 Privacy Act of 1974 PII (Personally Identifiable Information)….Protection of social security numbers……….

 HIPAA – Health Insurance Portability and Accountability Act A federal law that mandates standards that must be followed when healthcare information is used, disclosed, or transmitted for treatment, payment or health care operations purposes. The rules affect all persons who have access to Protected Health Information (PHI)

 Governor’s Privacy Team  Executive Order 6-06  New Policies and Procedures

 Accountability  Notice  Minimum Necessary/Limited Use  Consent  Individual Rights  Security Safeguards

 Personally Identifiable Information (PII) PII includes all protected and non-protected information that identifies, or can be used to identify, locate, or contact an individual. (social security numbers are considered PII)

 Sensitive PII (SPII) Those elements of PII that must receive heightened protection due to legal or policy requirements include, but are not limited to: Social Security numbers Credit card numbers Health and Medical data Driver license numbers Individual financial account numbers

 Protected Health Information (PHI) Individually identifiable health information (IIHI) held by any physician, health care provider, or payer that is transmitted or maintained in any medium (including oral transmission). The information covered includes any record or information relating to the past, present, or future health, condition, care, or payment of a individual, and extends to PHI that may be contained in paper records, electronic databases, or records and any other individual-specific data in a physician’s office

 Use - The sharing, analysis, application, utilization, examination or employment of such information within any entity that maintains such information.  Disclosure - The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

 Incidental Disclosure - In the course of routine communication, confidential information or PII may sometimes be inadvertently disclosed to someone who is not authorized to receive that information.

 Computer screens  Sign in sheets  Bulletin boards  Calendars with names in plain view

 Situations where unauthorized individuals may overhear information. speaking on the telephone; collecting information from individuals; communicating information to the individual or to the individual's family or representative; communicating individual information to other staff involved in the individual's case; and dictating.

 Users of Laptops and PDAs are responsible for assuring that the PHI/PII on the Laptops/PDAs is kept secure and private.  Any loss or theft of a Laptop/PDA is to be reported immediately to the Agency Privacy Officer who will report the loss or theft to the Cabinet Privacy and Security Officers.  Both the Laptop and the file containing PHI/PII are to be password protected.

 Individuals whom we serve  Employees  Referral Sources  Other

 PII – address; telephone  SPII – SSNs; Credit card numbers; bank account numbers; health and medical information

 HR information  SPII on application and on employee performance evaluations  Ex: Employee has an illness or is in the hospital. Do not share health information or address with other staff without that individual’s permission

 Bulletin Boards  Bulletin boards may not contain any documents with PHI/PII of clients, unless the client has authorized the display.

 Cleaning Personnel  Cleaning personnel do not need PHI/PII to accomplish their work. Whenever reasonably possible, PHI/PII will be placed in locked containers, cabinets, or rooms before cleaning personnel enter an area.  When it is not reasonably possible to lock up PHI/PII, it must be removed from sight before cleaning personnel enter an area.

 Computer Screens  Computer screens at each workstation must be positioned so that only authorized users at that workstation can read the display. When screens cannot be relocated, filters, hoods, or other devices may be employed.  Computer displays will be configured to go blank, or to display a screen saver when left unattended for more than a brief period of time. Wherever practicable, reverting from the screen saver to the display of data will require a password.  Computer screens left unattended for longer periods of time will log off the user.

 Conversations  Conversations concerning PHI/PII must be conducted in a way that reduces the likelihood of being overheard by others.  Wherever reasonably possible, noise inhibitors may be used to reduce the opportunity for conversations to be overheard.

 Copying other PHI/PII When PHI/PII is copied, only the information that is necessary to accomplish the purpose for which the copy is being made, may be copied. This may require that part of a page be masked or that information be redacted.

 Desks and Countertops  Records and other documents that contain PHI/PII must be placed face down on counters, desks, and other public places where third parties can see them.  Case records and other documents containing PHI/PII will not be left on desks and countertops after business hours or for extended periods of time unsupervised. Supervisors will take reasonable steps to provide all work areas where PHI/PII is used in paper form with lockable storage bins, lockable desk drawers, or other means to secure PHI/PII during periods when the area is left unattended.

 Desks and Countertops (cont.)  In areas where locked storage after hours cannot reasonably be accomplished, PHI/PII must be kept out of sight. A staff member must be present whenever someone who is not authorized to have access to that data is in the area.

 Disposal of paper with PHI/PII Paper documents containing PHI/PII must be shredded when no longer needed. If retained for a commercial shredder, they must be kept in a locked bin.

 Information carried from one building to another When a member of the workforce is transporting PHI/PII from one building to another via vehicle, it may not be left unattended unless it is in a locked vehicle with case record or PHI/PII with identifying information out of site. Locking the vehicle alone is not sufficient.

 Printers and Fax Machines Printers and fax machines must be located in secure areas, where only authorized members of the workforce can have access to documents being printed and faxed.

 Record Storage  Areas where records and other documents that contain PHI/PII are stored must be secure. Wherever reasonably possible, the PHI/PII will be stored in locked cabinets or a records room.  Where locked cabinets are not available, the storage area must be locked when no member of the workforce is present to observe who enters and leaves, and no unauthorized personnel may be left alone in such areas without supervision.

 Transcription  Dictation tapes must be numbered, and workforce members must account for each tape they receive and return by number.  Dictation tapes must be completely erased before being reused.  Tapes and transcribed hard copy will be subject to the same policies that apply to the safeguarding of paper documents and electronic files that contain PHI/PII, such as case records and copies of medical records.

 Workforce Vigilance  All members of the workforce have a responsibility to watch for unauthorized use or disclosure of PHI/PII, to act to prevent the action, and to report suspected breaches of privacy  This responsibility will be included in staff training.  This responsibility will become a part of all work staff job descriptions.

 Visitors A staff member must accompany all visitors to any area where PHI/PII is stored or in use.

Take every reasonable caution to protect confidential information!

Library Commission Privacy Officer Denise Seabolt Library Commission Security Officer Harlan White Education & the Arts Privacy Officer Brenda Bates Education & the Arts Security Officer Tiffany Redman