HIPAA Privacy & Security EVMS Health Services 2004 Training.


1 HIPAA Privacy & Security EVMS Health Services 2004 Training

2 Privacy & Security
– Privacy: what should be protected
– Security: how to protect it

3 Privacy
What should be protected? Any health information that can be used to identify the patient.

4 Patient Identifiers
– Name
– Date of Birth
– Date of Visit
– Social Security #
– Postal Address (even zip)
– Telephone/Fax #
– Medical record/Chart #
– Email Address/URL
– Account #
– Photographs

5 Privacy
Ways to protect patient information:
– Turn computer screens inward
– Keep patient schedules covered
– Talk quietly; don’t use the patient’s name
– Shred documents
– Verify identity before disclosure
– Use security controls

6 Security
Security is a process, not a product.
Examples of Security Controls:
– Set automatic log-offs after 20 minutes
– Use screensavers w/ password features
– Virus protection software
– Log-on trails

7 Security
The weakest link in security is people. Why?
– Don’t see it as important
– Laziness
– Averse to technology
– Don’t know controls are there

8 People Controls - management/leadership
– Don’t assign system passwords until employees have had Privacy Training
– Tell staff how to safeguard work areas
– Store confidential information on the network drive, not the hard drive
– Don’t ever share passwords

9 People Controls - Monitor Behavior
– Are staff logging off computers?
– Are they accessing information not needed for their job?
– Is sensitive information removed whenever possible (minimum necessary rule)?
– Are fax cover sheets used?
– Are recycling bins used?
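Two of the monitoring questions above (are staff logging off within the 20-minute auto-log-off window from slide 6, and are they accessing records they do not need for their job) can be answered from the log-on trail rather than by walking the floor. The following is an added example, not EVMS material: the log line format, user names, MRNs, and the ASSIGNED and EMPLOYEE_MRNS tables are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed log-on trail: timestamp|user|event|patient_id (blank for LOGON/LOGOFF)
AUDIT_LOG = """\
2004-03-01T08:00:00|jsmith|LOGON|
2004-03-01T08:05:00|jsmith|VIEW|MRN-1001
2004-03-01T08:40:00|jsmith|VIEW|MRN-2002
2004-03-01T09:10:00|jsmith|LOGOFF|
2004-03-01T08:15:00|rjones|LOGON|
2004-03-01T08:16:00|rjones|VIEW|MRN-3003
2004-03-01T08:20:00|rjones|LOGOFF|
""".splitlines()

# Hypothetical care assignments: the records each user needs for their job
ASSIGNED = {"jsmith": {"MRN-1001"}, "rjones": {"MRN-3003", "MRN-2002"}}
# Hypothetical list of employees who are also patients (co-worker PHI)
EMPLOYEE_MRNS = {"MRN-2002": "rjones"}
IDLE_LIMIT = timedelta(minutes=20)  # the 20-minute auto-log-off from slide 6

def parse(lines):
    """Split each line into (datetime, user, event, mrn), ordered by time."""
    rows = []
    for line in lines:
        ts, user, event, mrn = line.split("|")
        rows.append((datetime.fromisoformat(ts), user, event, mrn))
    return sorted(rows)

def idle_violations(lines, limit=IDLE_LIMIT):
    """Sessions that stayed logged on longer than `limit` with no activity.
    Returns (user, start of the idle gap, idle minutes) for every such gap."""
    last, hits = {}, []
    for ts, user, event, _ in parse(lines):
        if event == "LOGON":
            last[user] = ts
            continue
        if user in last and ts - last[user] > limit:
            gap = int((ts - last[user]).total_seconds() // 60)
            hits.append((user, last[user].isoformat(), gap))
        last[user] = ts
        if event == "LOGOFF":
            last.pop(user, None)
    return hits

def need_to_know_violations(lines, assigned=ASSIGNED, employees=EMPLOYEE_MRNS):
    """Record views outside the user's assignment; co-worker records are tagged."""
    hits = []
    for _, user, event, mrn in parse(lines):
        if event == "VIEW" and mrn not in assigned.get(user, set()):
            kind = "co-worker PHI" if mrn in employees else "outside assignment"
            hits.append((user, mrn, kind))
    return hits
```

Both findings are what the Privacy Office would expect reported under slides 9 and 15; the script only flags them, the follow-up is the supervisor's.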

10 People Controls - Monitor Actions
– Is the Privacy Notice prominently displayed?
– Are new patients being asked to initial/sign the privacy notice acknowledgement?
– Are accidental disclosures logged in the patient’s disclosure log?
– Are privacy complaints being forwarded to the Privacy Office?

11 Fax Transmittals - controls
Always use a fax cover sheet that lets the recipient know who to contact “just in case” there is a transmission error. If you make a mistake, the “unauthorized” disclosure must be logged in the patient’s medical record.

12 Disclosure Log - in the medical record
We are required by law to “log” the following types of disclosures:
– Public health
– Social Services
– Law enforcement
– Unauthorized (or accidental) disclosures

13 Databases - #1 Risk area
Do it right:
– Get patient authorization (even for prospective research)
– Protect data w/ security controls
– Limit access
– Don’t store on portable devices
– Update data fields

14 EVMS Privacy & Security Manuals
It is your responsibility to follow the EVMS HIPAA Privacy & Security Policy & Procedures. Each manager is required to review the Privacy & Security procedures with staff.
Privacy Policy & Procedures: http://hsmail.evms.edu/compliance/compliance web/
Security Policy & Procedures: http://info.evms.edu/bfis/postdocs/itac_1/hipaa_ /policies_/bov20030710secu/default.htm

15 Mini Quiz
Someone is caught accessing the PHI of a co-worker. How do you handle this situation?
– Report person to supervisor/Privacy Office
– Tell person that she can get fired, but don’t report to Privacy Office
– Find out what person was looking at so you can report it
Answer: Report person to supervisor/Privacy Office immediately

16 Mini Quiz
What are some ways to protect patient information?
– Turn computer screens inward
– Keep schedules covered up
– Talk quietly, without using the patient’s name
– All of the above
Answer: All of the above

17 Mini Quiz
You use an electronic device to store/use health information. How do you protect the information?
– Log off the system when not in use
– Store information on a password-protected network drive
– Keep portable devices on you or locked up at all times
– All of the above
Answer: All of the above

18 Mini Quiz
The following are patient identifiers:
A) Date of birth
B) Date of office visit
C) Strep throat diagnosis
D) A & C
E) A & B
Answer: E) A & B

19 Mini Quiz
A patient does not want to be contacted by EVMS for fundraising purposes. What should be done?
A) Remove the patient’s address & telephone # from IDX
B) Ask the patient to complete an opt-out fundraising form & forward it to the Privacy Office
C) Call the EVMS Institutional Advancement office for advice
Answer: B!

20 Mini Quiz
Are you allowed to share passwords?
– It is ok to give passwords to nurses, but no one else
– IDX passwords can be shared but not electronic medical record passwords
– No one is allowed to share passwords – ever
Answer: No one is allowed to share passwords!

21 Privacy - questions/concerns
Contact the Privacy Office:

