Privacy and Information Security Training ( 2006 - 07 )

stagebetterSecurity

Jun 13, 2012


Privacy and Information Security Non-VUMC Training - 2010-2011

Vanderbilt University Medical Center

Information Privacy & Security Website: www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity

It’s the right thing to do!

It’s a VUMC Credo Behavior.

It’s a key driver to overall patient satisfaction!

It’s the law!

Things You Need To Know:

Disposal of Written Documents:

Written documentation or printed documents that contain VUMC Protected Health Information MUST be placed in a shredder bin or processed through a shredding device (preferably a cross-shredder). Shredder bins are located throughout the Medical Center.



Disposal of Labels Containing Patient Identifiable Information:

DO NOT dispose of labels or containers that contain patient identifiable information in regular trash containers.

Labels affixed to IV bags or specimen containers that cannot be removed for shredding MUST be placed in biohazard red bags.



Disposal of Film:

Films, microfilm, or microfiche are to be cut into pieces or chemically destroyed.

Disposal of Electronic Devices and Electronic Media:

Department administrators are encouraged to work with their LAN Manager or local technology support provider for guidance in adhering to the requirements for disposal of Electronic Devices and Electronic Media.

The information on devices or media must be erased and not recoverable before the device or media is disposed of, surplused, or transferred within or between departments, by one of the following:

Destroying the information on the hard drive or media by reformatting.

Removing the hard drive or other media and placing it in secure storage.

Removing the hard drive or other media and physically destroying it.

DO NOT discard outdated, decommissioned, or broken electronic devices or electronic media in dumpsters or regular trash containers.

Copier hard drives should be returned to the vendor for destruction.

Reference: Operations Policy, OP 10-40.22: “Disposal of Confidential Information”


Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment.

Patient Identifiable Photography is Protected Health Information (PHI), and use and disclosure of this PHI must comply with all Information Privacy and Security Policies for PHI.

Photography for purposes other than patient care generally does require explicit consent.

Immediately upload patient photos to the EMR or another secure server and delete them from the device used to capture the image(s). Do not identify patient photographs with more than the minimum necessary (e.g. avoid SSN and patient phone number).

Do Not post Photography of patients in public areas, on internet websites, or blogs without written or documented verbal consent from the patient/legal representative prior to the posting.



Permissible uses of Photography;


Requirements for consent, camera and recording equipment, and storage/retention of images;


Use and disclosure of Photography images; and


Behaviors that are not permissible by staff/faculty related to Photography of patients.


Permission to Take and Use Photography or Videos (MC 3930) - use for education/training, performance improvement, or other non-media related acceptable purposes.

Media Relations - Authorization to Create, Use, or Disclose Photographs or Videos for Media Releases and Public Relations (MC6690) - use for public relations, media, or marketing purposes is coordinated through VU Media and Public Relations staff and uses a specific consent form.

Patient Authorization for Security Photographs (MC3642) - use in the newborn nursery areas for newborn Photography.


Reference: Operations Policy, 20-10.10: “Patient Photography and Video Imaging”


NEVER use the full nine-digit social security number in an electronic message unless the message has been encrypted or otherwise secured!

Use the Medical Record Number as the primary identifier and only a part of the patient’s name (if needed), such as last name or initials.

DO NOT use a patient’s full name associated with specific health information (e.g. reason for visit, diagnosis, procedures, or test results). Always follow the minimum necessary standard when sharing patient information.

Use a Vanderbilt ID number as a primary identifier for employees and students.

Files containing identifiable patient or other sensitive information may not be sent over the Internet in clear text. Security measures such as VPN technology, encryption, or another secure transmission process must be used.

The StarPanel message basket system provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.


Reference: Operations Policy, 10-40.37: “Electronic Messaging of Individually Identifiable Patient and other Sensitive Information”

Reference: HR-025: “Electronic Communications and Information Technology Resources”


If you identify yourself in any online forum as a faculty/staff member of VUMC or use your Vanderbilt email address, you must make it clear you are not speaking for VUMC and that all submissions represent your own personal views and comments.

Do not post digital images and messages containing protected health information (PHI) without written authorization from the patient. Remember: recognizable markings or body parts are PHI.

Remember that all content contributed on all platforms becomes immediately searchable and can be immediately shared. It immediately leaves your control forever.

Known or suspected incidents involving use or disclosure of PHI or Personal Information through social networking are reported to the VUMC Privacy Office and investigated.




New federal law and regulations require breach notification and reporting when a patient’s health information is accessed, used or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant risk of reputational, financial, or other harm to the individual.

Reference: Operations Policy, 10-40.05: “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information”



When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services (HHS).

These federal regulations are in addition to the State of Tennessee notification requirements already in place for security breach of unencrypted computerized data containing Personal Information.

Accessing an individual’s medical or personal information without appropriate authorization may trigger the federal breach notification requirements.

Unintentional and accidental disclosures resulting from careless handling of PHI may trigger federal breach notification requirements, with very narrowly defined exceptions.

Accessing a co-worker’s medical record out of curiosity/concern or just to look up a room number may trigger the federal breach notification requirements.

Encryption of computerized information or destruction of paper, film, or hard copy information are the only acceptable methods of “securing PHI” so that the State and Federal breach notification requirements are not triggered.

Operations Policy, 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information” defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or computerized Personal Information so that appropriate notification requirements are satisfied.


To provide treatment or services for the patient

To bill or collect payment for services

As required in order to do your job as part of defined health care operations

As required or allowed by law

With appropriate authorization by the patient or the patient’s legal representative

** Except for purposes of treatment, only the Minimum Necessary may be shared **


Careless handling of patient information

Unauthorized access or disclosure of patient information

Sharing passwords or allowing others to work under the same user ID

Documents containing patient information faxed to the wrong recipient or fax number.

Patient information mailed or handed to the wrong recipient.

Printed documents containing patient or other confidential information left unattended in a public place.

Gossiping or sharing patient information with someone who is not authorized to know.

Reports or billing statements containing patient information mailed to the wrong patient.

Patient information discussed by staff or faculty in waiting rooms, elevators, or other public areas where others can overhear.

Accidental access of a patient’s medical record by selecting the wrong patient in the search by name.





When faxing a document always use a cover sheet that includes the sender’s full name, department or clinic name, and complete phone number and fax number. Double check and always confirm to be sure you are sending the right patient’s information to the right recipient at the confirmed fax number.

When you select a recipient for faxed documents from the StarPanel Fax Directory, always confirm that you have the correct provider by name, specialty, office location, and fax number.

When mailing patient information always double check to be sure you are sending the correct patient’s information to the correct person at the correct address.

Be sure to verify that you are giving the correct patient the information belonging to that patient.

When looking for a patient’s medical record, attempt to use more than first and last name to identify the correct patient; e.g. birth date or middle name.

MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.

Avoid conversations about patients in an area that is open to the public where you might be overheard.


Staff or faculty accessing a co-worker’s or a co-worker’s family member’s medical record without having written authorization (out of curiosity or concern).

Staff or faculty accessing a co-worker’s medical record to locate room number, or personal contact information (home number or mailing address).

Staff or faculty accessing the medical records of a co-worker or of others (family, friends, others) without a job related need or documented authorization.

Failure to ask visitors and family members to leave the patient room prior to discussing confidential information with the patient.

Staff accessing the record of a patient not assigned to their unit for care out of curiosity or concern or boredom.

Staff accessing the patient record with blatant disregard for privacy, for personal use or malicious intent.

Staff inappropriately using email/internet to disclose patient personal or health information.



Prior to accessing a patient’s record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing the patient has granted you permission prior to accessing the record. Written authorization may be in the form of a note entered into the medical record documenting verbal permission or, preferably, a signed copy of the “Authorization to Access Medical Records” form (MC1814). (This form is available on e-docs, electronically within StarPanel in clinics that have signature pad capability, or through the Privacy Office.)

The Privacy Office regularly audits the medical records of all VMC staff and faculty that are admitted for access by co-workers.

Patients may request an audit of the medical record if they believe a staff or faculty member has accessed their record without appropriate authorization.



Whenever possible, allow the patient to determine which family members or others involved
in their care are communicated with regarding the patient’s care and services. Do not assume
that the patient agrees for a visitor or family member in the patient’s room to see or hear any
personal health information.



Gossiping about a faculty/staff member’s health information resulting in the individual filing
a complaint, gossiping about a VUMC patient’s health information, or gossiping or sharing
PHI secured through your role at VMC are all considered privacy violations and will result in
appropriate disciplinary action.



All incidents/complaints are investigated and all violations result in disciplinary action, up to
and including termination.



Staff or faculty member logs onto electronic workstation in a shared work area and leaves the
device allowing others to access patient information under the user identification first used.



Staff or faculty member accesses electronic patient information without first logging on with
their own unique identification.



Staff or faculty member shares their own unique User ID and Password that allows access to restricted systems and/or confidential information or PHI of others.



Staff or faculty member shares User ID and Password that allows access to that individual’s
computer or personal information, not to restricted systems or confidential data.


Individually assigned passwords to VUMC systems, applications, or devices are
confidential codes. Even though the password might not allow access to PHI it is still
considered a security violation if it is shared or if you use someone else’s password to
access confidential systems or information.



Sharing your user name/password or using someone else’s user name/password that
allows access to a restricted system and confidential information or PHI of others is an
even more serious violation and may result in Final PIC for staff, written warning for
faculty and house staff.



As explicit roles are defined within applications and systems, user ID and password will
be used to drive communication and escalation of alerts and messages. Corrupting the
integrity of the unique user ID and password may seriously disrupt that communication
and result in harm to the patient.

Sharing Passwords and Using Someone Else’s User ID


Commitment to maintain the confidentiality of your user ID and password is a matter of
personal integrity.


Do not share your confidential passwords with anyone including a manager or system
administrator. Contact your LAN manager or system administrator to set up shared drives or
folders as a secure means for sharing access to files or databases without sharing individual
user identification.


Workstations must be secured by locking the screen or logging off whenever the user walks
away. Failure to lock the computer screen may result in others using the system under someone
else’s user identification which is a data integrity concern.


Failure to lock the computer screen allows unauthorized individuals to view confidential
information. Visitors or other individuals not authorized to access VMC systems may access
information through an unattended device left logged on.


If you fail to log off a computer or lock the screen and someone else uses the computer under
your user identification, you may be held accountable for any activity that results (e.g.,
unauthorized access to a patient’s record, inappropriate use of the Internet).



Privacy Office (936-3594) or e-mail Privacy.Office@vanderbilt.edu

Help Desk 343-HELP (343-4357)

Compliance Reporting Line (343-0135)

Always forward Patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.

Your manager


Some privacy/security breaches occur from individuals being careless while others
occur from deliberate actions.



Follow the practices set forth in this training presentation and you will avoid
committing the most frequent type of breaches that occur at VUMC.



If you have any questions or need to report a concern, please contact the Privacy Office at (615) 936-3594 or privacy.office@vanderbilt.edu





To complete the training you must print off the HIPAA Test and submit it to the manager in your department for filing in your personnel file.