Privacy and Information Security Training ( ) VUMC Privacy Website

The Most Common Privacy/Security Incidents Reported I. Unauthorized access or disclosure of patient information II. Sharing passwords, and electronic signatures III. Failure to secure workstations IV. Failure to properly dispose of documents containing confidential information V. Careless handling of personal or confidential information

I.Unauthorized Access or Disclosure of Patient Information  Have you been concerned about a co-worker in the hospital and looked up their medical record?  Have you looked up your spouse’s record without formal authorization? These are considered Level III violations and will result in at least final written warning or Final PIC. Patient information shall be accessed and disclosed only as authorized, on a need-to-know basis, or as required by law.

Accessing and Disclosing Patient Information Things You Need to Know An “Authorization to Access Medical Records” form (MC1814) must be signed and placed into the patient’s record for you to have permission to access a record. You can obtain this form in Star Panel, by going to e-docs, or calling the Privacy Office. The Privacy Office conducts audits each month on the records of staff and faculty.

Accessing and Disclosing Patient Information Things You Need to Know Entering a patient’s room and proceeding to discuss information with the patient in front of family members/visitors has resulted in inappropriate disclosures. Remember to ask family members/visitors to leave the room prior to discussing information. If the patient says it’s okay for them to stay then you can proceed with the discussion.

Accessing and Disclosing Patient Information Things You Need to Know The following behaviors are considered privacy breaches under the current sanctions policy? Gossiping about a faculty/staff member’s health information resulting in a complaint being filed is considered a Level I violation. Gossiping/sharing PHI secured through your role at VUMC is considered a Level III violation. VUMC Sanctions Policy: Manual/Hpolicy.nsf/AllDocs/F4FAEAD3EEB0D9C986256FE7006DE2A2

II. Sharing Passwords and Electronic Signatures  What if a manager shares the password to her account with her Administrative Assistant?  What if a resident shares her SecurID token with another resident who is having problems with his own token? Both of these are privacy/security violations and will result in disciplinary action. Individual user names and passwords, as well as electronic signatures, must be kept confidential and shall not be shared.

Sharing Passwords and Electronic Signatures Things You Need to know Sharing your VU-net user name and password with another person gives that person access to your personnel records. You are able to delegate access to your account to someone else without sharing your password. Contact your computer support person if you need help to give someone access to your account.

III. Failure to Secure Workstations Things You Need to Know  Failure to lock the computer screen may result in others documenting in the electronic medical record under your user-id.  Failure to lock the computer screen when you walk away allows unauthorized individuals to view confidential information. Be sure to lock the computer screen or log off anytime you need to walk away from the computer to protect confidentiality and data integrity.

IV. Failure to Dispose of Documents Containing Confidential Information Things You Need to Know  Always dispose of confidential information in a shredder bin.  Be sure to clear your desk of any documents containing confidential information or remove them from view when leaving your desk for an extended period of time.  Photos of patients for treatment purposes must be stored in the patient’s record or in a secure database in accordance with the revised policy “Consent for Patient Photographs/Videos” OP Medical records, reports or other documents or information shall not be left unattended in a way that exposes confidential information.

V. Careless handling of personal or confidential information Things You Need to Know When faxing:  Always use a cover sheet  Confirm the fax number before you send  Double check to make sure you enter the correct fax number. Personal or confidential information misdirected to the wrong person verbally or by fax or is considered a privacy breach.

Careless handling of personal or confidential information Things You Need to Know  When sending electronic messages  Use MyHealthatVanderbilt.com (a secure web-based portal) to securely communicate with patients, as opposed to standard  If you use , confirm the address before sending and limit the personal information sent  When discussing confidential information  Avoid being overheard by others  Just leave a name and call back number in phone messages

Conclusion Some privacy/security breaches occur from individuals being careless while others occur from deliberate actions. Follow the practices set forth in this training presentation and you will avoid committing the most frequent type of breaches that occur at VUMC. If you have any questions or need to report a concern, please contact the Privacy or

Final Instructions To complete the training you must print off the HIPAA Test and submit it to the manager in your department for filing in your personnel file. HIPAA Test Any questions related to this training may be submitted to the Privacy Office at or call