PRIVACY AND INFORMATION SECURITY

PRIVACY AND INFORMATION SECURITY 2015 – STAFF TRAINING

RESPECT FOR PRIVACY AND CONFIDENTIALITY

WHAT IS PROTECTED HEALTH INFORMATION (PHI)
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI).

FREQUENTLY REPORTED HIPAA PRIVACY INCIDENTS
- Medical record documents, billing statements and prescriptions being mailed or handed to the wrong patient.
- E-mails containing more than the minimum necessary patient Protected Health Information (PHI) sent in a format that is not secure.
- Gossiping or sharing patient information with someone who is not authorized to know it.
- Staff or faculty accessing a co-worker's or any other patient's electronic medical record without a legitimate business purpose or written authorization. This is a privacy violation regardless of the reason and may trigger the federal breach notification requirements.
- A staff or faculty member sharing a User ID and Password that allows access to restricted systems and/or confidential information or PHI of others.

How To Avoid HIPAA Privacy Incidents
- Access information only if you need it to do your job.
- Share information only with others who need it to do their jobs.
- Email only the minimum necessary amount of patient identifiable information (MRN, initials) or use FTA (File Transfer Application).
- Use MHAV to email when communicating with a patient.
- Speak where others (including patient family members and friends) cannot hear, if possible.
- Confirm that the identity of the patient is correct before accessing a patient record or handing or mailing patient health information.
- Allow the patient an opportunity to allow or not allow their friends or family members to hear any information discussed with them.
- Never share your password or work under another's password.
- During the patient registration process, have the patient provide you the pertinent information that identifies them: Date of Birth, Address, Last 4 of SSN. (Do not give them the information to confirm; instead, have them provide it to you!)
- Dispose of documents containing confidential information by shredding.
- Consult with a CHIM (Center for Health Information Management) Release of Information staff member for questions concerning the release of patient information.

PHISHING
What is Phishing: Phishing is a fraudulent attempt, usually made through email, to steal your personal information through fake websites that appear to belong to legitimate organizations, including Vanderbilt University Medical Center (VUMC).
How to Identify Phishing:
- Phishing emails usually ask for your personal information, such as a credit card number, social security number, account number, or password.
- Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would not request this information from you via email.
VUMC has taken steps to decrease recent problems of phishing. As a reminder, if you receive a suspicious email or phone call, please report it to the Dell-staffed Vanderbilt IT Help Desk at (615) 343-HELP or the Tech Hub at (615) 343-9999.

PHISHING…Cont.
The following steps/tips can be used to avoid becoming a victim:
- Always check the sender's address, and be aware that phishers may forge the sender's address to make it look as though it came from a legitimate organization when in fact it did not.
- Bottom line: if you're asked to reveal any personal information via email, you should not respond.
- Do not click on links, photos or videos in these messages, as they may contain viruses and malware that can be installed on your computer. This includes Facebook and other social networking messages, ads, videos and links.
- Remember: Vanderbilt employees are never asked to provide their user name and password via an email.
- If you think your User ID and/or Password have been compromised, change your password immediately.
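The two phishing slides list three observable indicators: the message asks for personal information, it pushes the reader to a link, and the sender's address may be forged to look like the organization's. The script below, added here as an illustration and not part of the original training deck, turns those three indicators into checks a help desk or mail team could run over a reported message. The trusted domains (vumc.org and vanderbilt.edu are assumed to be the organization's real domains), the keyword list and both sample messages are constructed for the example.

```python
"""Flag the phishing indicators named in the training slides.

Added example, not part of the original presentation. The trusted
domains, the sensitive-term list and the two sample messages are
constructed for the illustration; vumc.org / vanderbilt.edu standing
for the organization's real mail and web domains is an assumption.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organization actually sends mail and hosts pages from.
TRUSTED_DOMAINS = {"vumc.org", "vanderbilt.edu"}

# Terms a legitimate organization never asks for by e-mail (per the slides).
SENSITIVE_TERMS = ("password", "social security", "credit card", "account number")

# Matches <a href="...">label</a> in an HTML body; label may span lines.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(netloc_or_addr: str) -> str:
    """Reduce a host or mailbox to its last two labels, lower-cased."""
    host = netloc_or_addr.rsplit("@", 1)[-1].split(":")[0].lower().strip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw_message: str) -> list:
    """Return the indicators found in an RFC 822 message; [] means none."""
    msg = message_from_string(raw_message)
    reasons = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    # Indicator 1: the display name claims the organization, the address does not.
    claims_org = any(d.split(".")[0] in display_name.lower() for d in TRUSTED_DOMAINS)
    if claims_org and sender_domain not in TRUSTED_DOMAINS:
        reasons.append(f"sender display name claims the organization but address domain is {sender_domain}")

    body = msg.get_payload(decode=True)
    text = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""
    lowered = text.lower()

    # Indicator 2: the message asks for credentials or other personal information.
    asked = [t for t in SENSITIVE_TERMS if t in lowered]
    if asked:
        reasons.append("asks for personal information: " + ", ".join(asked))

    # Indicator 3: a link whose visible text names one site but points at another,
    # or that leaves the trusted domains while the mail impersonates the organization.
    for href, label in LINK_RE.findall(text):
        target = domain_of(urlparse(href).netloc)
        label_text = re.sub(r"<[^>]+>", "", label).strip()
        if "." in label_text:
            shown_url = label_text if "://" in label_text else "//" + label_text
            shown = domain_of(urlparse(shown_url).netloc)
            if shown and shown != target:
                reasons.append(f"link text shows {shown} but points to {target}")
        if claims_org and target not in TRUSTED_DOMAINS:
            reasons.append(f"link to untrusted domain {target}")
    return reasons


# Constructed sample: lookalike sender, credential request, mismatched link.
PHISH_SAMPLE = (
    'From: "VUMC IT Help Desk" <helpdesk@vumc-security-alerts.com>\n'
    "To: staff@vumc.org\n"
    "Subject: Action required: verify your password\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Your account will be suspended. Confirm your password within 24 hours.</p>\n"
    '<a href="http://vumc-security-alerts.com/login">vumc.org/login</a>\n'
)

# Constructed sample: same organization, nothing requested, link matches its label.
LEGIT_SAMPLE = (
    'From: "VUMC Privacy Office" <privacy@vumc.org>\n'
    "To: staff@vumc.org\n"
    "Subject: 2015 privacy training is available\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>The annual training module is now open. Nothing is requested by this message.</p>\n"
    '<a href="https://vumc.org/training">vumc.org/training</a>\n'
)


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        found = phishing_indicators(sample)
        print(f"{name}: {'no indicators' if not found else '; '.join(found)}")
```

The checks are deliberately coarse: they surface the same cues the slides ask staff to look for, so a flagged message still goes to the Help Desk for a human decision rather than being acted on automatically.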

FAXING OF PHI
- Faxing PHI with the wrong patient's information attached, or sending PHI to the wrong fax number, is the second most frequently reported HIPAA violation.
- Faxing should only be used when there is a time-sensitive need to send/receive information and an alternative secure method (e.g., mail, courier service, web-based authentication system, secure file transfer, or telephone) does not exist or is not reasonable.
- Prior to faxing to an external party (one not available through a confirmed fax database), confirm the fax number is accurate with the individual making the request. Read-back of the fax number to the requestor is an acceptable method of confirming accuracy.
- The Provider Communication Wizard utilizes a confirmed provider database and is the preferred mode for faxing patient information to and between providers.
- Always use a Fax Cover Sheet and include a phone number for the recipient to contact you in case of a faxing error.
- When confidential information is faxed in error, immediately inform the recipient to destroy the document and then notify the VUMC Privacy Office.

SOCIAL MEDIA
- Social Media Sites (Facebook, Twitter, LinkedIn, Google+, etc.) and blog sites (WordPress, Blogger, LiveJournal, etc.) allow you to easily share information with your friends and the public.
- If you identify yourself in any online forum as a faculty/staff member of VUMC, you must make it clear you are not speaking for VUMC and that all submissions represent your own personal views and comments.
- Never post patient protected health information or confidential information of any kind on social media or blog sites without written authorization from the patient. Remember that recognizable markings or body parts are PHI.

PATIENT PHOTOGRAPHY AND VIDEO IMAGING
- VUMC may utilize Photography or Video Imaging of a patient for purposes of identification and patient care and treatment, or as otherwise authorized by the patient or the patient's legal representative.
- Patient Identifiable Photography is Protected Health Information (PHI), and use and disclosure of this PHI must comply with all Information Privacy and Security Policies for PHI.
- Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment. Photography for purposes other than patient care generally does require explicit consent.
- Immediately upload patient photos to the EMR or another secure server. Immediately delete the image from the camera/device.
- Do not post Photography of patients in public areas, on internet websites, or blogs without written or documented verbal consent from the patient/legal representative prior to the posting.

THE PRIVACY OFFICE WILL DETERMINE WHETHER HIPAA PRIVACY VIOLATIONS REQUIRE BREACH NOTIFICATION AND REPORTING
What You Need to Do…
- Report all suspected breaches of Patient Health Information (PHI) to the Privacy Office.
- Report all suspected breaches of Employee Information (e.g., Social Security Number) to the Privacy Office.
Things You Need to Know…
- Breach: the unauthorized acquisition, access, use, or disclosure of individually identifiable Personal Information or Protected Health Information that compromises the security or privacy of such information.
- When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services.
- State of TN notification may be required when there is a security breach of unencrypted computerized data containing Personal Information (such as SSN).
- The Breach Notification policy defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or computerized Personal Information, so that the appropriate notification requirements are satisfied.

Privacy and Information Security Policies
Policy Review: The following policies with implications for Privacy and Information Security have been updated and published for 2015 training review:
- Patient Safety and Confidentiality: No Information, Security Risk, and Alias Designations – IM 10-20.12 (October 2013)
- Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information – IM 10-30.02 (February 2014)
- De-Identification of Protected Health Information and Use of a Limited Data Set – IM 10-30.07 (February 2014)
- Releasing Patient Information and Coordinating Access to Patients by External Law Enforcement Officials and Investigators – IM 10-30.11 (April 2014)
- Patient Requests to Restrict the Use and Disclosure of Information – IM 10-30.08 (April 2014)
- Cloud-Based Computing and Data Storage – IM 10-30.27 (June 2014)
- Protection and Security of PHI – IM 10-30.14 (August 2014)

CONTACT ONE OF THE FOLLOWING TO REPORT PRIVACY AND INFORMATION SECURITY INCIDENTS:
ALWAYS FORWARD PATIENT COMPLAINTS TO PATIENT RELATIONS (615) 322-6154