Published by Adele Weaver, modified over 9 years ago
Privacy and Information Security Non-VUMC Training, 2010-2011
Vanderbilt University Medical Center, Information Privacy & Security
Website: www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacy Security
Things You Need To Know

Disposal of written documents: Written documentation or printed documents that contain VUMC Protected Health Information MUST be placed in a shredder bin or processed through a shredding device (preferably a cross-cut shredder). Shredder bins are located throughout the Medical Center.

Disposal of labels containing patient-identifiable information: DO NOT dispose of labels or containers that contain patient-identifiable information in regular trash containers. Labels affixed to IV bags or specimen containers that cannot be removed for shredding MUST be placed in biohazard red bags.

Disposal of film: Films, microfilm, or microfiche are to be cut into pieces or chemically destroyed.
Disposal of Electronic Devices and Electronic Media

Department administrators are encouraged to work with their LAN Manager or local technology support provider for guidance in adhering to the requirements for disposal of electronic devices and electronic media. The information on a device or medium must be erased and not recoverable before the device or medium is disposed of, surplused, or transferred within or between departments, by one of the following:
Destroying the information on the hard drive or media by reformatting. Note that a quick format does not meet the "not recoverable" requirement: it rewrites only the file system's metadata, and the data blocks remain readable with ordinary recovery tools. Use a full overwrite of every sector, and for flash media (SSDs, USB sticks), where an overwrite may not reach every cell, prefer the drive's cryptographic erase or physical destruction.
Removing the hard drive or other media and placing it in secure storage.
Removing the hard drive or other media and physically destroying it.
DO NOT discard outdated, decommissioned, or broken electronic devices or electronic media in dumpsters or regular trash containers. Copier hard drives should be returned to the vendor for destruction.
Reference: Operations Policy, OP 10-40.22: "Disposal of Confidential Information"
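The following is an added example, not part of the VUMC training or its policy, that simulates why a quick reformat does not satisfy "erased and not recoverable". A bytearray stands in for the medium, a constructed and fictitious patient record is written into it, quick_format() rewrites only the leading metadata region (which is all a quick format touches), overwrite_media() rewrites every byte, and recover() does what a carving tool does: a raw pattern search that ignores file-system structure. The sizes, the record layout and the metadata-region size are assumptions.

```python
"""Simulated medium: quick format vs. full overwrite (added example, not VUMC code)."""
import os
import re

DISK_SIZE = 1024 * 1024        # 1 MiB simulated medium (assumption)
METADATA_BYTES = 4096          # assumed size of the region a quick format rewrites
RECORD_OFFSET = 300 * 1024     # where the "file" holding the record lives (assumption)

# Constructed sample record; contains no real identifiers.
SAMPLE_RECORD = b"MRN 1234567; DOB 1970-01-01; DX: example diagnosis"
MRN_PATTERN = rb"MRN \d{7}"


def new_medium(record: bytes = SAMPLE_RECORD) -> bytearray:
    """Old pseudo-random content with the record written at RECORD_OFFSET."""
    disk = bytearray(os.urandom(DISK_SIZE))
    disk[RECORD_OFFSET:RECORD_OFFSET + len(record)] = record
    return disk


def quick_format(disk: bytearray) -> None:
    """Model of a quick format: only the metadata region is zeroed; data blocks are untouched."""
    disk[:METADATA_BYTES] = bytes(METADATA_BYTES)


def overwrite_media(disk: bytearray) -> None:
    """Full overwrite of every byte with random data.
    For flash media, where overwrites may not reach every cell,
    cryptographic erase or physical destruction is the safer choice."""
    disk[:] = os.urandom(len(disk))


def recover(disk: bytearray, pattern: bytes = MRN_PATTERN) -> list[bytes]:
    """Raw carving: search the whole medium for record-shaped bytes, ignoring any file system."""
    return re.findall(pattern, bytes(disk))


def compare_methods() -> tuple[int, int]:
    """Return (records recoverable after quick format, records recoverable after full overwrite)."""
    disk = new_medium()
    quick_format(disk)
    after_quick = len(recover(disk))
    overwrite_media(disk)
    after_overwrite = len(recover(disk))
    return after_quick, after_overwrite


if __name__ == "__main__":
    print("recoverable records after quick format / after full overwrite:", compare_methods())
```

The record survives the quick format because nothing in the data region changed; only after every byte is rewritten does the raw search come up empty. Real recovery tools (photorec, scalpel, strings over a raw device) work the same way, which is why the policy's "not recoverable" wording matters more than the word "reformat".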
Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment. Patient-identifiable photography is Protected Health Information (PHI), and use and disclosure of this PHI must comply with all Information Privacy and Security Policies for PHI. Photography for purposes other than patient care generally does require explicit consent. Immediately upload patient photos to the EMR or another secure server and delete them from the device used to capture the image(s). Do not label patient photographs with more than the minimum necessary identifiers (e.g., avoid the SSN and the patient's phone number). Do not post photography of patients in public areas, on internet websites, or on blogs without written or documented verbal consent from the patient or legal representative obtained prior to posting.
Operations Policy 20-10.10, "Patient Photography and Video Imaging," covers: permissible uses of photography; requirements for consent, camera and recording equipment, and storage/retention of images; use and disclosure of photographic images; and behaviors related to photography of patients that are not permissible for staff/faculty. The applicable consent forms are:
Permission to Take and Use Photography or Videos (MC 3930): use for education/training, performance improvement, or other non-media-related acceptable purposes.
Media Relations - Authorization to Create, Use, or Disclose Photographs or Videos for Media Releases and Public Relations (MC6690): use for public relations, media, or marketing purposes is coordinated through VU Media and Public Relations staff and uses this specific consent form.
Patient Authorization for Security Photographs (MC3642): use in the newborn nursery areas for newborn photography.
Reference: Operations Policy, 20-10.10: "Patient Photography and Video Imaging"
NEVER use the full nine-digit Social Security number in an electronic message unless the message has been encrypted or otherwise secured! Use the Medical Record Number as the primary identifier and only a part of the patient's name (if needed), such as the last name or initials. DO NOT use a patient's full name together with specific health information (e.g., reason for visit, diagnosis, procedures, or test results). Always follow the minimum necessary standard when sharing patient information. Use the Vanderbilt ID number as the primary identifier for employees and students. Files containing identifiable patient or other sensitive information may not be sent over the Internet in clear text; they must be protected by security measures such as VPN technology, encryption, or another secure transmission process. The StarPanel message basket system provides secure messaging among VUMC clinical staff and faculty about a specific patient.
Reference: Operations Policy, 10-40.37: "Electronic Messaging of Individually Identifiable Patient and other Sensitive Information"
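As an added example (not part of the training or of any VUMC system), the following is an outbound-message check for the rule above: a full nine-digit SSN may not appear in an unencrypted electronic message, while an MRN plus the last four digits is acceptable. The Message type, its encrypted flag (assumed to be set by a mail gateway when the message is protected in transit), the rule names and the sample messages are all constructed for the example and contain no real identifiers.

```python
"""Outbound-message check for full SSNs (added example, not VUMC code)."""
import re
from dataclasses import dataclass

# High-confidence layouts: delimited 3-2-4 groups not embedded in a longer digit run.
DELIMITED_SSN = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
# Low-confidence layout: nine bare digits. MRNs and account numbers can look the same,
# so a bare run is reported only when an SSN keyword appears shortly before it.
BARE_SSN = re.compile(r"(?i)(?:ssn|social\s+security)\D{0,30}?(\d{3})(\d{2})(\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    rule: str
    action: str    # "block" or "warn"
    detail: str


@dataclass
class Message:
    subject: str
    body: str
    encrypted: bool = False   # assumption: set by the gateway when the message is encrypted


def redact(last4: str) -> str:
    """Never echo a full SSN into logs or tickets; keep only the last four digits."""
    return f"***-**-{last4}"


def find_full_ssns(text: str) -> list[str]:
    """Return the last four digits of every full SSN found (never the whole number)."""
    hits = [m.group(3) for m in DELIMITED_SSN.finditer(text)]
    hits += [m.group(3) for m in BARE_SSN.finditer(text)]
    return hits


def check_message(msg: Message) -> list[Finding]:
    """Apply the policy: a full SSN in clear text is blocked; in an encrypted message it
    is allowed but still flagged, since the MRN and a partial SSN would have sufficed."""
    text = f"{msg.subject}\n{msg.body}"
    findings = []
    for last4 in find_full_ssns(text):
        if msg.encrypted:
            findings.append(Finding("full-ssn", "warn",
                                    f"full SSN {redact(last4)} sent encrypted; prefer MRN plus last four"))
        else:
            findings.append(Finding("full-ssn", "block",
                                    f"full SSN {redact(last4)} in clear-text message"))
    return findings


def should_block(msg: Message) -> bool:
    return any(f.action == "block" for f in check_message(msg))


if __name__ == "__main__":
    # Constructed samples, no real data.
    samples = [
        Message("re: chart", "Patient SSN 123-45-6789, please update the chart."),
        Message("re: chart", "SSN ending 6789; MRN 1234567."),
        Message("re: chart", "Social security: 123456789"),
        Message("re: billing", "Account 987654321 was charged."),
        Message("re: chart", "SSN 123-45-6789", encrypted=True),
    ]
    for s in samples:
        print(should_block(s), [f.detail for f in check_message(s)])
```

The split between delimited and bare patterns is the practical part: a bare nine-digit run matches MRNs, account numbers and ticket IDs, so it is only treated as an SSN next to an SSN keyword, whereas the dashed form is reported wherever it appears. Phone numbers such as 615-936-3594 do not match the 3-2-4 grouping.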
Reference: HR-025: "Electronic Communications and Information Technology Resources"
If you identify yourself in any online forum as a faculty/staff member of VUMC or use your Vanderbilt email address, you must make it clear that you are not speaking for VUMC and that all submissions represent your own personal views and comments. Do not post digital images or messages containing protected health information (PHI) without written authorization from the patient. Remember that recognizable markings or body parts are PHI. Remember that all content contributed on any platform becomes immediately searchable and can be immediately shared; it leaves your control forever. Known or suspected incidents involving use or disclosure of PHI or Personal Information through social networking are reported to the VUMC Privacy Office and investigated. New federal law and regulations require breach notification and reporting when a patient's health information is accessed, used, or disclosed in a way that violates the HIPAA Privacy Rule and poses a significant risk of reputational, financial, or other harm to the individual.
Reference: Operations Policy, 10-40.05: "Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information"
When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services (HHS). These federal regulations are in addition to the State of Tennessee notification requirements already in place for a security breach of unencrypted computerized data containing Personal Information. Accessing an individual's medical or personal information without appropriate authorization may trigger the federal breach notification requirements. Unintentional and accidental disclosures resulting from careless handling of PHI may also trigger federal breach notification requirements, with very narrowly defined exceptions.
Accessing a co-worker's medical record out of curiosity or concern, or just to look up a room number, may trigger the federal breach notification requirements. Encryption of computerized information, or destruction of paper, film, or hard-copy information, are the only acceptable methods of "securing PHI" so that the State and Federal breach notification requirements are not triggered. Operations Policy 10-40.05, "Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information," defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use, or disclosure of PHI or computerized Personal Information so that the appropriate notification requirements are satisfied.
Patient information may be used or disclosed:
To provide treatment or services for the patient
To bill or collect payment for services
As required in order to do your job as part of defined health care operations
As required or allowed by law
With appropriate authorization by the patient or the patient's legal representative
**Except for purposes of treatment, only the Minimum Necessary may be shared**
The types of breaches covered in this training:
Careless handling of patient information
Unauthorized access to or disclosure of patient information
Sharing passwords or allowing others to work under the same user ID
Examples of careless handling of patient information:
Documents containing patient information faxed to the wrong recipient or fax number.
Patient information mailed or handed to the wrong recipient.
Printed documents containing patient or other confidential information left unattended in a public place.
Gossiping or sharing patient information with someone who is not authorized to know.
Reports or billing statements containing patient information mailed to the wrong patient.
Patient information discussed by staff or faculty in waiting rooms, elevators, or other public areas where others can overhear.
Accidental access of a patient's medical record by selecting the wrong patient in a search by name.
Avoiding careless handling of patient information:
When faxing a document, always use a cover sheet that includes the sender's full name, department or clinic name, and complete phone number and fax number. Double-check and always confirm that you are sending the right patient's information to the right recipient at the confirmed fax number.
When you select a recipient for faxed documents from the StarPanel Fax Directory, always confirm that you have the correct provider by name, specialty, office location, and fax number.
When mailing patient information, always double-check that you are sending the correct patient's information to the correct person at the correct address.
Be sure to verify that you are giving the correct patient the information belonging to that patient.
When looking for a patient's medical record, use more than first and last name to identify the correct patient, e.g., birth date or middle name.
MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.
Avoid conversations about patients in any area that is open to the public where you might be overheard.
Examples of unauthorized access to or disclosure of patient information:
Staff or faculty accessing a co-worker's or a co-worker's family member's medical record without written authorization (out of curiosity or concern).
Staff or faculty accessing a co-worker's medical record to locate a room number or personal contact information (home number or mailing address).
Staff or faculty accessing the medical records of others (family, friends, others) without a job-related need or documented authorization.
Failure to ask visitors and family members to leave the patient's room prior to discussing confidential information with the patient.
Staff accessing the record of a patient not assigned to their unit for care, out of curiosity, concern, or boredom.
Staff accessing a patient record with blatant disregard for privacy, for personal use, or with malicious intent.
Staff inappropriately using email or the internet to disclose a patient's personal or health information.
Prior to accessing a patient's record for any reason other than completion of your assigned job duties, there must be documentation in the medical record showing that the patient granted you permission before you accessed the record. Written authorization may be in the form of a note entered into the medical record documenting verbal permission or, preferably, a signed copy of the "Authorization to Access Medical Records" form (MC1814). (This form is available on e-docs, electronically within StarPanel in clinics that have signature pad capability, or through the Privacy Office.) The Privacy Office regularly audits the medical records of all VMC staff and faculty who are admitted as patients for access by co-workers.
Patients may request an audit of their medical record if they believe a staff or faculty member has accessed it without appropriate authorization. Whenever possible, allow the patient to determine which family members or others involved in their care are communicated with regarding the patient's care and services. Do not assume that the patient agrees for a visitor or family member in the patient's room to see or hear any personal health information. Gossiping about a faculty/staff member's health information resulting in the individual filing a complaint, gossiping about a VUMC patient's health information, or gossiping about or sharing PHI obtained through your role at VMC are all considered privacy violations and will result in appropriate disciplinary action. All incidents and complaints are investigated, and all violations result in disciplinary action, up to and including termination.
Examples of password sharing and working under another user's identification:
A staff or faculty member logs onto a workstation in a shared work area and leaves the device, allowing others to access patient information under the user identification first used.
A staff or faculty member accesses electronic patient information without first logging on with their own unique identification.
A staff or faculty member shares their own unique User ID and Password that allows access to restricted systems and/or confidential information or PHI of others.
A staff or faculty member shares a User ID and Password that allows access only to that individual's computer or personal information, not to restricted systems or confidential data.
Sharing Passwords and Using Someone Else's User ID

Individually assigned passwords to VUMC systems, applications, or devices are confidential codes. Even though a password might not allow access to PHI, it is still a security violation if it is shared or if you use someone else's password to access confidential systems or information. Sharing your user name/password, or using someone else's user name/password, that allows access to a restricted system and confidential information or PHI of others is an even more serious violation and may result in a Final PIC for staff and a written warning for faculty and house staff. As explicit roles are defined within applications and systems, user IDs and passwords will be used to drive communication and escalation of alerts and messages. Corrupting the integrity of the unique user ID and password may seriously disrupt that communication and result in harm to a patient.
Commitment to maintaining the confidentiality of your user ID and password is a matter of personal integrity. Do not share your confidential passwords with anyone, including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives or folders as a secure means of sharing access to files or databases without sharing individual user identification. Workstations must be secured by locking the screen or logging off whenever the user walks away. Failure to lock the computer screen may result in others using the system under someone else's user identification, which is a data integrity concern, and allows unauthorized individuals to view confidential information. Visitors or other individuals not authorized to access VMC systems may access information through an unattended device left logged on. If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient's record, inappropriate use of the Internet).
Contacts for questions or reports:
Privacy Office: (615) 936-3594 or e-mail Privacy.Office@vanderbilt.edu
Help Desk: 343-HELP (343-4357)
Compliance Reporting Line: 343-0135
Patient privacy complaints: always forward to Patient Affairs (322-6154) or the Privacy Office
Your manager
Some privacy/security breaches result from individuals being careless, while others result from deliberate actions. Follow the practices set forth in this training presentation and you will avoid committing the most frequent types of breaches that occur at VUMC. If you have any questions or need to report a concern, please contact the Privacy Office at (615) 936-3594 or privacy.office@vanderbilt.edu. To complete the training, you must print the HIPAA Test and submit it to the manager in your department for filing in your personnel file.