Privacy and Confidentiality


Presentation Transcript


1. Privacy and Confidentiality: Residents and Fellows Orientation 2010

2. Overview
  • What do you need to know?
  • What's new? New state privacy laws; new federal regulations (HITECH)
  • Important privacy concepts
  • Privacy in the clinical environment
  • Scenarios
  • Best privacy practice reminders
  • What to do in the event of a privacy breach
  • Resources

3. What do you need to know about Privacy and HIPAA?
  • Complete the required training: Privacy Handbook, Provider Training Module, Confidentiality Statement
  • Know the patient's privacy rights
  • New state privacy laws and your personal liability
  • American Recovery and Reinvestment Act (ARRA) impact on healthcare and privacy: HITECH

4. Advanced Provider HIPAA Training
  • Review the Advanced Provider Module: http://www.ucsf.edu/hipaa/
  • Read the HIPAA Handbook (in your packet)
  • Sign the Confidentiality Statement and turn it in to your Department Manager
  • Read the Notice of Privacy Practices (NOPP) booklet: http://www.ucsfhealth.org/common/3-03ucsfhipaa.pdf

5. Patient HIPAA Rights can be Hot Spots for Providers
HIPAA patient rights:
  • To restrict use and disclosure of their PHI (new restriction for self-pay patients)
  • To request amendments to their PHI
  • To file complaints with UCSF, UCOP and OCR, which may result in civil and criminal penalties for individuals as well as for the healthcare organization
  • To request an Accounting of Disclosures
  • To inspect and receive a copy of their medical record (new right to receive an electronic copy of records)
  • To request confidential communication

6. Survival Tips for HIPAA Patient Rights

7. What's New?
  • Privacy is more than HIPAA these days
  • New state laws and federal regulations are more stringent and impose increased fines and penalties
  • The privacy environment is constantly changing
  • National mandate for an Electronic Health Record
  • Statewide initiatives for a Health Information Exchange

8. Major Impacts of the New Privacy State Laws:

9. Major Impacts of the New Privacy State Laws (cont'd):

10. How Does This Impact You?
  • Increased fines and civil penalties
  • 5-day notification requirement to DPH and to the affected individuals
  • Surveillance and monitoring: audit logs of appropriate access
  • Personal liability

11. The answer to all legal/risk questions is... IT DEPENDS...

12. Federal Regulations/Laws and Some Major Impacts
The "Stimulus Package" included health information technology, e.g., Electronic Health Records. Multiple impacts related to privacy:
  • Defines unsecured PHI
  • Requires notification to the consumer within 60 days
  • Individuals may be fined for wrongful disclosure
  • Increases criminal fines and penalties for wrongful disclosure
  • Individuals have a right of civil action for wrongful disclosure
  • Requires honoring restriction requests when related to self-pay situations
  • Major impact on Business Associates (BAs)
  • More guidance from HHS expected

13.

14. Important Privacy Concepts
Utilize these concepts when making decisions regarding privacy protection in the clinical environment:
  • Treatment, Payment or Operations (TPO): you may access, use or disclose PHI or ePHI for the purposes of TPO. See the Notice of Privacy Practices (NOPP) for details. If your access, use or disclosure is not covered by the NOPP, you will need to obtain an authorization from the patient before proceeding.
  • PHI/ePHI: Protected Health Information / Electronic Protected Health Information. See the HIPAA handbook for the definition.

15. Important Privacy Concepts (cont'd)
  • Minimum Necessary Standard: applies to all uses and disclosures except for treatment. Access only what you need to know. Share only what you need to disclose.
  • Incidental Use and Disclosure is permitted as long as:
      • The disclosure is incidental to other permitted uses and disclosures (never access, use or disclose PHI which you are not allowed to access in the first place).
      • Reasonable safeguards are in place to protect PHI that may be disclosed incidentally.

16. Privacy in the Clinical Environment
  • Do I need to access this information to do my job?
  • Am I using the minimum information needed to do my job?
  • Am I providing others with the minimum necessary information to do their job?
  • Do I need to store this information to do my job? If yes, how will I secure this information?
  • OK, I can do this, but should I really do it?
  • What if this was my information? How would I feel about how it is being handled?
  • How would this process/practice look on the front page of the Chronicle?
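Slide 10 says access is monitored through audit logs, and slides 15 and 16 say the test for that access is "do I need this to do my job?". The following is an added example, not part of the UCSF deck, of what such a need-to-know review looks like on the monitoring side: each chart access in a constructed EHR access log is checked against a constructed table of documented encounters, and any access without a treatment relationship inside a look-back window is flagged for review. The log format, the field names, the 30-day window and all user and patient identifiers are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample EHR access-log lines (not real UCSF data).
# Format assumed for the example: timestamp | user | role | patient_id | action
ACCESS_LOG = """\
2010-06-14T08:02:11 | rwong   | resident | P1001 | view_chart
2010-06-14T08:05:40 | rwong   | resident | P1002 | view_chart
2010-06-14T09:17:03 | jdoe    | resident | P1001 | view_labs
2010-06-14T12:44:09 | mlee    | clerk    | P1003 | view_chart
2010-06-14T13:01:55 | rwong   | resident | P1003 | view_chart
"""

# Constructed treatment relationships: (user, patient) -> date the encounter
# was documented. An access inside the look-back window after a documented
# encounter is treated as TPO; anything else is a candidate for review.
ENCOUNTERS = {
    ("rwong", "P1001"): datetime(2010, 6, 13),
    ("rwong", "P1002"): datetime(2010, 6, 14),
    ("mlee", "P1003"): datetime(2010, 6, 14),
}

LOOKBACK = timedelta(days=30)  # assumed review window

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s*\|\s*(?P<user>\w+)\s*\|\s*(?P<role>\w+)"
    r"\s*\|\s*(?P<patient>\w+)\s*\|\s*(?P<action>\w+)$"
)


def parse_log(text):
    """Parse the pipe-delimited log into dicts; refuse malformed lines rather
    than silently skipping them (a gap in an audit trail is itself a finding)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def has_treatment_relationship(user, patient, at, encounters=ENCOUNTERS, lookback=LOOKBACK):
    """True if the user had a documented encounter with the patient no later
    than the access time and within the look-back window."""
    when = encounters.get((user, patient))
    if when is None:
        return False
    return when <= at <= when + lookback


def audit(text, encounters=ENCOUNTERS):
    """Return (user, patient, timestamp) for every access that has no
    documented treatment relationship behind it."""
    flagged = []
    for rec in parse_log(text):
        if not has_treatment_relationship(rec["user"], rec["patient"], rec["ts"], encounters):
            flagged.append((rec["user"], rec["patient"], rec["ts"].isoformat()))
    return flagged


if __name__ == "__main__":
    for user, patient, ts in audit(ACCESS_LOG):
        print(f"REVIEW: {user} accessed {patient} at {ts} with no documented encounter")
```

The two accesses this flags (a resident reading labs for a patient he has no encounter with, and a resident opening a chart that belongs to a clerk's patient) are exactly the cases the slide 16 questions are meant to stop before they reach the log; the review itself cannot distinguish curiosity from a legitimate but undocumented consult, which is why the output is a review queue rather than a verdict.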

17. Scenario 1: Email Communication
A patient emails you about new symptoms that have presented since taking a new medication. Since the patient has sent the email unencrypted, can you respond without sending your message in a secure manner?

18. Scenario #1: Answers
  A.) Yes
  B.) No

19. Correct Answer to Scenario #1: B.) No
  • It is your responsibility, when communicating, to send any PHI securely.
  • DO NOT use personal email accounts or personal devices.

20. Secure E-Mail is easy to use at UCSF!
How to use:
  • Use the secure email system when sending emails with ePHI.
  • Type one of these words in the email Subject Line: Secure: / ePHI: / PHI:
  • Make sure you are sending your message to the correct recipient.
Key points to remember:
  • This protects the information when it leaves the UCSF network environment. It does not encrypt the message within the UCSF network.
  • However, best practice is to use the secure email system when sending ePHI anywhere. This will protect you if someone forwards your ePHI outside of the UCSF network.
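The gateway described on this slide only acts on a subject-line keyword, so the failure mode is a message full of PHI whose author forgot the tag. The following is an added example, not UCSF code, of the pre-send check a mail client plug-in or outbound filter could run: it looks for crude PHI indicators in the body and refuses the message when the subject carries none of the three tags from the slide. The exact matching rules of the UCSF gateway are not on the page, so matching the tag case-insensitively, anywhere in the subject, as a whole word followed by a colon, is an assumption; the PHI patterns and the sample message are constructed for the example.

```python
import re

# Tag words from the slide. Match semantics are ASSUMED: case-insensitive,
# anywhere in the subject, not glued to a preceding letter ("Delphi:" must not
# count as "PHI:").
SECURE_TAG_RE = re.compile(r"(?<![A-Za-z])(?:secure|ephi|phi):", re.I)

# Constructed, deliberately crude PHI indicators. A real DLP rule set is far
# broader (names, dates of service, diagnoses codes, free-text clinical terms).
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|dx)\b", re.I),
}


def has_secure_tag(subject):
    """True if the subject line carries one of the gateway trigger words."""
    return SECURE_TAG_RE.search(subject) is not None


def phi_indicators(body):
    """Names of the PHI patterns that fire on the body, sorted for stable output."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(body))


def check_outgoing(subject, body):
    """Return (allowed, reason). Block only when the body looks like PHI and the
    subject has no tag; a tagged message is always allowed through, because the
    gateway, not this check, is what actually encrypts it."""
    found = phi_indicators(body)
    if found and not has_secure_tag(subject):
        return False, "PHI indicators (%s) but subject lacks Secure:/ePHI:/PHI:" % ", ".join(found)
    return True, "ok"


# Constructed reply for Scenario 1: a clinician answering the patient's
# unencrypted email. The first draft forgets the tag; the second fixes it.
DRAFT_SUBJECT = "Re: nausea since starting the new medication"
DRAFT_BODY = (
    "Thanks for letting me know. Looking at your chart (MRN 4455667), "
    "the symptoms you describe are a known side effect; please stop the "
    "medication and call the clinic tomorrow."
)

if __name__ == "__main__":
    print(check_outgoing(DRAFT_SUBJECT, DRAFT_BODY))
    print(check_outgoing("Secure: " + DRAFT_SUBJECT, DRAFT_BODY))
```

The check is intentionally conservative in one direction only: it never strips a tag and never blocks a tagged message, so the worst it can do is prompt a sender who used a word the patterns misread. The slide's second key point still applies after the check passes: the tag encrypts at the gateway, not on the internal hop, so a colleague forwarding the message inside UCSF is still handling cleartext ePHI.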

21. What if your personal, unencrypted laptop was stolen?

22. Scenario #2: Lost/Stolen Laptop
Your personal laptop contained information about your current patients. The laptop was locked in your trunk and it had a complex password on the device. Since you locked the laptop up and you had a complex password on the device, is this enough to keep you from being personally responsible for the loss of the patient information?

23. Scenario #2: Answers
  A.) Yes, I cannot be responsible if someone steals my laptop.
  B.) No, I am still responsible.

24. Correct Answer to Scenario #2: B.) "No, I am still responsible."
  • The only safe harbor is to have the device encrypted. A login password alone does not make the stored PHI "secured"; the data on the disk is still readable once the drive is removed or booted from other media.
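Because encryption is the only safe harbor, the one thing worth verifying on a laptop that carries patient data is whether the filesystem holding it actually sits on an encrypted volume, rather than trusting that "it was set up that way". The following is an added example, not UCSF tooling, for a Linux laptop: it walks the block-device tree that `lsblk --json -o NAME,TYPE,MOUNTPOINT` reports and answers whether the device mounted at a given path has a dm-crypt (`crypt`) mapping anywhere between it and the physical disk. The two device trees are constructed for the example, not captured from a real machine; `live_tree()` is the only part that talks to the system.

```python
import json
import subprocess

# Constructed lsblk --json output for a laptop whose root filesystem lives on a
# LUKS/dm-crypt mapping (not captured from a real machine).
ENCRYPTED_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
    ]}
  ]}
]}
""")

# Same hardware with root on a plain partition: a password prompt at login,
# nothing protecting the bytes on the disk.
PLAIN_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"}
  ]}
]}
""")


def find_path(devices, mountpoint, trail=()):
    """Depth-first search for the device mounted at `mountpoint`. Returns the
    chain of (name, type) from the physical disk down to that device, or None."""
    for dev in devices:
        here = trail + ((dev["name"], dev["type"]),)
        if dev.get("mountpoint") == mountpoint:
            return here
        found = find_path(dev.get("children", []), mountpoint, here)
        if found:
            return found
    return None


def mount_is_encrypted(tree, mountpoint="/"):
    """True if any layer between the disk and the mounted device is a dm-crypt
    mapping. Raises if nothing is mounted there, so a typo in the path cannot
    be mistaken for 'not encrypted'."""
    path = find_path(tree["blockdevices"], mountpoint)
    if path is None:
        raise ValueError(f"no device mounted at {mountpoint}")
    return any(kind == "crypt" for _, kind in path)


def live_tree():
    """Read the real block-device tree from util-linux lsblk (Linux only)."""
    out = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    try:
        tree = live_tree()
    except (OSError, subprocess.CalledProcessError):
        tree = PLAIN_LAPTOP  # no lsblk here; show the constructed case instead
    for mp in ("/", "/home"):
        try:
            print(mp, "encrypted" if mount_is_encrypted(tree, mp) else "NOT encrypted")
        except ValueError as e:
            print(e)
```

A `crypt` layer under `/` is necessary but not sufficient for the safe harbor: a key that auto-unlocks from the unencrypted `/boot` partition, or a data directory on an unencrypted second drive, leaves the PHI exposed just as a bare password does. On macOS the equivalent check is `fdesetup status` (FileVault) and on Windows `manage-bde -status` (BitLocker); both are vendor commands, not part of this example.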

25. Key to Your Survival

26. PHI is Everywhere

27. Best Privacy Practice Reminders
  • Make sure you retain access only to the systems for which you have a business need
  • Review privacy newsletters and make sure you understand them
  • PHI/ePHI should never leave the department; if unavoidable, the materials must stay with the person without exception
  • Limit discussion in public areas
  • Place discarded PHI/ePHI in the InstaShred
  • Do not block software updates
  • Encrypt ePHI on mobile devices: laptops, memory sticks, etc.

28. Best Privacy Practice Reminders (cont'd)
  • Use locked doors/storage areas
  • Lock up patient information such as paper, floppies, memory sticks, CDs, tapes or other portable media
  • Secure devices with locks when possible, even when laptops are docked in docking stations
  • You are responsible for securing home and mobile devices with confidential information. If you take your laptop home, you need to keep it with you at all times while in transport.
  • Secure the building at the end of the business day
  • Store information on a secure/encrypted server

29. Protect your computers and mobile eDevices:

30. What is my responsibility if I suspect a breach or have questions?

31. What is Phishing?
Wikipedia definition: "Phishing is the criminally fraudulent process of attempting to acquire sensitive information, such as user names, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email or instant messaging, and it often directs users to enter details at a fake website, whose look and feel are almost identical to the legitimate one."

32. Examples of Phishing
What does a phishing scam look like? As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
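The logos and wording can be copied from the real site, but the link still has to take the victim somewhere else, and that is the one thing the message cannot hide from a parser. The following is an added example, not part of the deck, of the classic check for the "fake website" case on slide 31: parse the HTML body of a message with the standard library, collect every anchor, and flag those whose visible text reads like a URL or domain that does not match the host the `href` actually points to. The sample message and its domains are constructed for the example and do not correspond to any real phishing campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style body (not a real message). The visible text shows
# the legitimate-looking webmail address; the href goes somewhere else. The
# second link is an ordinary descriptive anchor and must not be flagged.
SAMPLE_HTML = """
<p>Dear user, your mailbox quota is exceeded. Please verify your account:</p>
<p><a href="http://ucsf-webmail-verify.example.net/login">https://webmail.ucsf.edu/</a></p>
<p>Questions? See <a href="https://www.ucsf.edu/hipaa/">our privacy page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased host for a URL or bare domain-looking string; None when the
    string is ordinary prose rather than something a reader would take for an address."""
    if not s or " " in s:
        return None
    candidate = s if "://" in s else "http://" + s
    host = urlparse(candidate).hostname
    if not host or "." not in host:
        return None
    return host.lower()


def suspicious_links(html):
    """Return (visible text, href) for anchors whose displayed address does not
    match the host the link really resolves to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: displays {text!r} but links to {href!r}")
```

This catches only the display/target mismatch; a link whose visible text is "Verify now" with a look-alike host passes, which is why the slide 35 rule (never supply your User ID and password in response to an email) is the control that actually holds when the detector does not fire.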

33. Current Facts*
  • The Internet has never been more dangerous: rogue anti-virus, infected computers and malicious code break new barriers as electronic crime's sophistication and ambition grow unchecked.
  • Rogue anti-malware programs are proliferating at an unprecedented rate. In the first 6 months of 2009, the number of such programs grew 585%.
  • The number of unique phishing websites detected in June 2009 rose to 49,084, the second-highest number recorded since APWG began reporting this measurement.
(*www.antiphising.org/phishing_archive)

34. What Is the Real Risk When This Happens?
  • Virgin mail accounts are hot commodities and can be sold for $2/account. This is double what a stolen credit card account is worth.
  • With your User ID and PW, the cyber thief can carry out many lucrative online activities. They can access your address book, collect clues to your social networks and online banks, then crack into those accounts and change the PW, so only they can access them.
  • Remember, many online services require an email address in order to set up the web account, and replacement passwords are sent to that email address.

35. How Does UCSF Reduce This Risk?
  • Never provide your User ID and PW in reply to email queries, even if it looks legitimate.
  • Use different PWs for each online account.
  • Adhere to UCSF's PW policy for complex PWs and change the PW regularly.
  • Never store spreadsheets with PHI or sensitive data in your email folders.
  • Adhere to the Minimum Necessary standard when communicating about a patient.

36. Scenario 3
A patient arrives in the ED and states that he has been seen at another ED two times in the last 24 hours for abdominal pain. He now presents with increased abdominal pain. You diagnose him with a bowel obstruction, and he goes to the OR for surgery. You know the MD at the other hospital and want to inform him about what happened to this patient. Should you contact the MD at the other ED?

37. Scenario #3: Answers
  A.) Yes
  B.) No

38. Correct Answer to Scenario #3: B.) No
  • To do so would cause a privacy violation.
  • If you feel strongly that the other ED should know, you should:
      • Obtain authorization from the patient to disclose this information
      • Document the authorization in the medical record

39. Remember: Privacy is bigger than HIPAA

40. Resources
  • Your Department Manager or IT support person
  • UCSF Privacy Officer: Deborah Yano-Fong
  • UCSF Information Security Officer (Medical Center): Jose Claudio
  • UCSF Information Security Officer (Campus): David Rusting
  • School of Medicine Information Security Unit Director: Opinder Bawa
  • IT Customer Support: 514-4100
  • UCSF Police: 476-1414
