Why Respect Privacy and Confidentiality? Access to Confidential Information (OP 10-40.07) Protection and Security of Protected Health Information (OP.


Why Respect Privacy and Confidentiality?

The policies covered in this lesson:
- Access to Confidential Information (OP )
- Protection and Security of Protected Health Information (OP )
- Protection and Security of Research Health Information (OP )
- Notification of Computerized Data Security Breach Involving Personal Information (OP )

Access to Confidential Information (OP )
Things You Need To Know:
- VUMC Confidential Information is defined to include patient, research, student, employee, academic program, and VMC and/or third-party proprietary information in verbal, paper, or electronic form.
- Workforce members are granted access, based upon job role, after completion of HIPAA training and signing the individual Confidentiality Agreement.
- Business Associates and other external parties involved in treatment, payment, or health care operations may be granted access based upon a written contract with the company or individual that defines the allowable uses and disclosures of PHI and other Confidential Information and the consequences of failing to comply with VMC policies for privacy and information security.
- Compliance or Research Monitors/Auditors are granted time-limited access to VUMC Confidential Information following a defined process that confirms the identity of the user and restricts access to the minimum necessary to accomplish the required review.

Protection and Security of Protected Health Information (OP )
THINGS YOU NEED TO KNOW:
- VMC stores electronic PHI on protected network servers.
- If an authorized business purpose exists for storing electronic PHI somewhere other than a VMC secure network server, the individual storing the data is accountable for the protection and security of the PHI consistent with the standards of the HIPAA Security Rule.
- PHI accessed and stored on mobile devices requires increased levels of protection, up to and including:
  - Password protection on the device; and
  - Encryption of the PHI stored on the device;
  - Use of minimum necessary information to accomplish the business purpose (avoid the use of patient names as an identifier in conjunction with the patient’s full social security number, medical record number or other identifiers);
  - Immediately report loss or theft of any device containing PHI to VPD and the Privacy Office or the Help Desk.

Protection and Security of Research Health Information (OP )
THINGS YOU NEED TO KNOW:
- The Principal Investigator (PI) must define the safeguards that will be implemented in the research protocol submitted for review by the Institutional Review Board (IRB) prior to collection or storage of RHI.
- Mobile devices have increased vulnerability to loss or theft, and RHI accessed and stored on such devices requires increased levels of protection, up to and including:
  - Password protection on the device; and
  - Encryption of the RHI stored on the device; and
  - Use of minimum necessary information to accomplish the research purpose.
- Research involving data from Veterans Affairs (VA) must comply with all specific requirements for the use of VA Sensitive Information. VA Sensitive Information may not reside on non-VA owned equipment unless specifically designated and approved in advance by the appropriate VA officials.
- Suspected or known loss, theft, or other breach of the confidentiality or security of RHI must be reported to the VUMC IRB Office and the Privacy Office. Theft of a computer or mobile device containing RHI must also be reported to VPD.

Notification of Computerized Data Security Breach Involving Personal Information (OP )
Things You Need To Know:
- Personal Information is defined as an individual’s first name or first initial and last name, in combination with a social security number; driver’s license number; and/or account number, credit or debit card number, in combination with any required security code, access code or password.
- The State of Tennessee and most surrounding states have laws requiring companies to notify the individual when there is reasonable belief that unencrypted computerized data containing Personal Information about that individual may have been the subject of unauthorized acquisition or control.
- VMC policy defines the procedures to be followed in determining whether or not data breach notification is required, the notification method and timeframe, and additional notice and mitigation steps.
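The definition above is effectively a classification rule: a name (or first initial and last name) plus at least one qualifying element, and the notification statutes only reach data that was unencrypted. The following added example, which is not part of the training material or any VUMC system, applies that rule to constructed sample records so the records that must enter breach-notification review can be separated from those that do not meet the definition; the field names, the SSN format check and the sample rows are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Matches 9-digit SSNs with or without dashes (constructed check; the policy
# text does not prescribe a format).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


@dataclass
class Record:
    """One stored row. Field names are assumptions for this example."""
    first_name: str
    last_name: str
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""       # account, credit or debit card number
    account_secret: str = ""       # required security code, access code or password
    encrypted: bool = False        # True if the data at rest was encrypted


def has_name(r: Record) -> bool:
    # First name OR first initial, plus last name: a one-character first name counts.
    return bool(r.first_name.strip()) and bool(r.last_name.strip())


def qualifying_elements(r: Record) -> list:
    """Data elements that, combined with a name, make the record Personal Information."""
    found = []
    if SSN_RE.match(r.ssn.strip()):
        found.append("ssn")
    if r.drivers_license.strip():
        found.append("drivers_license")
    # An account or card number counts only together with its code or password.
    if r.account_number.strip() and r.account_secret.strip():
        found.append("account_with_code")
    return found


def is_personal_information(r: Record) -> bool:
    return has_name(r) and bool(qualifying_elements(r))


def needs_notification_review(r: Record) -> bool:
    # The statutes quoted on the slide cover unencrypted data only; encrypted
    # records still go through the incident process but not this path.
    return is_personal_information(r) and not r.encrypted


def triage(records) -> list:
    """Return (index, elements) for every record that must enter breach-notification review."""
    return [(i, qualifying_elements(r)) for i, r in enumerate(records)
            if needs_notification_review(r)]


# Constructed sample rows, not real people.
SAMPLE = [
    Record("J", "Doe", ssn="123-45-6789"),                              # initial + last name + SSN
    Record("Jane", "Doe", account_number="4111111111111111"),           # card number without a code
    Record("Jane", "Doe", account_number="4111111111111111", account_secret="123"),
    Record("John", "Doe", ssn="123456789", encrypted=True),             # Personal Information, but encrypted
    Record("", "Doe", drivers_license="TN1234567"),                     # no first name or initial
    Record("Mary", "Roe", drivers_license="TN7654321"),
]

if __name__ == "__main__":
    for idx, elems in triage(SAMPLE):
        r = SAMPLE[idx]
        print(f"record {idx}: {r.first_name} {r.last_name} -> review ({', '.join(elems)})")
```

Running the block lists records 0, 2 and 5: the card number alone (record 1) and the driver's license without a name (record 4) do not meet the definition, and the encrypted row (record 3) is Personal Information but falls outside the unencrypted-data trigger.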

The most frequently reported types of incidents:
- Careless handling of personal or confidential information
- Unauthorized access or disclosure of patient information
- Accidental access or disclosure of patient information
- Sharing passwords or allowing others to work under the same user ID

MOST FREQUENTLY REPORTED INCIDENTS
Avoid careless handling of personal or confidential information that may result in unauthorized disclosure.
- Reports or billing statements mailed to the wrong patient.
- Documents containing patient information faxed to the wrong fax number.
- Patient information discussed by staff or faculty in waiting rooms, elevators, or other public areas where others can overhear.
- Printed documents containing patient or other confidential information left unattended in a public place.
- Data storage devices or cameras with unencrypted patient data or pictures lost or stolen.

Things You Need To Know:
- Be sure when you are mailing correspondence about a patient that you are sending the correct patient’s information to the appropriately authorized recipient.
- When faxing a document always use a cover sheet and double check the fax number.
- When you select a recipient for faxed documents from the StarPanel Fax Directory always confirm that you have the correct provider by name, specialty, office location, and fax number.
- Avoid conversations about patients in an area that is open to the public where you might be overheard.
- Always place confidential information in a shredder bin for disposal.

Most Frequently Reported Incidents
- Staff or faculty accessing a co-worker’s or a co-worker’s family member’s medical record without having written authorization (out of curiosity or concern or for deliberate use of the information).
- Staff or faculty accessing medical records of others (family, friends, others) without a job-duty related need or documented authorization.
- Failure to ask visitors and family members to leave the patient’s room prior to discussing confidential information with the patient.
Patient information is to be accessed and disclosed only as authorized, on a need-to-know basis, or as required by law.

Unauthorized Access or Disclosure of Patient Information
Things You Need to Know:
- Whenever possible, allow the patient to determine which family members or others involved in their care are communicated with regarding the patient’s care and services.
- Do not assume that the patient agrees for a visitor or family member in the patient’s room to see or hear any personal health information.
- Prior to accessing a patient’s medical record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing the patient has granted you permission.
- Written authorization may be in the form of a note entered into the medical record documenting verbal permission or, preferably, a signed copy of an authorization form granting the access.

Unauthorized Access or Disclosure of Patient Information
Things You Need to Know:
- The Privacy Office regularly audits the medical records of all VUMC staff and faculty that are admitted to VUMC for access by co-workers.
- Patients may request an audit of the medical record if they believe a staff or faculty member has accessed their record without appropriate authorization.
- Gossiping about a faculty/staff member’s health information resulting in the individual filing a complaint, gossiping about a VUMC patient’s health information, or gossiping or sharing PHI secured through your role at VUMC are all considered privacy violations and will result in disciplinary action.
All incidents/complaints are investigated and all violations result in disciplinary action, up to and including termination.

WHEN IN DOUBT: Always Get Written Patient Authorization

Most Frequently Reported Incidents
- Accidental access of a patient’s medical record by selecting the wrong patient in the search by name or entering the wrong medical record number.
- Release of information to a person answering the patient’s phone or claiming to be authorized by the patient.
- PHI scanned into the wrong medical record.
Accidental access or disclosure is not incidental and is considered unauthorized. Accidental disclosure requires disclosure tracking.

Things You Need to Know:
- When looking for a patient’s medical record, use more than first and last name to identify the correct patient (e.g. birth date or middle name) to avoid accidental access or disclosure.
- Accidental disclosure of patient information is a violation of HIPAA even if it is unintentional.
- Accidental disclosure of PHI should be recorded in the Disclosure Tracking System.
- Check the medical record to see if the patient has authorized communication with a family member or friend before you proceed to release information.
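The two points above (look up charts by more than first and last name; record any accidental disclosure) can be enforced by the lookup itself rather than left to habit. The following added example is not code from the training or from any VUMC application: a chart search that refuses to run on name alone, refuses to return a chart when more than one matches, and a small in-memory stand-in for a disclosure tracking log. The patient index, MRNs, dates and function names are constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed patient index; MRNs, names and dates are made up.
PATIENTS = [
    {"mrn": "10001", "first": "John", "middle": "A", "last": "Smith", "dob": "1970-04-02"},
    {"mrn": "10002", "first": "John", "middle": "R", "last": "Smith", "dob": "1981-11-30"},
    {"mrn": "10003", "first": "Jane", "middle": "",  "last": "Smith", "dob": "1970-04-02"},
    {"mrn": "10004", "first": "John", "middle": "A", "last": "Smith", "dob": "1965-08-15"},
]


class AmbiguousMatch(LookupError):
    """More than one chart matched: the caller must supply another identifier."""


class NoMatch(LookupError):
    """No chart matched the identifiers given."""


def find_patient(first, last, dob=None, middle=None):
    """Resolve a chart by name plus at least one extra identifier (date of birth
    or middle name); never returns a chart when the match is not unique."""
    if not (dob or middle):
        raise ValueError("name alone is not enough: supply date of birth or middle name")
    matches = [p for p in PATIENTS
               if p["first"].casefold() == first.casefold()
               and p["last"].casefold() == last.casefold()]
    if dob:
        matches = [p for p in matches if p["dob"] == dob]
    if middle:
        matches = [p for p in matches if p["middle"].casefold() == middle.casefold()]
    if not matches:
        raise NoMatch(f"no chart for {first} {last}")
    if len(matches) > 1:
        raise AmbiguousMatch(f"{len(matches)} charts match {first} {last}; add another identifier")
    return matches[0]


def resolve(first, last, dob=None, middle=None):
    """Outcome as a tuple, for callers that prefer a status to an exception."""
    try:
        return ("ok", find_patient(first, last, dob, middle)["mrn"])
    except AmbiguousMatch as e:
        return ("ambiguous", str(e))
    except NoMatch:
        return ("none", "")
    except ValueError:
        return ("insufficient", "")


@dataclass
class DisclosureLog:
    """Stand-in for a disclosure tracking system; entries are kept in memory."""
    entries: list = field(default_factory=list)

    def record_accidental(self, mrn, disclosed_to, what, by_user):
        entry = {"mrn": mrn, "disclosed_to": disclosed_to, "what": what, "by": by_user,
                 "accidental": True,
                 "when": datetime.now(timezone.utc).isoformat(timespec="seconds")}
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    print(resolve("John", "Smith"))                          # insufficient
    print(resolve("John", "Smith", middle="A"))              # ambiguous: 10001 and 10004
    print(resolve("John", "Smith", dob="1970-04-02"))        # ok, 10001
    print(resolve("John", "Smith", dob="1965-08-15", middle="A"))  # ok, 10004
    log = DisclosureLog()
    # A record that went to the wrong patient is logged, not quietly fixed.
    print(log.record_accidental("10002", "wrong patient", "billing statement", by_user="jdoe"))
```

The search returns a chart only when exactly one patient matches; an ambiguous match is surfaced to the user as a request for another identifier, which is the point where the "wrong John Smith" mistake is otherwise made.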

Most Frequently Reported Incidents
- Staff or faculty member logs onto an electronic workstation in a shared work area and leaves the device, allowing others to access patient information under the user identification first used.
- Manager directs or allows an employee to work on a computer workstation previously logged in under another person’s user name and password.
- A faculty member or director shares his/her User-ID and password with another employee to facilitate work getting done in a timely fashion.
- Staff and/or faculty share user name and password in order to share access to common reports or files.
Individual user identification is essential to maintaining the accuracy, integrity, and confidentiality of the electronic information systems and the patient’s medical record.

Sharing Passwords and Electronic Signatures
Things You Need to Know:
- Individually assigned passwords to VUMC systems, applications, or devices are confidential codes. Even though the password might not allow access to PHI, it is still considered a security violation if it is shared or if you use someone else’s password to access confidential systems or information.
- Sharing your user name/password, or using someone else’s user name/password that allows access to a restricted system and confidential information or PHI of others, is an even more serious violation and may result in Final PIC for staff, written warning for faculty and house staff.
- Workstations must be secured by locking the screen or logging off whenever the user walks away. Failure to lock the computer screen may result in others using the system under someone else’s user identification, which is a data integrity concern.
- If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet).

Sharing Passwords and Electronic Signatures
Things You Need to Know:
- As explicit roles are defined within applications and systems, user ID and password will be used to drive communication and escalation of alerts and messages. Corrupting the integrity of the unique user ID and password may seriously disrupt that communication and result in harm to the patient.
- Commitment to maintain the confidentiality of your user ID and password is a matter of personal integrity.
- Do not share your confidential passwords with anyone, including a manager or system administrator.
- Contact your LAN manager or system administrator to set up shared drives or folders as a secure means for sharing access to files or databases without sharing individual user identification.
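Both incident patterns in this section, a shared user ID and an unlocked workstation used by someone else, leave the same trace in access logs: one user ID active on two workstations at almost the same time. The following added example, written for this page and not taken from any VUMC system, parses constructed access-log lines in an assumed format and flags that pattern so a privacy office audit can follow up; the log format, the user and workstation names and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> user=<id> ws=<workstation> action=<verb> [mrn=<chart>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) action=(?P<action>\S+)(?: mrn=(?P<mrn>\S+))?$"
)

# Constructed access-log lines; not output of any real system.
SAMPLE_LOG = """\
2017-12-30T06:45:01 user=jdoe ws=WS-101 action=login
2017-12-30T06:46:10 user=jdoe ws=WS-101 action=open_chart mrn=10001
2017-12-30T06:48:30 user=jdoe ws=WS-205 action=open_chart mrn=10002
2017-12-30T06:49:00 user=asmith ws=WS-117 action=login
2017-12-30T07:10:00 user=asmith ws=WS-117 action=open_chart mrn=10003
2017-12-30T07:30:00 user=jdoe ws=WS-101 action=logout
2017-12-30T08:00:00 user=asmith ws=WS-118 action=open_chart mrn=10004
"""


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_concurrent_use(events, window=timedelta(minutes=15)):
    """Flag a user ID that appears on a second workstation within `window` of its
    last activity on another one, unless that activity was an explicit logout.
    Returns (user, previous_ws, new_ws, timestamp) tuples."""
    findings = []
    last_by_user = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        prev = last_by_user.get(e["user"])
        if (prev is not None
                and prev["ws"] != e["ws"]
                and prev["action"] != "logout"
                and e["ts"] - prev["ts"] <= window):
            findings.append((e["user"], prev["ws"], e["ws"], e["ts"].isoformat()))
        last_by_user[e["user"]] = e
    return findings


if __name__ == "__main__":
    for user, ws_a, ws_b, when in find_concurrent_use(parse(SAMPLE_LOG)):
        print(f"{when}: {user} active on {ws_a} and {ws_b} within the window -> review")
```

On the sample lines the only finding is jdoe, whose ID opened a chart on WS-205 about two minutes after activity on WS-101 with no logout in between; asmith moves between workstations fifty minutes apart and is not flagged. The window is a heuristic: a session left unlocked produces no logout event, which is exactly why the rule does not wait for one.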

Some privacy/security breaches occur from individuals being careless, while others occur from deliberate actions. Follow the practices set forth in this training presentation and you will avoid committing the most frequent types of breaches that occur at VUMC. If you have any questions or need to report a concern, please contact the Privacy Office at (615) or

TEST
You must complete the TEST associated with this lesson in order to be marked complete for the HIPAA training. Close this window and then select the link to TEST beside the name of the Lesson (Privacy and Information Security Training).