Overview of the HIPAA Privacy Rule and Policies
OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES

Presented by:

Barbara Lee Peace

Facility Privacy Official

Coliseum Medical Centers


COMPLIANCE DEADLINE

HIPAA Privacy Rule

April 14, 2003


What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

  • It’s a Federal law

  • Provides continuity of healthcare coverage

  • Administrative Simplification ???



  • Transactions

    • Requires standardized transaction content, formats, diagnostic & procedure codes, national identifiers for healthcare EDI transactions.

  • Privacy

    • Establishes conditions that govern the use and disclosure of individually identifiable health information.

    • Establishes patient rights in regard to their protected health information (PHI).

  • Security

    • Establishes requirements for protecting the confidentiality, availability and integrity of individually identifiable health information.


  • Civil

    • For failure to comply with transaction standards

    • $100 fine per occurrence; up to $25,000 per year

  • Criminal

    • For health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses

    • Penalties higher for actions designed to generate monetary gain

      • up to $50,000 and one year in prison for obtaining or disclosing protected health information

      • up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"

      • up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm


    Why do we need HIPAA?

    • 1996 - In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV.

    • 2000 - Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined less than 3% of those reviewing his records had even a remote connection to his care.

    • 2001 – An e-mail sent to the members of a Prozac informational listserv revealed the identities of other Prozac users.

    • Closer to Home


    Title II - Administrative Simplification

    • Federal Law vs. State Laws

    • Protect health insurance coverage, improve access to healthcare

    • Reduce fraud and abuse

    • Establish new pt rights and privacy control by establishing common transaction sets for sending and securing pt information

    • Improve efficiency and effectiveness of healthcare

    • Reduce healthcare administrative costs (electronic transactions) ???


    Who must comply?

    HIPAA applies to all Covered Entities (CE) that transmit protected health information electronically, such as:

    • Health Plan

    • Health Care Clearinghouse

    • Health Care Provider



    Confidentiality

    • The delicate balance between all employees', physicians' and volunteers' need to know and the patient's right to privacy is at the heart of HIPAA – Privacy.


    Practicing Privacy

    • Treat all information as if it were about you or your family.

    • Access only those systems you are officially authorized to access.

    • Use only your own User ID and Password to access systems.

    • Access only the information you need to do your job.


    Practicing Privacy (cont'd)

    • Refrain from discussing patient information in public places.

    • Create a “hard to guess” password and never share it.

    • Log-off or lock your computer workstation when you leave it.


    HIPAA MYTHS

    • WHITE BOARDS

    • SIGN IN SHEETS

    • PAGING

    • CALLING OUT NAMES

    • NAMES ON DOORS

    • STRUCTURES TO PREVENT DISCLOSURES


    Oral Communications

    • The following practices are permissible if reasonable precautions (lowering voices) are taken to minimize inadvertent disclosures to others:

    • Staff may communicate orally at the nursing stations

    • Health care professionals may discuss a pt’s treatment in a joint treatment area

    • Health care professionals may discuss a pt’s condition during patient rounds


    Common Terminology/Abbreviations (not all inclusive)

    • Affiliated Covered Entity (ACE) – Entities under common ownership or control may designate themselves as an ACE. Uses and disclosures of PHI are permitted w/out consent or authorization under TPO.

    • Treatment, Payment or Healthcare Operations (TPO) – the business practices the hospital carries out for its daily functions and services


    Terminology (cont'd)

    • Covered Entity (CE) – A health plan, healthcare clearinghouse, or healthcare provider that transmits any health information in connection with a transaction.

    • Designated Record Set (DRS) – Includes medical record and billing information used, in whole or in part, by or for the covered entity to make decisions about patients


    Terminology (cont'd)

    • Business Associate (BA) – A person, business or other entity who, on behalf of an organization covered by the regulations, performs or assists in performing a function or activity involving the use or disclosure of PHI.

    • Patient Health Information (PHI) – any identifying piece of information about a patient


    Terminology - What is PHI?

    Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins)

    • Name

    • Address

    • Photo images

    • Any date

    • Telephone/Fax numbers

    • Social Security Number

    • Medical record number

    • Health plan beneficiary number

    • Account number

    • Any other unique identifying number, characteristic, or code.


    Terminology (cont'd)

    • Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist phys group, ER phys group, volunteers, clergy, etc.


    Terminology (cont'd) - Notice of Privacy Practices (NOPP)

    • Disclosure of how PHI is used

    • Directory policy

    • Confidential Communications

    • Right to Access

    • Right to Amend

    • Accounting for Disclosures

    • Right to request restrictions on certain uses and disclosures

    • FPO contact information

    • Formal complaint process


    When can we use PHI?

    We can use PHI for Treatment, Payment and Healthcare Operations (TPO).

    • Business Associates (BA)

    • Affiliated Covered Entity (ACE)

    • Organized Health Care Arrangement (OHCA)


    Do you need to know this information to do your job? “Need to know basis” (Appropriate Access Policies)


    MINIMUM NECESSARY INFO

    • Facility uses and discloses the minimum amount of PHI necessary to accomplish the intended purpose.

    • Applies whether the hospital is sharing, examining or analyzing PHI, or whether we are responding to a request outside the facility.


    POLICIES

    9 CORPORATE POLICIES

    23 FACILITY POLICIES



    PATIENT PRIVACY PROGRAM REQUIREMENTS

    • HIM.PRI.001

    • LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS


    Privacy Official Policy

    • Policy HIM.PRI.002

    • Barbara Lee Peace, FPO (Facility Privacy Official), Ext 1682

    • Gayla White, LSC (Local Security Coordinator), Ext 1419


    PATIENT PRIVACY PROTECTION

    • HIM.PRI.003

    • Defines individual’s responsibility in protecting PHI

    • “Need to Know” is the basis for access


    Right to Access

    • HIM.PRI.004

    • Individuals have the right to inspect and obtain a copy of their PHI.

    • Facility/PASA will provide a readable hard copy of portions of DRS requested.

    • On-line access not available at this time

    • Individuals with system access are not permitted to access their record in any system.

    • Facility must act on a request for access within 30 days

    • Requests should be forwarded to the HIM Dept (unless Referral/Industrial or billing info)

    • May charge for copy according to GA Code


    RIGHT TO AMEND

    • HIM.PRI.005

    • Individuals have the right to amend PHI contained in the DRS for as long as the information is maintained.

    • For the intent of this policy, amend is defined as the patient's right to add to (append) information with which he/she disagrees; it does not include deleting, removing or otherwise changing the content of the record.

    • Requests for Amendment must be forwarded to the FPO for processing.


    RIGHT TO REQUEST PRIVACY RESTRICTIONS

    • HIM.PRI.006

    • Patients will be provided the right to request restriction of certain uses and disclosures of PHI.

    • Requests for such restrictions must be made in writing to the FPO.


    RIGHT TO REQUEST PRIVACY RESTRICTIONS (cont'd)

    • No other employee or physician may process such a request unless specifically authorized by the FPO.

    • The facility is not required to act immediately and should investigate its ability to meet the request prior to agreeing to any restriction.

    • 99% of the time the request will not be honored.


    RIGHT TO REQUEST PRIVACY RESTRICTIONS (cont'd)

    • Facility must permit the patient to request a privacy restriction. The FPO or designee is the only person who may agree to any restriction.

    • Should not be acted on immediately, rather after investigation to ensure facility can accommodate request

    • Request must be in writing from pt

    • If denied, pt must be notified of denial.

    • Request will be filed in med rec or billing

    • Termination of request (by facility or pt)


    NOTICE OF PRIVACY PRACTICES

    • HIM.PRI.007 NOPP

    • NOPP must be given to every patient who physically registers for services (referrals, lab specimens through SNF or HH, etc.). Each patient must acknowledge receipt by initialing.

    • A 4-page document outlining the patient's rights and all of the ways the facility uses and shares a patient's health information.


    NOPP (cont'd)

    • Explains ACE, OHCA, uses, disclosures, rights to access, amend, receive confidential communications, request restrictions, request accounting of disclosures, how to file complaints, name & # of FPO, and more.

    • Notice must be posted throughout the facility and on facility web site.


    NOPP (cont'd)

    • Company-affiliated facilities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising any rights under the HIPAA Privacy Standards


    RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION

    • HIM.PRI.008

    • Patients can request alternate means of communication for mail and telephone calls

    • Unacceptable means include fax, e-mail and Internet communications

    • Patient must complete and sign “Request for Confidential Communications” form

    • Form must be submitted to FPO who will give a copy of the form to the patient


    CONFIDENTIAL COMMUNICATION (cont'd)

    • FPO must notify other parties as appropriate (PASA)

    • If the alternate phone/address is not accurate, 7 days must pass and then the FPO will notify all applicable parties to take appropriate action

    • Patient must complete new form for future if original alternate info is incorrect

    • If revocation desired by pt, “Conf Communication Revocation” form must be completed


    ACCOUNTING OF DISCLOSURES

    • HIM.PRI.009 AOD

    • Individuals have the right to an accounting of disclosures made by the facility

    • Includes written and verbal disclosures

    • Accounting must include the date, description of what was disclosed, statement of purpose for the disclosure and to whom the disclosure was made


    AOD (cont'd)

    • HIM.PRI.009

    • EXCEPTIONS from Accounting: Uses and disclosures for treatment, payment, healthcare operations (TPO).

    • *** This is not a system audit trail of user access. This is an accounting of entities to which information has been disclosed***


    AOD (cont'd)

    • Facility must document the AOD and retain the documentation for 6 years.

    • Types of uses and disclosures that must be tracked for purposes of accounting:

      • Required by law

      • Public health activities

      • Victims of abuse, neglect, or domestic violence unless the healthcare provider believes informing the individual may cause serious harm or believes the individual is responsible for the abuse, neglect, or injury.

      • Health Oversight activities

      • Judicial and administrative proceedings

      • Law enforcement purposes


    AOD (cont'd)

    • Decedents – Coroners and medical examiners OR funeral directors

    • Cadaveric organ, eye, or tissue donation purposes

    • Research purposes where a waiver of authorization was provided by the Institutional Review Board or preparatory reviews for research purposes

    • In order to avert a serious threat to health or safety

    • Specialized gov’t functions (Military or vet activities OR Protective services for the President and others)

    • Workers' compensation disclosures necessary to comply with laws relating to workers' compensation programs (not including disclosures related to payment)


    AOD (cont'd)

    • Meditech

    • Correspondence menu

    • On the Mox menu

    • Detailed instructions forthcoming
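An added example, not part of the presentation or of any facility system, that models the AOD rules from the slides above as a small ledger: the four required elements per entry (date, what, why, to whom), the TPO exception, the tracked disclosure categories, and the 6-year retention window. Patient IDs, recipients and dates are constructed sample data, and the class and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Purposes excepted from accounting (treatment, payment, healthcare operations).
TPO_PURPOSES = {"treatment", "payment", "healthcare operations"}

# Disclosure types the slides list as ones that must be tracked for accounting.
ACCOUNTABLE_PURPOSES = {
    "required by law",
    "public health activities",
    "victims of abuse, neglect, or domestic violence",
    "health oversight activities",
    "judicial and administrative proceedings",
    "law enforcement purposes",
    "decedents",
    "cadaveric organ, eye, or tissue donation",
    "research",
    "avert a serious threat to health or safety",
    "specialized government functions",
    "workers' compensation",
}

RETENTION_YEARS = 6  # the facility must retain AOD documentation for 6 years


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of PHI to an outside entity. This is not a user-access
    audit entry: the recipient is the entity that received the information."""
    patient_id: str
    disclosed_on: str   # ISO date, e.g. "2003-06-10"
    description: str    # what was disclosed
    purpose: str        # statement of purpose for the disclosure
    recipient: str      # to whom the disclosure was made
    verbal: bool = False  # verbal disclosures must be accounted for as well


def _retention_cutoff(as_of: date) -> date:
    """Earliest date still inside the retention window that ends at as_of."""
    try:
        return as_of.replace(year=as_of.year - RETENTION_YEARS)
    except ValueError:  # as_of is 29 February and the target year is not a leap year
        return as_of.replace(year=as_of.year - RETENTION_YEARS, day=28)


class DisclosureLedger:
    def __init__(self):
        self._entries = []

    def record(self, d: Disclosure) -> bool:
        """Validate and store a disclosure. Returns True when it is accountable
        (must appear in the patient's AOD), False when it falls under the TPO exception."""
        for field in ("patient_id", "description", "purpose", "recipient"):
            if not getattr(d, field).strip():
                raise ValueError(f"AOD entry is missing required element: {field}")
        date.fromisoformat(d.disclosed_on)  # reject malformed dates at entry time
        purpose = d.purpose.strip().lower()
        if purpose in TPO_PURPOSES:
            return False
        if purpose not in ACCOUNTABLE_PURPOSES:
            raise ValueError(f"purpose is not an accountable category: {d.purpose!r}")
        self._entries.append(d)
        return True

    def accounting_for(self, patient_id: str, as_of: str) -> list:
        """Entries the patient is entitled to see: accountable disclosures for that
        patient inside the 6-year retention window ending at as_of, oldest first."""
        end = date.fromisoformat(as_of)
        start = _retention_cutoff(end)
        rows = [e for e in self._entries
                if e.patient_id == patient_id
                and start <= date.fromisoformat(e.disclosed_on) <= end]
        return sorted(rows, key=lambda e: e.disclosed_on)


def format_accounting(rows: list) -> list:
    """Render the four required elements per line: date | what | why | to whom."""
    return [f"{r.disclosed_on} | {r.description} | {r.purpose} | {r.recipient}"
            + (" (verbal)" if r.verbal else "") for r in rows]


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample data for one hypothetical patient (not real records)."""
    ledger = DisclosureLedger()
    for d in (
        Disclosure("MRN-0001", "2003-05-01", "discharge summary", "treatment", "referring physician"),
        Disclosure("MRN-0001", "2003-06-10", "lab results", "public health activities", "county health department"),
        Disclosure("MRN-0001", "2003-06-20", "current condition", "required by law", "state agency", verbal=True),
        Disclosure("MRN-0001", "1996-01-15", "face sheet", "law enforcement purposes", "city police"),
    ):
        ledger.record(d)
    return ledger


if __name__ == "__main__":
    for line in format_accounting(build_sample_ledger().accounting_for("MRN-0001", "2003-12-31")):
        print(line)
```

Running the script prints only the two accountable disclosures from mid-2003: the treatment disclosure is excepted as TPO and the 1996 entry falls outside the retention window.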



    VERIFICATION OF EXTERNAL REQUESTORS

    • Policy assumes requestor is authorized and facility just needs to verify.

    • Identity verification:

      • Valid State/Federal photo ID

      • Minimum of 3 of the following: SS#, DOB, one of (acct #, address, insurance carrier, card or policy #, MR #, birth certificate)

      • Positive match of signature


    VERIFICATION (CONT'D)

    • Unacceptable forms of identification:

      • Employment ID card/Student ID card

      • Membership ID cards

      • Generic billing statements (utility bills)

      • Supplemental Security card (SSI)

      • Credit cards (photo or non-photo)


    VERIFICATION (CONT'D)

    • Third-party & company identification methods:

      • Letterhead

      • Email address

      • Fax Coversheet with company logo

      • Photo ID

      • If in doubt, follow-up via telephone


    OPTING OUT OF DIRECTORY

    • Comparable to “no press, no info” as we know it

    • Must be in writing by pt

      • Pt access will handle if requested but

      • Nursing may have to handle

    • MUST inform the patient of the effects, e.g., no delivery of flowers, callers/visitors told there is no such patient, patient must notify family/friends of exact location, no clergy visits


    OPTING OUT (cont'd)

    • Will be handled the same in Meditech

    • If in the Directory, the following info will be released to members of clergy & other persons who ask for the patient by name:

      • Pt name

      • Location

      • Condition in general terms

      • Religious affiliation


    OPTING OUT (cont'd)

    • Opt Out form must be distributed to PAD and other appropriate departments to ensure the patient is listed as confidential, and must be documented in the medical record (change to conf in Meditech)

    • If pt asks to opt out during scheduling, OR, Rad, etc. must notify Pt Access & FPO

    • Gallup Survey upload file

    • Revocation of opt out – must be in writing


    COMPLAINT PROCESS

    • Filed with facility & DHHS

    • To instill a measure of accountability

    • FPO must be notified

    • Complaint must be in writing

    • Steps taken to identify &/or correct any privacy deficiencies

    • Disposition of investigation by FPO to complainant and logged in complaint log


    RELEASE TO LAW ENFORCEMENT, JUDICIAL

    • State law pre-empts if more strict

    • Outlines proper acceptance & response to:

      • Court order for judicial or administrative proceedings.


    LAW ENFORCEMENT (cont'd)

    • Subpoena or Discovery Request Not Accompanied by court order. Pt must be given notice and ample time to object.

    • Law Enforcement – Disclosure is permitted under specific circumstances.

    • ALL requests for release of information should be referred to the HIM Dept.


    CLERGY ACCESS

    • Unless a pt is confidential or has requested to Opt Out of the facility directory, members of the clergy will be provided with the following information:

    • Name of pt

    • Condition in general terms

    • Location/Room Number


    CLERGY ACCESS (cont'd)

    If the pt, during nursing assessment, asks for his or her clergy to be notified, the nursing staff should handle notification according to the facility’s current process.


    USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

    • Required when:

      • Outside of TPO

      • Research

      • Psychotherapy notes (unless to carry out TPO)

    • New Authorization Form will replace existing form


    RELEASING UNDER THE PUBLIC GOOD

    • PHI may be released to other covered health care providers w/out patient authorization for public good purposes

    • Public good exception permits disclosures in certain situations including, but not limited to, the following:


    PUBLIC GOOD (cont'd)

    • Required by law

    • About victims of abuse, neglect, or domestic violence

    • Law enforcement purposes

    • For organ procurement

    • To avert a serious threat to health or safety

    • Worker’s comp or other similar program

    • Other situations (gov’t, disaster relief, etc)


    PRIVACY MONITORING

    • Security Committee

    • Random Audits

    • Audits of employees with broad access

    • Audits across campuses

    • Audits of all employee records


    PRIVACY MONITORING (cont'd)

    • Level and Definition of Violation:

      • Level I: Accidental and/or due to lack of proper education

      • Level II: Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations

      • Level III: Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations and/or accompanying verbal disclosure of patient information regarding treatment and status

    • Examples of Violations:

      • Failing to sign off a computer terminal when not using it

      • Accessing own record

      • Accessing a record without having a legitimate reason to do so

      • Sharing passwords

      • Improper use of e-mail

      • Using unlicensed software on HCA computers

      • Physician self-assigning without obtaining authorization


    SANCTIONS FOR PRIVACY VIOLATIONS

    • Security Committee

    • In current hospital policies

    • Violations must be documented

    • Levels of violation:

      • Accidental/lack of education

      • Purposeful or unacceptable # of previous violations

      • Purposeful with associated potential patient harm


    Disclosures to Other Health Care Providers

    • May disclose for healthcare purposes

    • Verify requestor

    • Medical Staff is member of OHCA


    Designated Record Set

    • Policy HIM

    • Includes: medical records and billing records for CMC used in whole or part to make healthcare decisions about patients.

    • **Information from another facility received before the patient is discharged


    Privacy Fundraising Requirements

    • In general, individual patient authorization must be obtained to use or disclose a patient’s PHI for fundraising purposes.

    Does not apply to CHS


    Education Requirements

    4/14

    • All employees must be educated prior to entering the work force

    • Education must be at onset and at least annually

    • Must be documented


    FAX POLICY

    • CHECK NUMBERS

    • REPORT WRONG FAXES TO FPO

    • ALWAYS USE COVER SHEET

    • FAXBOX


    MARKETING POLICY

    A patient authorization is required and must be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards.


    DEIDENTIFICATION

    Policy addresses how to deidentify data if releasing.


    LIMITED DATA SET

    Allows for submission of a limited data set in certain situations.


    RELEASE TO FAMILY AND FRIENDS

    Better known as the “Passcode Policy”; requires a passcode at nursing units and other care units when releasing information on patients.


    MINIMUM NECESSARY INFORMATION

    The Company wants to be sure that everyone is ensuring that employees have only the minimum necessary information to do their jobs.


    POLICIES POSTED

    • ATLAS

      • Policies & Procedures

        • CHS

        • HIPAA

          • Facility

          • Corporate

          • Forms

    • MOX

      • Library

      • HIPAA


    SECURITY


    Protecting our patients' privacy is part of the quality care we provide at Coliseum Medical Centers – It's the Law –


    Email and Internet Access

    Email Systems and the Internet:

    -Are for business purposes only

    -Are monitored by corporate and CHS Information Services

    -Any information passing to or through them is the property of the Company

    Email Systems and Internet access may NEVER be used for:

    -Offensive jokes or language

    -Anything that degrades a race, sex, religion, etc.

    -“Hate” mail – to harass, intimidate or threaten another person

    -Forwarding chain letters

    -Emails for want ads, lost and found, notification of events (wedding or other invitations) other than HCA sponsored events

    -Access to “prohibited internet sites” containing pornography, “hate” sites, chat sites and gaming sites


    The use of HCA’s information systems assets to access such sites is STRICTLY PROHIBITED!

    -Any purpose which is illegal, against Company policy, or contrary to the Company’s best interest

    Email Systems and Internet access violations are:

    -Handled by our CHS Security Committee and will become a part of your personnel record in Human Resources

    -Grounds for disciplinary action up to, and including, termination of employment and/or legal action

    If you receive an email in violation of our policies or know of any inappropriate Email/Internet usage, please notify our Local Security Coordinator (LSC), Gayla White, or our Hospital Director of Information Services (HDIS), Joan Morstad at 765-4127 or by Outlook or MOX.

    Remember adherence is neither voluntary nor optional.


    Incident Reporting

    Your Local Security Coordinator, Gayla White, is your first contact for questions or to report any known or potential security issues. The Hospital Director of Information Services, Joan Morstad, supports technical issues, including security issues. The Facility Privacy Officer, Barbara Lee Peace, will receive complaints about patient privacy.

    A security breach is any deviation from the HCA – Information Technology and Services Policies, Procedures and Standards.

    Violation levels and respective disciplinary actions are outlined in the AA.C.ENFORCE policy located on InSight – the CHS Intranet.

    System access will be routinely reviewed through the use of conformance and monitoring audit reports viewed by the Local Security Coordinator and the Facility Security Committee.



    • Written warning

    • Termination of user privileges or contracts

    • Termination of employment

    REMEMBER: Be aware of the systems you use and report any violations of policy.


    LOG IN SUCCESS OR FAILURE

    Log-in success or failure is a general term for end user awareness and training including their understanding of their responsibility to ensure the protection of the information they work with and their ability to recognize normal and abnormal system functionality.

    Information Security in the healthcare industry means protecting employee and company information, but also includes the patient information gathered on behalf of a patient during treatment.


    WHAT ARE GOOD INFORMATION SECURITY PRACTICES?

    1. Treat all information as if it were about you or your family.

    2. Access only those systems you are officially authorized to access.

    3. Take reasonable measures to shield sensitive and confidential information from casual view, such as positioning workstations away from public view.

    4. Minimize the storage of confidential information on a local workstation.

    5. Always exit the system before leaving work.

    6. Access only the information you need to do your job.

    Read the Information Security Guide that is available on ATLAS under Information Technology Services>Security>Awareness Education>Security Guide.


    Certain kinds of Internet/email use require large amounts of network bandwidth and, when multiplied by too many users, can actually monopolize our system resources. These “bandwidth hogs” can slow or even shut down the computer systems we need for day-to-day work.

    WHAT IMPACTS OUR SYSTEMS?

    1. Internet images/graphics accessed on your web browser.

    2. Pictures/graphics sent by email using the Company email system.

    3. Internet news sites, using either streaming audio or streaming video.

    4. MP3 (music) files downloaded from the Internet.


    Take a close look at how you use the Company’s network to ensure that your Internet habits don’t contribute to a slowdown of our systems.

    REMEMBER: Use of the internet plays an important part in keeping our Company's network performing properly.


    NEED TO KNOW

    Workforce members only access systems they are authorized to access. 

    Never use a password that does not belong to you. 

    Never give someone else your password.

    Always request access to a system through the proper channels.

    Workforce members access only the information needed to perform a task or job. 

    Never view a patient's information that is not in your direct care area.

    Never request information from coworkers about a family, friend or your own record.

    Never access your own record; request information from Health Information Management instead.


    Workforce members only share sensitive and confidential information with others having a “need to know” to perform their job.

    Never give information about patients in your care area to coworkers outside your care area. 

    Never discuss patient information in elevators, dining areas, or other public places. 

    Direct all requests for information from coworkers about their own or other records to Health Information Management.

    Keep sensitive and confidential information in a locked cabinet or drawer when not in use.

    REMEMBER: Only access information that is needed to perform your duties!!


    PASSWORD MAINTENANCE

    Did you know that guessing or using a known password makes up about 60% of all successful information security breaches? This means that creating a secure password is vital to network protection.

    You should never write down or give your User ID and password to anyone else, and you should never use anyone else’s User ID and password. Using, or allowing someone else to use, a User ID and password that was not assigned to them is like giving a stranger your bank card and PIN number!!


    Inferior passwords include:

    ·        Your user ID or Account Number

    ·        Your Social Security Number

    ·        Birth, death or anniversary dates

    ·        Family member names

    ·        Your name forward or backwards

    Good quality passwords are:

    ✓           Eight characters or more

    ✓           Uppercase (A) and lowercase (a) letters

    ✓           Combinations of letters and numbers

    ✓           Easy to type and remember

    ✓           Made up of a pass phrase


    A pass phrase is unique and familiar to you, and easy to remember, but not easy to guess. Think of a phrase like “See you later.” For systems that accept numbers and special characters, you can substitute letters for words and add a special character to transform the phrase into something like CUL8ter!. For systems that do not accept numbers and special characters, your password might be CULatER.
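    The rules on this slide can be turned into a mechanical check that a help desk or a provisioning script can run before accepting a new password. The checker below is an added example written for this overview; it is not code from the presentation or from HCA’s systems. It assumes a constructed sample workforce member (user ID, account number, SSN, names and one date are made up) and generalises slightly: it reverses every personal token, not just names, and it tries several digit layouts for each date. The “easy to type and remember” and “made up of a pass phrase” rules are judgement calls and are not checked. The `numbers_accepted` flag models the slide’s second case, a system that rejects numbers and special characters.

```python
import re
from datetime import date


def _normalize(text: str) -> str:
    """Lower-case and strip everything except letters and digits so that
    'Smith!', 'SMITH' and 's-m-i-t-h' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_tokens(user_id, account_number, ssn, names, dates):
    """Collect the personal data the slide lists as inferior password material.
    Every string token is added forwards and backwards (an assumption that
    extends the slide's 'name forward or backwards' rule to all tokens); each
    date is added in several common digit layouts: MMDDYYYY, MMDDYY, YYYYMMDD,
    DDMMYYYY, MMDD and YYYY."""
    tokens = set()
    for raw in [user_id, account_number, ssn, *names]:
        norm = _normalize(raw)
        if len(norm) >= 3:  # skip initials, which would match almost anything
            tokens.add(norm)
            tokens.add(norm[::-1])
    for d in dates:
        for fmt in ("%m%d%Y", "%m%d%y", "%Y%m%d", "%d%m%Y", "%m%d", "%Y"):
            tokens.add(d.strftime(fmt))
    return tokens


def check_password(password, tokens, numbers_accepted=True):
    """Return the list of slide rules the password breaks; an empty list means
    it passes. With numbers_accepted=False (a system that rejects digits and
    special characters) the letters-and-numbers rule is not applied."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("needs both uppercase and lowercase letters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if numbers_accepted and not (has_alpha and has_digit):
        problems.append("needs a combination of letters and numbers")
    norm = _normalize(password)
    hits = sorted(t for t in tokens if t in norm)  # personal data found inside
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems


# Constructed sample workforce member; none of these values is real.
SAMPLE_TOKENS = personal_tokens(
    user_id="jsmith",
    account_number="4481290",
    ssn="123-45-6789",
    names=["John", "Smith", "Mary"],
    dates=[date(1975, 3, 14)],
)

if __name__ == "__main__":
    candidates = [
        ("CUL8ter!", True),    # the slide's pass-phrase example
        ("SeeUlater", False),  # a letters-only system
        ("htimS1975", True),   # surname backwards plus birth year
        ("jsmith", True),      # the user ID itself
    ]
    for candidate, digits_ok in candidates:
        verdict = check_password(candidate, SAMPLE_TOKENS, numbers_accepted=digits_ok)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

    Run as a script, the block prints one verdict per candidate; `CUL8ter!` and `SeeUlater` pass, while `htimS1975` is refused for containing the reversed surname and the birth year, and `jsmith` fails every rule at once. Because the check normalises case and punctuation before comparing, `J-Smith!` is caught just as `jsmith` is.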

    REMEMBER

    Your ID and password document work performed and information reviewed by YOU!!


    Policies and standards
    POLICIES AND STANDARDS

    HCA relies heavily on computers to meet its operational, financial, and information requirements. The computer system, related data files, and the derived information are important assets of the company.

    POLICIES: A mechanism of internal controls for routine and non-routine receipt, manipulation, storage, transmission and/or disposal of health information.

    Facility and Corporate policies are located on InSight – the CHS Intranet – under the Policies & Procedures section.


    Before being issued a password to CPCS, all employees are required to sign the AA.C.ENFORCE policy describing the requirements for discipline when confidentiality breaches of patient or hospital financial information and data are identified, and the AA.H.OWNMR policy identifying the proper procedure for employees who want to view a copy of their own medical record.

    All system users are responsible for abiding by the policies and procedures established to protect the company’s information.

    STANDARDS: The minimum security standard requirements for processing information in a secure environment and for helping facilities comply with the proposed HIPAA (Health Insurance Portability and Accountability Act) Security Rule.


    IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:

    System Warning Banner

    Identification

    Authentication

    Encryption

    Wireless Networks

    Electronic Mail System

    Workstation Security

    Mobile Computing

    Open Network Security

    Security Awareness

    Virus Control

    REMEMBER: Each employee is expected to become familiar with and abide by our policies and standards.


    Workstation security
    WORKSTATION SECURITY

    Your workstation is any terminal, instrument, device, or location where you perform work.

    Protection of the workstation and its equipment is each employee’s responsibility.

    If you leave cash out where the casual observer can see it, are you certain it will be there the next time you look? Our work-related information is even more valuable!


    Examples of sensitive information that should never be left unattended:

    Patient Identifiable Information. Never leave out any information that is directly related to or traceable to an individual patient.

    Departmental Reports.

    Employee Evaluations or Goals. Keep personal information about you between you and your manager.

    Consulting or Audit Reports. Reports that reveal intricate details about Company operations or systems should be protected from outsiders.

    To keep your workstation secure be sure to perform a “self audit” and evaluate the information you leave on top of your desk.


    Examples of secure workstations:

    PCs are secured (locked) to a heavy object whenever possible.

    When not in use, hard copy information, portable storage, or hand-held devices are kept in a secured (locked) place.

    Information on any screen or paper is shielded from casual public view.

    Terminals and desks are not left active or unlocked and unattended.

    Company approved anti-virus software actively checks files and documents.

    Only company approved, licensed, and properly installed software is used.

    Portable storage such as disks and tapes is obtained from a reliable source.


    Backups of electronic information are performed regularly.

    Surge protectors are used on all equipment containing electronic information.

    It is the responsibility of all users who have laptops and other portable devices to exercise due care (i.e., locking and/or storing them safely) to prevent opportunistic theft or loss.

    REMEMBER

    It is your responsibility to protect the information resources on your individual workstation.

