HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:

Vanderbilt Credo “We treat others as we wish to be treated” Vanderbilt Credo Behavior “I respect privacy and confidentiality”

What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Limits how we use and share patient information Gives patients more control over their information Protects the integrity, availability and confidentiality of patient information Defines violation penalties

What is Protected under HIPAA? Individually identifiable health information collected from an individual that is created or received by a health care provider, employer, or plan. In any form: written, verbal, electronic Information pertaining to HIV, alcohol and drug treatment, psychotherapy notes, etc. have even more stringent protections.

Patient Rights Patients have the right to: Receive a Notice of Privacy Practices that describes how we use and share their information Review and obtain copies of their medical and financial records Request corrections if they believe information is incorrect HIPAA regulations provide individuals with certain rights that are reflected in VUMC policy.

Sharing Patient Information You must obtain patient authorization except for in these circumstances: Treatment (referring physicians, family members involved in patient’s care, etc.) Whenever possible, the patient should be given the opportunity to control which family members receive information. Payment (insurance companies, other third parties) Administrative functions (QI, financial analysis, educational or training activities) Other specific exceptions (required by law, Department of Public Health)

Giving Patients Control Over their Information Only share patient information with other faculty and staff who need the information to do their job. Avoid accessing a patient’s record unless you need to do so for your job or you have written permission from the patient. You are not allowed to access the record of your co-worker, spouse, or family member unless there is a signed authorization form in the patient’s record.

Key Information Security Practices Passwords & Electronic Signatures Logging Off

Passwords and Electronic Signatures Some Do’s and Don’ts related to passwords and electronic signatures. Note: Electronic signatures should be protected in the same manner as passwords. DO choose ones that you can remember DO remember that the longer they are, the better DO use numbers, uppercase and lowercase letters, and special symbols to create them, where allowed DO NOT share them with anyone DO NOT write them down where others can see or store them where others can access them (unless encrypted) DO NOT use words, names, or personal data (e.g., SSN)

Logging Off When using a computer if you need to walk away you should always: – Log Off OR – Lock the computer screen This is important so that others do not document in the electronic medical record under your user-id or gain access to information they may not be authorized to view.

sent over the Internet is unencrypted and not secure. Find alternative ways to communicate confidential information (e.g., encryption, MyHealthAtVanderbilt, password protected files, VPN) Limit the amount of patient information. Beware of Attachments!

Helpful Reminders Privacy RisksApproaches to Reduce the Risk 1.Conversations at nurses stations, front desks, semi- private rooms, hallways, etc. 1.Lower voice, ask visitors to leave the room 2.Documents or computer monitors in view. Printers accessible by public. 2.Turn monitors away or use filter screens, log off or lock systems, keep documents in folders. Keep printers in secure areas. 3.Whiteboards with patient info. 3.Use initials, abbreviations, codes, etc. 4.Faxing clinical information 4.Make sure you enter the correct fax number. Always use a cover sheet.

Helpful Reminders Privacy RisksApproaches to Reduce the Risk 5. ing patients, or patient information 5.Use an alternative method for communicating patient information whenever possible. Avoid ing patient information outside of VUMC. 6.Leaving messages for patients 6.Limit the information on the message 7.Disposal of document or electronic media containing patient information in regular trash. 7.Shred documents and dispose of electronic media appropriately

Sanctions for Privacy and Information Security Violations VUMC considers it a serious incident anytime that a privacy or security violation occurs. HIPAA requires that we monitor information system activity which assists in identifying violations and that we document all incidents. Disciplinary/corrective action ranges from training/counseling to termination. Unfortunately every year someone at VUMC is terminated due to committing this type of violation.

What should be reported? Examples: Looking at someone else’s confidential data. Leaving paperwork with patient information lying around unattended. Sharing your password or electronic signature with someone else or using someone else’s password or electronic signature.

Contact one of the following to Report Privacy & Information Security Incidents Privacy Office ( ) or Help Desk ( ) Compliance Reporting Line ( ) Your manager Always forward Patient privacy complaints to Patient Affairs ( ) or the Privacy Office.

The Bottom Line Consider the patient’s perspective and give them control over how their information is used. Avoid situations in which the patient would object to how their information was used or shared Implement appropriate security measures to maintain the integrity of patient data, ensure its availability, and keep it confidential. Be familiar with Vanderbilt’s privacy & information security policies

Final Instructions To complete the training you must print off the HIPAA Test and submit it to the manager in your department for filing in your personnel file.HIPAA Test Any questions related to this training may be submitted to the Privacy Office at or call