Privacy and Information Security Training ( 2006 - 07 )


13 Jun 2012


Privacy and Information Security Non-VUMC Training


Vanderbilt University Medical Center

Information Privacy & Security Website:

- It’s the right thing to do!
- It’s a VUMC Credo Behavior.
- It’s a key driver to overall patient
- It’s the law!

Things You Need To Know:

Disposal of Written Documents:

Written documentation or printed documents that contain VUMC Protected Health Information must
be placed in a shredder bin or processed through a shredding device (preferably a cross-cut
shredder). Shredder bins are located throughout the Medical Center.

Disposal of Labels Containing Patient Identifiable Information:

Do not dispose of labels or containers that contain patient identifiable information in
regular trash containers.

Labels affixed to IV bags or specimen containers that cannot be removed for shredding
must be placed in biohazard red bags.

Disposal of Film:

Films, microfilm, or microfiche are to be cut into pieces or chemically destroyed.

Disposal of Electronic Devices and Electronic Media

Department administrators are encouraged to work with their LAN Manager or local
technology support provider for guidance in adhering to the requirements for disposal of
Electronic Devices and Electronic Media.

The information on devices or media must be erased and not recoverable before the device
or media is disposed of, surplused, or transferred within or between departments by:

- Destroying the information on the hard drive or media by reformatting.
- Removing the hard drive or other media and placing it in secure storage.
- Removing the hard drive or other media and physically destroying it.

Do not discard outdated, decommissioned, or broken electronic devices or electronic
media in dumpsters or regular trash containers.

Copier hard drives should be returned to the vendor for destruction.

Operations Policy OP 10: “Disposal of Confidential Information”

Photography for purposes of patient care does not require additional consent beyond the
standard Consent for Treatment.

Patient Identifiable Photography is Protected Health Information (PHI) and use and disclosure
of this PHI must comply with all Information Privacy and Security Policies for PHI.

Photography for purposes other than patient care generally does require explicit consent.

Upload patient photos to the EMR or another secure server and delete them from the
device used to capture the image(s). Do not identify patient photographs with more than the
minimum necessary (e.g. avoid SSN and patient phone number).

Do not post photography of patients in public areas, on internet websites, or blogs without
written or documented verbal consent from the patient/legal representative.

to the

- Permissible uses of Photography;
- Requirements for consent, camera and recording equipment, and storage/retention of images;
- Use and disclosure of Photography images; and
- Behaviors that are not permissible by staff/faculty related to Photography of patients.

Permission to Take and Use Photography or Videos (MC 3930): use for performance improvement,
or other non-media related acceptable purposes.

Media Relations Authorization to Create, Use, or Disclose Photographs or Videos for Media
Releases and Public Relations (MC6690): use for public relations, media, or marketing purposes
is coordinated through VU Media and Public Relations staff and uses a specific consent form.

Patient Authorization for Security Photographs (MC3642): use in the newborn nursery areas for
newborn Photography.


10.10: “Patient Photography and Video Imaging”


Do not use the full nine-digit social security number in an electronic message unless the
message has been encrypted or otherwise secured.

Use the Medical Record Number as the primary identifier and only a part of the patient’s
name (if needed), such as last name or initials.

Do not use a patient’s full name associated with specific health information (e.g. reason for
visit, diagnosis, procedures, or test results). Always follow the minimum necessary standard
when sharing patient information.

Use a Vanderbilt ID number as a primary
identifier for employees and students.

Files containing identifiable patient or other sensitive information may not be sent over the
Internet in clear text. Use security measures such as VPN technology, encryption, or another
secure transmission process.


The message basket system provides secure messaging among and between VUMC clinical staff
and faculty about a specific patient.


Policy 10: “Electronic Messaging of Individually Identifiable Patient and other Sensitive Information”

025: “Electronic Communications and Information Technology Resources”

If you identify yourself in any online forum as a faculty/staff member of VUMC or use your
Vanderbilt email address, you must make it clear you are not speaking for VUMC and that all
submissions represent your own personal views and comments.

Do not post digital images and messages containing protected health information (PHI) without
written authorization from the patient.

recognizable markings or body parts are

Remember that all content contributed on all platforms becomes searchable and can be
leaves your control forever.

Known or suspected incidents involving use or disclosure of PHI or Personal Information
through social networking are reported to the VUMC Privacy Office and investigated.

New federal law and regulations require breach notification and reporting when a patient’s
health information is accessed, used or disclosed in a way that violates the Privacy Rule of
HIPAA and poses a significant risk of reputational, financial, or other harm to the individual.



Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or
Other Personal Information

When breach notification is required, the individual whose information was breached must be
notified and the incident must be reported to the Secretary of Health and Human Services (HHS).

These federal regulations are in addition to the State of Tennessee notification
requirements already in place for security breach of unencrypted computerized
data containing Personal Information.

Accessing an individual’s medical or personal information without appropriate
authorization may trigger the federal breach notification requirements.

Unintentional and accidental disclosures resulting from careless handling of PHI may trigger
federal breach notification requirements, with very narrowly defined exceptions.

Accessing a co-worker’s medical record out of curiosity/concern or just to look up a room
number may trigger the federal breach notification requirements.

Encryption of computerized information or destruction of paper, film, or hard
copy information are the only acceptable methods of “securing PHI” so that the
State and Federal breach notification requirements are not triggered.

Operations Policy 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of
Individually Identifiable Patient or Other Personal Information” defines the procedures to be
followed upon discovery of known or suspected incidents involving unauthorized acquisition,
access, use or disclosure of PHI or computerized Personal Information so that appropriate
notification requirements are satisfied.

- To provide treatment or services for the patient
- To bill or collect payment for services
- As required in order to do your job as part of defined health care operations
- As required or allowed by law
- With appropriate authorization by the patient or the patient’s legal representative

Except for purposes of treatment, only the Minimum Necessary may be shared.

- Careless handling of patient information
- Unauthorized access or disclosure of patient information
- Sharing passwords or allowing others to work under the same user ID

Documents containing patient information faxed to the wrong recipient or fax number.

Patient information mailed or handed to the wrong recipient.

Printed documents containing patient or other confidential information left unattended
in a public place.

Gossiping or sharing patient information with someone who is not authorized to know.

Reports or billing statements containing patient information mailed to the wrong recipient.

Patient information discussed by staff or faculty in waiting rooms, elevators, or other
public areas where others can overhear.

Accidental access of a patient’s medical record by selecting the wrong patient in the
search by name.

When faxing a document, always use a cover sheet that includes the sender’s full name,
department or clinic name, and complete phone number and fax number.

Always confirm, to be sure you are sending the right patient’s information to the right
recipient at the confirmed fax number.

When you select a recipient for faxed documents
from StarPanel Fax Directory always confirm
that you have the correct provider by name,
specialty, office location, and fax number.

When mailing patient information, always be sure you are sending the correct patient’s
information to the correct person at the correct address.

Be sure to verify that you are giving the
correct patient the information belonging to
that patient.

When looking for a patient’s medical
record, attempt to use more than first and
last name to identify the correct patient;
e.g. birth date or middle name

MyHealthatVanderbilt is a secure web
portal that can be used as an alternative to
email and faxing when communicating
with patients.

Avoid conversations about patients in an
area that is open to the public where you
might be overheard.

Staff or faculty accessing a co-worker’s or a co-worker’s family member’s medical record
without having written authorization (out of curiosity or concern).

Staff or faculty accessing a co-worker’s medical record to locate a room number or
personal contact information (home number or mailing address).

Staff or faculty accessing the medical records of others (family, friends, others) without a
job-related need or documented authorization.

Failure to ask visitors and family members to leave the patient room prior to discussing
confidential information with the patient.

Staff accessing the record of a patient not
assigned to their unit for care out of
curiosity or concern or boredom.

Staff accessing the patient record with
blatant disregard for privacy,
for personal
use or malicious intent.

Staff inappropriately using email/internet, disclosing patient personal or health information.

Prior to accessing a patient’s record for any reason other than completion of your assigned
job duties, there should be documentation in the medical record showing the patient has
granted you permission prior to accessing the record. Written authorization may be in the
form of a note entered into the medical record documenting verbal permission or, preferably,
a signed copy of the “Authorization to Access Medical Records” form (MC1814). (This form
is available on e-docs, electronically within StarPanel in clinics that have signature pad
capability, or through the Privacy Office.)

The Privacy Office regularly audits the medical records of all VMC staff and faculty that are
admitted for access by co-workers.

Patients may request an audit of the medical record if they believe a staff or faculty member
has accessed their record without appropriate authorization.

Whenever possible, allow the patient to determine which family members or others involved
in their care are communicated with regarding the patient’s care and services. Do not assume
that the patient agrees for a visitor or family member in the patient’s room to see or hear any
personal health information.

Gossiping about a faculty/staff member’s health information resulting in the individual filing
a complaint, gossiping about a VUMC patient’s health information, or gossiping or sharing
PHI secured through your role at VMC are all considered privacy violations and will result in
appropriate disciplinary action.

All incidents/complaints are investigated and all violations result in disciplinary action, up to
and including termination.

Staff or faculty member logs onto electronic workstation in a shared work area and leaves the
device allowing others to access patient information under the user identification first used.

Staff or faculty member accesses electronic patient information without first logging on with
their own unique identification.

Staff or faculty member shares their own unique User ID and Password that allows access to
restricted systems and or confidential information or PHI of others.

Staff or faculty member shares User ID and Password that allows access to that individual’s
computer or personal information, not to restricted systems or confidential data.

Individually assigned passwords to VUMC systems, applications, or devices are
confidential codes. Even though the password might not allow access to PHI it is still
considered a security violation if it is shared or if you use someone else’s password to
access confidential systems or information.

Sharing your user name/password or using someone else’s user name/password that
allows access to a restricted system and confidential information or PHI of others is an
even more serious violation and may result in Final PIC for staff, written warning for
faculty and house staff.

As explicit roles are defined within applications and systems, user ID and password will
be used to drive communication and escalation of alerts and messages. Corrupting the
integrity of the unique user ID and password may seriously disrupt that communication
and result in harm to the patient.

Sharing Passwords and
Using Someone Else’s
User ID

Commitment to maintain the confidentiality of your user ID and password is a matter of
personal integrity.

Do not share your confidential passwords with anyone including a manager or system
administrator. Contact your LAN manager or system administrator to set up shared drives or
folders as a secure means for sharing access to files or databases without sharing individual
user identification.

Workstations must be secured by locking the screen or logging off whenever the user walks
away. Failure to lock the computer screen may result in others using the system under someone
else’s user identification which is a data integrity concern.

Failure to lock the computer screen allows unauthorized individuals to view confidential
information. Visitors or other individuals not authorized to access VMC systems may access
information through an unattended device left logged on.

If you fail to log off a computer or lock the screen and someone else uses the computer under
your user identification, you may be held accountable for any activity that results (e.g.,
unauthorized access to a patient’s record, inappropriate use of the Internet).


- Privacy Office (936-3594) or e-mail
- Help Desk 343-HELP (343-
- Compliance Reporting Line (343-
- Always forward patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.
- Your manager

Some privacy/security breaches occur from individuals being careless while others
occur from deliberate actions.

Follow the practices set forth in this training presentation and you will avoid
committing the most frequent type of breaches that occur at VUMC.

If you have any questions or need to report a concern, please contact the Privacy
Office at (615) 936-3594 or

To complete the training you must print off the
and submit it to the manager in your
department for filing in your personnel file.