Privacy and Information Security Training (2009-2010) Privacy and Information Security Training 2009-2010 Vanderbilt University Medical Center Information.

Privacy and InformationSecurity Training

(2009-2010)

Privacy and Information Security Training 2009-2010

Vanderbilt University Medical CenterInformation Privacy & Security Website:

www.mc.vanderbilt.edu/root/vumc.php?site=InfoPrivacySecurity

Respect for Privacy and Confidentiality

You need to be familiar with a new information privacy and security policy about email that was developed and published in 2009:

Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information (OP 10-40.37)

Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information (OP 10-40.37)

Electronic messages (e.g. email, text messages, or instant messages) may contain personal information about patients, employees, students, or other

individuals that is regarded as sensitive or confidential.

Things You Need To Know: NEVER use the full nine-digit social

security number in an electronic message unless the message has been encrypted or otherwise secured!

Use the Medical Record Number as the primary identifier and only a part of the patient’s name (if needed), such as last name or initials.

DO NOT use a patient’s full name associated with specific health information (e.g. reason for visit, diagnosis, procedures, or test results).

Use a Vanderbilt ID number as a primary identifier for employees and students.

The MyHealthatVanderbilt patient portal is available for secure messaging between patients and clinical providers’ offices.

The StarPanel message basket system

provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.

E-mail Rule of Thumb

Reference: Operations Policy, 10-40.37 “Electronic Messaging of Individually Identifiable Patient and other Sensitive Information”

NEVER send unencrypted information over the Internet that you would not write on an open-faced postcard and drop in a public mailbox

You cannot control how a message you generate is forwarded or shared after you hit the “Send” button!

So, the best protection is content control!

New Federal Regulations

The individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services (HHS).

These federal regulations are in addition to the State of Tennessee notification requirements already in place for security breach of unencrypted computerized data containing Personal Information

New federal law and regulations require breach notification and reporting when a patient’s health information is accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant to risk of

reputational, financial, or other harm to the individual

Reference: Operations Policy, 10-40.05 “Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information”

Unintentional and accidental disclosures resulting from careless handling of

PHI, such as faxing or mailing patient medical or billing information to the

wrong person will trigger federal breach notification requirements.

Accessing an individual’s medical record or Personal Information without

appropriate authorization may trigger the breach notification requirements.

Personal Information is defined as an individual’s first name or first initial and

last name, in combination with a social security number; drivers license

number; and/or account number, credit or debit card number, in combination

with any required security code, access code or password.

Breach Notification Regulations

Things You Need To Know:

Encryption of computerized PHI or Personal Information is the only Safe Harbor exception to the State and Federal breach notification requirements.

Known or suspected incidents involving unauthorized access, acquisition, use or disclosure of PHI or Personal Information are reported to the VMC Privacy Office.

The Privacy Office will consult with the VMC business leader in the investigation and management of the incident including documentation of a: Risk Assessment (for potential financial, reputational, or other harm to the

individual). Recommended mitigation steps to reduce the potential for harm. Application of the applicable breach notification and reporting requirements

according to defined protocols.

Breach Notification Policy - OP 10-40-.05

Things You Need To Know:

Revised Vanderbilt University Policy:Computing Privileges and Responsibilities: Acceptable Use Policy (AUP)

The Acceptable Use Policy (AUP) establishes clear guidance as to how Vanderbilt staff, faculty, and students may use the university’s information technology resources.

The aim of the AUP is to ensure that the university’s information technology resources are used to promote the core mission of Vanderbilt in education, research and scholarship, patient care, and service.

Goals of the AUP include: That information technology resources are used for their intended purpose The use of information technology resources is consistent with principles and values that

govern use of other university facilities and services

Users should not expect that records created, stored or communicated  with  Vanderbilt information technology or in the conduct of  Vanderbilt's  business will  necessarily  be  private.

IT professionals are granted privileged access to systems and are, therefore, held to a higher standard for preserving the confidentiality and integrity of the systems and information.

Things You Need To Know:

Reference: “Computing Privileges and Responsibilities: Acceptable Use Policy” http://www.vanderbilt.edu/aup.html

Protecting Patient and Research Health Information

Authorized users who access, process, and store Protected Health Information (PHI) or Research Health Information

(RHI) on electronic computing end user devices are accountable for the protection and security of the data

including encryption of the device.

VMC policy specifies that when a legitimate business purpose exists requiring an individual to maintain identifiable Protected Health Information (PHI) or Research Health Information (RHI) on a device other than a secure network server that device must be encrypted.

Any desktop or laptop computer that is used to access or store individually identifiable PHI or RHI must be encrypted.

The centrally supported encryption solution (CheckPoint) must be used if the computer contains PHI or RHI.

Research involving VA Sensitive Information MAY NOT reside on non-VA owned equipment unless specifically designated and approved in advance by the appropriate VA officials.

Things You Need to Know:

Protecting Patient and Research Health Information

Reference: Operations Policy, 10-40.34 “Protection and Security of Protected Health Information”

Operations Policy, 10-40.35 “Protection and Security of Research Health Information”

Sharing Patient Information

To provide treatment or services for the patient

To bill or collect payment for services

As required in order to do your job as part of defined health care operations

As required or allowed by law

With appropriate authorization by the patient or the patient’s legal

representative

You must obtain authorization prior to use or disclosure of patient information except in the following circumstances:

Except for purposes of treatment, only the Minimum Necessary may be shared

Careless handling of patient information

Unauthorized access or disclosure of patient information

Sharing passwords or allowing others to work under the same user ID

The Most Common Privacy/Security Incidents Reported

Documents containing patient information faxed to the wrong recipient or fax number.

Reports or billing statements containing patient information mailed to the wrong patient or wrong address.

Patient information or documents given to the wrong patient.

Printed documents containing patient or other confidential information left unattended in a public place.

Cameras or data storage devices with unencrypted patient data or pictures lost or stolen.

Sharing sensitive patient information while visitors are present in the patient’s room without giving the patient an opportunity to object or consent.

Careless Handlingof Patient Information

Most Frequently Reported Incidents

When faxing a document always use a cover sheet that includes the sender’s full name, department or clinic name, and complete phone number and fax number. Double check and always confirm to be sure you are sending the right patient’s information to the right recipient at the confirmed fax number.

When mailing patient information always double check to be sure you are sending the correct patient’s information to the correct person at the correct address.

Always ask visitors to step out of the room before discussing clinical history or information with the patient, giving the patient the opportunity to consent to the visitor’s presence.

Do not leave documents where they are visible to others.

Always place confidential information in a shredder bin for disposal.

Careless Handlingof Patient Information

Things You Need to Know:

Most Frequently Reported Incidents

Unauthorized Access or Disclosure of Patient

Information

Staff or faculty accessing a co-worker’s medical record to locate a room number or personal contact information (home phone number or mailing address).

Staff or faculty accessing a co-worker’s or another person’s medical record without having written authorization.

Failure to ask visitors and family members to leave the room prior to discussing confidential information with the patient.

Staff inappropriately uses social networking (MySpace, Face Book, Twitter) that discloses patient information.

Things You Need to Know: Whenever possible, allow the patient to determine which family members or

others involved in their care are communicated with regarding the patient’s care and services. Do not assume that the patient agrees for a visitor or family member to see or hear any personal health information.

Prior to accessing a patient’s medical record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing the patient has granted you permission prior to accessing the record.

Written authorization should be in the form of a signed authorization form granting the access.

Unauthorized Access or Disclosure of

Patient Information

The Privacy Office regularly audits the medical records of staff and faculty for access by co-workers.

Patients may request an audit of the medical record if they believe a staff or faculty member has accessed their record without appropriate authorization.

Gossiping about a faculty/staff member’s health information resulting in the individual filing a complaint, gossiping about a patient’s health information, or gossiping or sharing PHI secured through your job role are all considered privacy violations and will result in disciplinary action.

Unauthorized Access or Disclosure of

Patient Information

Things You Need to Know:

All incidents/complaints are investigated and all violations result in disciplinary action, up to and

including termination.

Unauthorized Access or Disclosure of Patient Information

WHEN IN DOUBT

Always Get Written

Patient Authorization

Staff or faculty member logs onto electronic workstation in a shared work area and leaves the device allowing others to access patient information under the user identification first used.

Staff or faculty member accesses electronic patient information without first logging on with their own unique identification.

Individual user identification is essential to maintaining the accuracy,integrity, and confidentiality of the electronic information systems and the

patient’s medical record.

Sharing Passwords and Using Someone Else’s

User ID

Most Frequently Reported Incidents

Things You Need to Know:

Individually assigned passwords to VUMC systems, applications, or devices are confidential codes. Even though the password might not allow access to PHI it is still considered a security violation if it is shared or if you use someone else’s password to access confidential systems or information.

Sharing your user name/password or using someone else’s user name/password that allows access to confidential information or PHI of others is an even more serious violation .

If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet).

Sharing Passwords and Using Someone Else’s

User ID

As explicit roles are defined within applications and systems, user ID and password will be used to drive communication and escalation of alerts and messages. Corrupting the integrity of the unique user ID and password may seriously disrupt that communication and result in harm to the patient.

Commitment to maintain the confidentiality of your user ID and password is a matter of personal integrity.

Do not share your confidential passwords with anyone including a manager or system administrator.

Contact your LAN manager or system administrator to set up shared drives, folders, or other secure means for sharing access to files or databases without sharing individual user identification.

Sharing Passwords and Using Someone Else’s

User ID

Things You Need to Know:

Privacy Office (936-3594) or e-mail [email protected]

Help Desk 343-HELP (343-4357)

Compliance Reporting Line (343-0135)

Always forward Patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.

Your manager

Report Privacy Complaints or Suspected Violations to:

FINAL INSTRUCTIONS

To complete the training you must print and complete the HIPAA Test on the next slide and submit to the manager in your department for filing in your personnel file.

Any questions related to this training may be submitted to the Privacy Office at [email protected] or call

(615) 936-3594.

NON-VUMC TRAINING 2009 – 2010 TEST

1. Why Respect Privacy and Confidentiality?

a) It’s the right thing to do

b) It’s the law

c) It’s a key driver to overall patient satisfaction.

d) It’s a Vanderbilt University Medical Center Credo Behavior

e) All of the above

2. Use only part of the patient’s name (if needed), such as last name or initials in an electronic message when the full social security number is included.a) True b) False

3. New federal law and regulations require breach notification and reporting when a patient’s health information as accessed, used, or disclosed in a way that violates the Privacy Rule of HIPAA and poses a significant to risk of reputational, financial, or other harm to the individual. a) True b) False

4. Encryption of computerized PHI or Personal Information is the Safe Harbor exception to the State and Federal breach notification requirements.a) True b) False

5. It is okay to access the medical record of your spouse if you have access to the health record system.a) True b) False

6. Vanderbilt Policy requires that any desktop or laptop computer that is used to access or store individually identifiable Patient or Research Health Information (PHI or RHI) must be encrypted.a) True b) False

7. When faxing or mailing patient information always double check and confirm you are sending the correct patient information to the correct recipient at the correct address.a) True b) False

8. The Privacy Office routinely audits the medical records of staff and faculty admitted to VUH for access by co-workers.a) True b) False

9. Sharing your user name and password or using some else’s user name or password is a violation of Vanderbilt Policy.a) True b) False

10. Gossiping about a patient’s health information or sharing PHI secured through your job role resulting in the individual filing a complaint are all considered privacy violations and will result in disciplinary action?a) True b) False

Name:

Department:

Company Name