OVERVIEW OF THE HIPAA PRIVACY RULE and POLICIES

Presented by:

Barbara Lee Peace

Facility Privacy Official

Coliseum Medical Centers

COMPLIANCE DEADLINE

HIPAA Privacy Rule

April 14, 2003

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

  • It’s a Federal law
  • Provides continuity of healthcare coverage
  • Administrative Simplification (Title II)

Congress recognized the need to improve the protection of health privacy

  • Part of Congress's response to calls for healthcare reform
  • Affects the entire healthcare industry
  • HIPAA is mandatory; there are penalties for failure to comply

HIPAA Administrative Simplification standards

  • Transactions
      • Requires standardized transaction content, formats, diagnostic & procedure codes, and national identifiers for healthcare EDI transactions.
  • Privacy
      • Establishes conditions that govern the use and disclosure of individually identifiable health information.
      • Establishes patient rights in regard to their protected health information (PHI).
  • Security
      • Establishes requirements for protecting the confidentiality, availability and integrity of individually identifiable health information.

PENALTIES

  • Civil
      • For failure to comply with transaction standards
      • $100 fine per occurrence; up to $25,000 per year
  • Criminal
      • For health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses
      • Penalties are higher for actions designed to generate monetary gain:
        • up to $50,000 and one year in prison for obtaining or disclosing protected health information
        • up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"
        • up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
Why do we need HIPAA?
  • 1996 - In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV.
  • 2000 - Darryl Strawberry’s medical records from a visit to a New York hospital were reviewed 365 times. An audit determined less than 3% of those reviewing his records had even a remote connection to his care.
  • 2001 – An e-mail sent to the members of a Prozac informational listserv revealed the identities of the other Prozac users on the list.
  • Closer to Home
Title II - Administrative Simplification
  • Federal Law vs. State Laws
  • Protect health insurance coverage, improve access to healthcare
  • Reduce fraud and abuse
  • Establish new patient rights and privacy controls, and establish common transaction sets for sending and securing patient information
  • Improve the efficiency and effectiveness of healthcare
  • Reduce healthcare administrative costs (electronic transactions)
Who must comply?

HIPAA applies to all Covered Entities (CEs) that transmit protected health information electronically:

  • Health Plan
  • Health Care Clearinghouse
  • Health Care Provider
Confidentiality
  • The delicate balance between every employee's, physician's and volunteer's need to know and the patient's right to privacy is at the heart of HIPAA Privacy.
Practicing Privacy
  • Treat all information as if it were about you or your family.
  • Access only those systems you are officially authorized to access.
  • Use only your own User ID and Password to access systems.
  • Access only the information you need to do your job.
  • Refrain from discussing patient information in public places.
  • Create a “hard to guess” password and never share it.
  • Log-off or lock your computer workstation when you leave it.
HIPAA MYTHS (practices often wrongly assumed to be prohibited)
  • WHITE BOARDS
  • SIGN IN SHEETS
  • PAGING
  • CALLING OUT NAMES
  • NAMES ON DOORS
  • STRUCTURES TO PREVENT DISCLOSURES
Oral Communications
  • The following practices are permissible if reasonable precautions (such as lowering voices) are taken to minimize incidental disclosures to others:
    • Staff may communicate orally at the nursing stations
    • Health care professionals may discuss a patient's treatment in a joint treatment area
    • Health care professionals may discuss a patient's condition during patient rounds
Common Terminology/Abbreviations (not all inclusive)
  • Affiliated Covered Entity (ACE) – Entities under common ownership or control may designate themselves as a single ACE. Within an ACE, uses and disclosures of PHI for TPO are permitted without patient consent or authorization.
  • Treatment, Payment or Healthcare Operations (TPO) – the business activities the hospital carries out in its daily functions and services.
Terminology (cont'd)
  • Covered Entity (CE) – A health plan, healthcare clearinghouse, or healthcare provider that transmits any health information electronically in connection with a HIPAA transaction.
  • Designated Record Set (DRS) – Includes medical records and billing records, in whole or in part, used by or for the covered entity to make decisions about patients.
Terminology (cont'd)
  • Business Associate (BA) – A person, business or other entity that, on behalf of an organization covered by the regulations, performs or assists in performing a function or activity involving the use or disclosure of PHI.
  • Protected Health Information (PHI) – any individually identifiable health information about a patient (defined on the next slide).
Terminology - What is PHI?

Protected Health Information (PHI) is the medical record and any other individually identifiable health information (IIHI) used or disclosed for treatment, payment, or health care operations (TPO). (Secure Bins) Identifiers that make health information individually identifiable include:

  • Name
  • Address
  • Photo images
  • Any date
  • Telephone/Fax numbers
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Any other unique identifying number, characteristic, or code.
Terminology (cont'd)
  • Organized Health Care Arrangement (OHCA) – A clinically integrated care setting in which individuals typically receive health care from more than one provider, e.g., medical staff, radiologist phys group, ER phys group, volunteers, clergy, etc.
Terminology (cont'd): Notice of Privacy Practices (NOPP)
  • Disclosure of how PHI is used
  • Directory policy
  • Confidential Communications
  • Right to Access
  • Right to Amend
  • Accounting for Disclosures
  • Right to request restrictions on certain uses and disclosures
  • FPO contact information
  • Formal complaint process
When can we use PHI?

We can use PHI for Treatment, Payment and Healthcare Operations (TPO), and may share it for TPO with:

  • Business Associates (BA)
  • Affiliated Covered Entity (ACE)
  • Organized Health Care Arrangement (OHCA)
Do you need to know this information to do your job? “Need to know basis” (Appropriate Access Policies)
MINIMUM NECESSARY INFO
  • Facility uses and discloses the minimum amount of PHI necessary to accomplish the intended purpose.
  • Applies whether the hospital is sharing, examining or analyzing PHI, or whether we are responding to a request outside the facility.
POLICIES

9 CORPORATE POLICIES

23 FACILITY POLICIES

PATIENT PRIVACY PROGRAM REQUIREMENTS
  • HIM.PRI.001
  • LISTS ALL PROGRAM REQUIREMENTS AND DEFINITIONS
Privacy Official Policy
  • Policy HIM.PRI.002
  • Barbara Lee Peace, Facility Privacy Official (FPO), Ext 1682
  • Gayla White, Local Security Coordinator (LSC), Ext 1419
PATIENT PRIVACY PROTECTION
  • HIM.PRI.003
  • Defines individual’s responsibility in protecting PHI
  • Access is granted on a “need to know” basis
Right to Access
  • HIM.PRI.004
  • Individuals have the right to inspect and obtain a copy of their PHI.
  • Facility/PASA will provide a readable hard copy of portions of DRS requested.
  • On-line access not available at this time
  • Individuals with system access are not permitted to access their record in any system.
  • The facility must act on a request for access within 30 days
  • Requests should be forwarded to the HIM Dept (unless for Referral/Industrial or billing information)
  • A copy fee may be charged as allowed by the Georgia (GA) Code
RIGHT TO AMEND
  • HIM.PRI.005
  • Individuals have the right to amend PHI contained in the DRS for as long as the information is maintained.
  • For the purposes of this policy, amend is defined as the patient's right to add to (append) information with which he/she disagrees; it does not include deleting, removing or otherwise changing the content of the record.
  • Requests for amendment must be forwarded to the FPO for processing.
RIGHT TO REQUEST PRIVACY RESTRICTIONS
  • HIM.PRI.006
  • Patients will be provided the right to request restriction of certain uses and disclosures of PHI.
  • Requests for such restrictions must be made in writing to the FPO.
  • No other employee or physician may process such a request unless specifically authorized by the FPO.
  • The facility is not required to act immediately and should investigate its ability to meet the request prior to agreeing to any restriction.
  • 99% of the time the request will not be honored.
  • The facility must permit the patient to request a privacy restriction. The FPO or designee is the only person who may agree to any restriction.
  • Requests should not be acted on immediately, but only after investigation to ensure the facility can accommodate the request.
  • The request must be in writing from the patient.
  • If denied, the patient must be notified of the denial.
  • The request will be filed in the medical record or billing record.
  • A restriction may be terminated by the facility or by the patient.
NOTICE OF PRIVACY PRACTICES
  • HIM.PRI.007 NOPP
  • The NOPP must be given to every patient who physically registers for services (referrals, lab specimens through SNF or HH, etc.). Each patient must acknowledge receipt (by initialing).
  • A 4-page document outlining the patient's rights and giving notice of all of the ways the facility uses and shares a patient's health information.
NOPP
  • Explains ACE, OHCA, uses, disclosures, rights to access, amend, receive confidential communications, request restrictions, request accounting of disclosures, how to file complaints, name & # of FPO, and more.
  • Notice must be posted throughout the facility and on facility web site.
NOPP
  • Company-affiliated facilities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising any rights under the HIPAA Privacy Standards
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATION
  • HIM.PRI.008
  • Patients can request alternate means of communication for mail and telephone calls
  • Unacceptable means include fax, e-mail and Internet communications
  • Patient must complete and sign “Request for Confidential Communications” form
  • Form must be submitted to FPO who will give a copy of the form to the patient
CONFIDENTIAL COMMUNICATION(cont’d)
  • The FPO must notify other parties as appropriate (PASA)
  • If the alternate phone/address turns out not to be accurate, 7 days must pass and then the FPO will notify all applicable parties to take appropriate action
  • The patient must complete a new form if the original alternate information is incorrect
  • If the patient wishes to revoke the request, a “Conf Communication Revocation” form must be completed
ACCOUNTING OF DISCLOSURES
  • HIM.PRI.009 AOD
  • Individuals have the right to an accounting of disclosures made by the facility
  • Includes written and verbal disclosures
  • Accounting must include the date, description of what was disclosed, statement of purpose for the disclosure and to whom the disclosure was made
AOD (cont’d)
  • HIM.PRI.009
  • EXCEPTIONS from Accounting: Uses and disclosures for treatment, payment, healthcare operations (TPO).
  • *** This is not a system audit trail of user access. This is an accounting of entities to which information has been disclosed***
AOD (cont’d)
  • Facility must document the AOD and retain the documentation for 6 years.
  • Types of uses and disclosures that must be tracked for purposes of accounting:
    • Required by law
    • Public health activities
    • Victims of abuse, neglect, or domestic violence unless the healthcare provider believes informing the individual may cause serious harm or believes the individual is responsible for the abuse, neglect, or injury.
    • Health Oversight activities
    • Judicial and administrative proceedings
    • Law enforcement purposes
  • Decedents – Coroners and medical examiners OR funeral directors
  • Cadaveric organ, eye, or tissue donation purposes
  • Research purposes where a waiver of authorization was provided by the Institutional Review Board or preparatory reviews for research purposes
  • In order to avert a serious threat to health or safety
  • Specialized gov’t functions (Military or vet activities OR Protective services for the President and others)
  • Worker’s comp necessary to comply with laws relating to worker’s comp prgms (not including disclosures related to pymt)
AOD
  • Recorded in Meditech: Correspondence menu
  • Also on the MOX menu
  • Detailed instructions forthcoming
VERIFICATION OF EXTERNAL REQUESTORS
  • The policy assumes the requestor is authorized; the facility just needs to verify identity.
  • Identity verification:
    • Valid State/Federal photo ID
    • Minimum of 3 of the following: SS#, DOB, and one of (account #, address, insurance carrier, card or policy #, MR #, birth certificate)
    • Positive signature match
VERIFICATION (CONT’D)
  • Unacceptable forms of identification:
    • Employment ID card/Student ID card
    • Membership ID cards
    • Generic billing statements (utility bills)
    • Supplemental Security card (SSI)
    • Credit cards (photo or non-photo)
VERIFICATION (CONT’D)
  • Third –Party & Company identification methods:
    • Letterhead
    • Email address
    • Fax Coversheet with company logo
    • Photo ID
    • If in doubt, follow-up via telephone
OPTING OUT OF DIRECTORY
  • Comparable to “no press, no info” as we know it
  • Must be requested in writing by the patient
    • Patient Access will handle it if requested, but
    • Nursing may have to handle it
  • MUST inform the patient of the effects, e.g., no delivery of flowers, callers/visitors told there is no such patient, patient must notify family/friends of exact location, no clergy visits
OPTING OUT (cont’d)
  • Will be handled the same in Meditech
  • If the patient is in the Directory, the following information will be released to members of the clergy and to other persons who ask for the patient by name:
    • Pt name
    • Location
    • Condition in general terms
    • Religious affiliation
OPTING OUT (cont'd)
  • The Opt Out form must be distributed to PAD and other appropriate departments to ensure the patient is listed as confidential, and the opt out must be documented in the medical record (change to confidential in Meditech)
  • If a patient asks to opt out during scheduling, OR, Radiology, etc. must notify Patient Access & the FPO
  • Gallup Survey upload file
  • Revocation of an opt out must be in writing
COMPLAINT PROCESS
  • Filed with facility & DHHS
  • To instill a measure of accountability
  • FPO must be notified
  • Complaint must be in writing
  • Steps taken to identify &/or correct any privacy deficiencies
  • Disposition of investigation by FPO to complainant and logged in complaint log
RELEASE TO LAW ENFORCEMENT, JUDICIAL
  • State law takes precedence where it is more stringent than HIPAA
  • Outlines proper acceptance & response to:
    • Court order for judicial or administrative proceedings.
LAW ENFORCEMENT (cont'd)
  • Subpoena or discovery request not accompanied by a court order: the patient must be given notice and ample time to object.
  • Law Enforcement – Disclosure is permitted under specific circumstances.
  • ALL requests for release of information should be referred to the HIM Dept.
CLERGY ACCESS
  • Unless a patient is confidential or has requested to opt out of the facility directory, members of the clergy will be provided with the following information:
  • Name of pt
  • Condition in general terms
  • Location/Room Number
If the pt, during nursing assessment, asks for his or her clergy to be notified, the nursing staff should handle notification according to the facility’s current process.

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
  • Patient authorization is required when the use or disclosure is:
    • Outside of TPO
    • For research
    • Of psychotherapy notes (unless to carry out TPO)
  • A new Authorization Form will replace the existing form
RELEASING UNDER THE PUBLIC GOOD
  • PHI may be released to other covered health care providers w/out patient authorization for public good purposes
  • Public good exception permits disclosures in certain situations including, but not limited to, the following:
  • Required by law
  • About victims of abuse, neglect, or domestic violence
  • Law enforcement purposes
  • For organ procurement
  • To avert a serious threat to health or safety
  • Worker’s comp or other similar program
  • Other situations (gov’t, disaster relief, etc)
PRIVACY MONITORING
  • Security Committee
  • Random Audits
  • Audits of employees with broad access
  • Audits across campuses
  • Audits of all employee records
PRIVACY MONITORING (cont'd)
  • Level and definition of violation:
    • Level I: Accidental and/or due to lack of proper education
    • Level II: Purposeful break in the terms of the Confidentiality and Security Agreement, or an unacceptable number of previous violations
    • Level III: Purposeful break in the terms of the Confidentiality and Security Agreement or an unacceptable number of previous violations, and/or accompanying verbal disclosure of patient information regarding treatment and status
  • Examples of violations:
    • Failing to sign off a computer terminal when not using it
    • Accessing own record
    • Accessing a record without having a legitimate reason to do so
    • Sharing passwords
    • Improper use of e-mail
    • Using unlicensed software on HCA computers
    • Physician self-assigning without obtaining authorization
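The random audits and the violation examples above are the kind of check a privacy monitoring program runs over the EHR's access audit trail. The block below is an added example, not code from the presentation or from any Meditech, HCA or CHS system: it reads a constructed access log (the CSV layout, the workforce roster with care units and the patient census are assumptions made for the example), flags the two violation patterns listed above (accessing one's own record, and accessing a record outside one's care area with no treatment relationship), treats the HIM department as a broad-access role that is reviewed by sampling rather than per unit (also an assumption), and computes per record the share of users who had a care connection, the figure the Darryl Strawberry example quotes as under 3%.

```python
"""Privacy-monitoring audit over a constructed EHR access audit trail.

Added example, not code from the presentation or from any Meditech, HCA
or CHS system. The log layout, the workforce roster (care unit and, if
the employee is also a patient, their own MRN) and the census are
assumptions made for the example.
"""
from dataclasses import dataclass

# Assumed workforce roster: user -> (care unit, own MRN or None)
WORKFORCE = {
    "jdoe":   ("ICU", None),
    "asmith": ("ICU", "MRN1001"),   # employee who is also a patient
    "bwhite": ("HIM", None),        # release-of-information role
    "rlee":   ("ER",  None),
}
# Assumed census: patient MRN -> unit treating the patient
CENSUS = {"MRN1001": "ICU", "MRN2002": "ICU", "MRN3003": "ER"}
# Departments whose job legitimately spans every record; they are reviewed
# by sampling ("audits of employees with broad access") rather than per unit
BROAD_ACCESS_UNITS = {"HIM"}

# Constructed audit-trail lines: timestamp,user,mrn,action
ACCESS_LOG = """\
2003-04-14T08:01:00,jdoe,MRN2002,VIEW
2003-04-14T08:05:00,asmith,MRN1001,VIEW
2003-04-14T08:07:00,rlee,MRN2002,VIEW
2003-04-14T08:10:00,bwhite,MRN3003,PRINT
2003-04-14T09:00:00,rlee,MRN3003,VIEW
2003-04-14T09:30:00,jdoe,MRN3003,VIEW
2003-04-14T09:45:00,zzz,MRN3003,VIEW
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    mrn: str
    reason: str


def parse_log(text):
    """Split the audit trail into (timestamp, user, mrn, action) tuples."""
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]


def classify(timestamp, user, mrn, action):
    """Apply the need-to-know rules to one access; return a Finding or None."""
    unit, own_mrn = WORKFORCE.get(user, (None, None))
    if unit is None:
        return Finding(timestamp, user, mrn, "unknown user ID")
    if own_mrn == mrn:
        # Policy: never access your own record; request it through HIM instead
        return Finding(timestamp, user, mrn, "accessed own record")
    if unit in BROAD_ACCESS_UNITS:
        return None
    patient_unit = CENSUS.get(mrn)
    if patient_unit is None:
        return Finding(timestamp, user, mrn, "record not on current census")
    if patient_unit != unit:
        return Finding(timestamp, user, mrn,
                       f"outside care area ({unit} user, {patient_unit} patient)")
    return None


def audit(text):
    """All findings for the audit trail, in log order."""
    return [f for f in (classify(*event) for event in parse_log(text)) if f]


def care_connection_rate(text, mrn):
    """Share of distinct users who opened `mrn` and work on the patient's unit
    (the statistic behind the '<3% had a remote connection to care' example)."""
    users = {event[1] for event in parse_log(text) if event[2] == mrn}
    if not users:
        return None
    connected = sum(1 for u in users
                    if WORKFORCE.get(u, (None, None))[0] == CENSUS.get(mrn))
    return connected / len(users)


if __name__ == "__main__":
    for finding in audit(ACCESS_LOG):
        print(f"{finding.timestamp} {finding.user:8} {finding.mrn} {finding.reason}")
    print("care-connection rate for MRN3003:", care_connection_rate(ACCESS_LOG, "MRN3003"))
```

The unit-based rule is deliberately coarse: a consult from another unit is a legitimate treatment relationship that this check would flag, so findings are leads for the FPO and LSC to investigate under the violation levels above, not automatic sanctions.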
SANCTIONS FOR PRIVACY VIOLATIONS
  • Security Committee
  • In current hospital policies
  • Violations must be documented
  • Levels of violation:
    • Accidental/lack of education
    • Purposeful, or an unacceptable number of previous violations
    • Purposeful with associated potential patient harm
Disclosures to Other Health Care Providers
  • May disclose for healthcare purposes
  • Verify requestor
  • Medical Staff is member of OHCA
Designated Record Set
  • Policy HIM

Includes:

  • Medical records and billing records for CMC used in whole or in part to make healthcare decisions about patients.
  • Information from another facility received before the patient is discharged.

Privacy Fundraising Requirements
  • In general, individual patient authorization must be obtained to use or disclose a patient’s PHI for fundraising purposes.

Does not apply to CHS

Education Requirements

Effective 4/14/2003

  • All employees must be educated prior to entering the work force
  • Education must be at onset and at least annually
  • Must be documented
FAX POLICY
  • CHECK NUMBERS
  • REPORT WRONG FAXES TO THE FPO
  • ALWAYS USE A COVER SHEET
  • FAXBOX
MARKETING POLICY

A patient authorization is required and must be obtained for any use or disclosure of PHI for purposes of marketing under the HIPAA Privacy Standards.

DEIDENTIFICATION

The policy addresses how to deidentify data before releasing it.

LIMITED DATA SET

Allows for the release of a limited data set in certain situations.
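Both the deidentification policy and the limited data set slide describe what is removed from a record before release. The block below is an added example, not the facility's HIM.PRI policy or any code from the presentation: on a constructed sample record (the field names are an assumed layout) it produces a limited data set, which strips the direct identifiers from the PHI list earlier in the deck but keeps dates and city/state/ZIP, and a Safe Harbor de-identified record, which additionally reduces dates to the year, ZIP to three digits and ages over 89 to “90+”, as the HHS Safe Harbor method (45 CFR 164.514(b)) requires. The free-text scrubber is deliberately simple and shows why narrative notes are the hard part.

```python
"""De-identification of a patient record: limited data set vs. Safe Harbor.

Added example, not taken from the presentation or from the facility's
HIM.PRI policies. The record layout is an assumed one; the identifier
classes follow the PHI list on the earlier slide and the Privacy Rule's
limited data set (45 CFR 164.514(e)) and Safe Harbor (164.514(b)) rules.
"""
import re

# Constructed sample record; no real patient
RECORD = {
    "name": "Jane Q. Sample",
    "address": "123 Main St", "city": "Macon", "state": "GA", "zip": "31201",
    "phone": "478-555-0100", "fax": "478-555-0101", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN1001",
    "health_plan_id": "HP-77", "account_number": "ACCT-9",
    "photo": b"\x89PNG...",
    "dob": "1911-03-02", "admit_date": "2003-04-14", "discharge_date": "2003-04-18",
    "diagnosis": "Pneumonia",
    "note": "Pt Jane Q. Sample seen on 2003-04-14; call 478-555-0100.",
}

# Direct identifiers removed from a limited data set (and from Safe Harbor output)
DIRECT_IDENTIFIERS = {"name", "address", "phone", "fax", "email", "ssn", "mrn",
                      "health_plan_id", "account_number", "photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

_DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
_PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")


def scrub_free_text(text, names, keep_dates):
    """Redact identifiers that leak into narrative text. Names are matched
    literally, so misspellings and nicknames would slip through; free text
    is the part of de-identification that needs human review."""
    for name in names:
        text = text.replace(name, "[NAME]")
    text = _PHONE_RE.sub("[PHONE]", text)
    if not keep_dates:
        text = _DATE_RE.sub(r"\1", text)   # keep only the year
    return text


def limited_data_set(rec):
    """Strip direct identifiers; dates and city/state/ZIP stay. Release only
    under a data use agreement (research, public health, operations)."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    out["note"] = scrub_free_text(rec["note"], [rec["name"]], keep_dates=True)
    return out


def safe_harbor(rec, as_of):
    """Remove every Safe Harbor identifier class: dates reduced to year, age
    over 89 reported as '90+', geography finer than state dropped except
    the first three ZIP digits."""
    out = limited_data_set(rec)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field][:4]
    age = int(as_of[:4]) - int(rec["dob"][:4])   # year granularity is enough for the 89 cutoff
    out["age"] = "90+" if age > 89 else str(age)
    del out["dob"]
    del out["city"]
    # NB: Safe Harbor also requires ZIP3 areas of 20,000 or fewer people to become '000'
    out["zip"] = out["zip"][:3]
    out["note"] = scrub_free_text(out["note"], [rec["name"]], keep_dates=False)
    return out


if __name__ == "__main__":
    print(limited_data_set(RECORD))
    print(safe_harbor(RECORD, as_of="2003-04-14"))
```

Note that the limited data set still counts as PHI: it may only leave the facility under a data use agreement, which is why the deck lists it separately from full deidentification.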

RELEASE TO FAMILY AND FRIENDS

Better known as the “Passcode Policy”: requires a passcode at nursing units and other care units when releasing information on patients.

MINIMUM NECESSARY INFORMATION

The Company wants to be sure that everyone is adhering to the rule that employees have only the minimum necessary information to do their jobs.

POLICIES POSTED
  • ATLAS
    • Policies & Procedures
      • CHS
      • HIPAA
        • Facility
        • Corporate
        • Forms
  • MOX
    • Library
    • HIPAA
Protecting our patient's privacy is part of the quality care we provide at Coliseum Medical Centers – It's the Law –
Email and Internet Access

Email Systems and the Internet:

-Are for business purposes only

-Are monitored by corporate and CHS Information Services

-Any information passing to or through them is the property of the Company

Email Systems and Internet access may NEVER be used for:

-Offensive jokes or language

-Anything that degrades a race, sex, religion, etc.

-“Hate” mail – to harass, intimidate or threaten another person

-Forwarding chain letters

-Emails for want ads, lost and found, notification of events (wedding or other invitations) other than HCA sponsored events

-Access to “prohibited internet sites” containing pornography, “hate” sites, chat sites and gaming sites


The use of HCA’s information systems assets to access such sites is STRICTLY PROHIBITED!

-Any purpose which is illegal, against Company policy, or contrary to the Company’s best interest

Email Systems and Internet access violations are:

-Handled by our CHS Security Committee and will become a part of your personnel record in Human Resources

-Grounds for disciplinary action up to, and including, termination of employment and/or legal action

If you receive an email in violation of our policies or know of any inappropriate Email/Internet usage, please notify our Local Security Coordinator (LSC), Gayla White, or our Hospital Director of Information Services (HDIS), Joan Morstad at 765-4127 or by Outlook or MOX.

Remember adherence is neither voluntary nor optional.

Incident Reporting

Your Local Security Coordinator, Gayla White, is your first contact for questions or to report any known or potential security issues. The Hospital Director of Information Services, Joan Morstad, supports technical issues, including security issues. The Facility Privacy Official, Barbara Lee Peace, receives complaints about patient privacy.

A security breach is any deviation from the HCA – Information Technology and Services Policies, Procedures and Standards.

Violation levels and respective disciplinary actions are outlined in the AA.C.ENFORCE policy located on InSight – the CHS Intranet.

System access will be routinely reviewed through the use of conformance and monitoring audit reports viewed by the Local Security Coordinator and the Facility Security Committee.


Examples of Discipline:

  • Retraining and discussion of policy / Oral warning or reprimand
  • Written warning
  • Termination of user privileges or contracts
  • Termination of employment

REMEMBER: Be aware of the systems you use and report any violations of policy.
LOG IN SUCCESS OR FAILURE

Log-in success or failure is a general term for end user awareness and training including their understanding of their responsibility to ensure the protection of the information they work with and their ability to recognize normal and abnormal system functionality.

Information Security in the healthcare industry means protecting employee and company information, but it also includes the patient information gathered on behalf of a patient during treatment.


WHAT ARE GOOD INFORMATION SECURITY PRACTICES? 

1.     Treat all information as if it were about you or your family.

2.     Access only those systems you are officially authorized to access.

3.     Take reasonable measures to shield sensitive and confidential information from casual view such as positioning workstations away from public view.

4.     Minimize the storage of confidential information on a local workstation.

5.     Always exit the system before leaving work.

6.     Access only the information you need to do your job.

Read the Information Security Guide that is available on ATLAS under Information Technology Services>Security>Awareness Education>Security Guide.


Certain kinds of Internet/email use require large amounts of network bandwidth and, when multiplied by too many users, can actually monopolize our system resources. These “bandwidth hogs” can slow or even shut down the computer systems we need for day-to-day work.

WHAT IMPACTS OUR SYSTEMS?

1.     Internet images/graphics accessed on your web browser.

2.     Pictures/graphics sent by email using the Company email system.

3.     Internet news sites, using either streaming audio or streaming video.

4.     MP3 (music) files downloaded from the Internet.


Take a close look at how you use the Company’s network to ensure that your Internet habits don’t contribute to a slowdown of our systems.

REMEMBER: Responsible use of the internet plays an important part in keeping our Company's network performing properly.

NEED TO KNOW

Workforce members only access systems they are authorized to access. 

Never use a password that does not belong to you. 

Never give someone else your password.

Always request access to a system through the proper channels.

Workforce members access only the information needed to perform a task or job. 

Never view a patient's information if the patient is not in your direct care area.

Never request information from coworkers about a family, friend or your own record.

Never access your own record but request information from Health Information Management.


Workforce members only share sensitive and confidential information with others having a “need to know” to perform their job.

Never give information about patients in your care area to coworkers outside your care area. 

Never discuss patient information in elevators, dining areas, or other public places. 

Direct all requests for information from coworkers about their own or other records to Health Information Management.

Keep sensitive and confidential information in a locked cabinet or drawer when not in use.

REMEMBER: Only access information that is needed to perform your duties!!

PASSWORD MAINTENANCE

Did you know that guessing or using a known password makes up about 60% of all successful information security breaches? This means that creating a secure password is vital to network protection.

You should never write down or give your User ID and password to anyone else and you should never use anyone else’s User ID and password. Using or allowing someone to use a User ID and password that was not assigned to them is like giving a stranger your Bank Card and Pin number!!


Inferior passwords include:

  • Your user ID or account number
  • Your Social Security Number
  • Birth, death or anniversary dates
  • Family member names
  • Your name, forwards or backwards

Good quality passwords are:

  • Eight characters or more
  • Uppercase (A) and lowercase (a) letters
  • Combinations of letters and numbers
  • Easy to type and remember
  • Made up of a pass phrase


A pass phrase is unique and familiar to you, and easy to remember, but not easy to guess. Think of a phrase like “See you later.” For systems that accept numbers and special characters, you can substitute letters for words and add a special character to transform the phrase into something like CUL8ter!. For systems that do not accept numbers and special characters, your password might be CULatER.
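The rules on the two slides above can be checked mechanically at password-change time. Below is an added example, not part of the presentation or of any HCA system: a checker that reports every rule a candidate password breaks, comparing it against the user's own ID, SSN, personal dates and names (forwards and backwards) before applying the length and composition rules. The profile fields and the sample passwords are constructed for the example; a real system would pull the profile from the HR record.

```python
"""Password-quality check for the rules stated on the slides.

Added example, not part of the presentation or of any HCA/CHS system.
The user profile fields (user ID, SSN, name, family names, dates) are
assumed inputs that a real implementation would take from the HR record.
"""


def _date_forms(iso_date):
    """Ways a personal date such as '1984-03-12' tends to be typed into a password."""
    y, m, d = iso_date.split("-")
    yy = y[2:]
    return {y + m + d, m + d + y, d + m + y, m + d + yy, d + m + yy,
            yy + m + d, m + d, d + m, y}


def password_problems(password, *, user_id="", ssn="", full_name="",
                      family_names=(), dates=()):
    """Return the list of rules the candidate breaks (empty list = acceptable)."""
    p = password.lower()
    problems = []

    # "Inferior passwords": anything derived from the user's own identifiers
    if user_id and user_id.lower() in p:
        problems.append("contains user ID")
    ssn_digits = "".join(ch for ch in ssn if ch.isdigit())
    if ssn_digits and (ssn_digits in p or ssn_digits[-4:] in p):
        problems.append("contains SSN digits")
    for iso_date in dates:
        if any(form in p for form in _date_forms(iso_date)):
            problems.append(f"contains a personal date ({iso_date})")
            break
    name_parts = sorted({part.lower() for name in (full_name, *family_names)
                         for part in name.split() if len(part) >= 3})
    for part in name_parts:
        if part in p or part[::-1] in p:
            problems.append(f"contains a name ({part}) forwards or backwards")

    # "Good quality passwords": composition rules
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both uppercase and lowercase letters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs a mix of letters and numbers")
    return problems


# Constructed profile and candidates for demonstration
PROFILE = dict(user_id="jdoe", ssn="123-45-6789", full_name="John Doe",
               family_names=("Mary Doe", "Rex"), dates=("1984-03-12",))

if __name__ == "__main__":
    for candidate in ("CUL8ter!", "CULatER", "jdoe1984", "Eod12345"):
        print(candidate, "->", password_problems(candidate, **PROFILE) or "OK")
```

Run against the slide's own examples, “CUL8ter!” passes every rule, while the no-digit fallback “CULatER” is reported as shorter than eight characters and lacking a number, so on a system that cannot accept digits or special characters a longer pass phrase is needed to satisfy the length rule from the previous slide.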

REMEMBER: Your ID and password document the work performed and the information reviewed by YOU!!

POLICIES AND STANDARDS

HCA relies heavily on computers to meet its operational, financial, and information requirements. The computer system, related data files, and the derived information are important assets of the company.

POLICIES: A mechanism of internal controls for routine and non-routine receipt, manipulation, storage, transmission and/or disposal of health information.

Facility and Corporate policies are located on InSight – the CHS Intranet – under the Policies & Procedures section.


Before being issued a password to CPCS, all employees are required to sign the AA.C.ENFORCE policy describing the requirements for discipline when confidentiality breaches of patient or hospital financial information and data are identified, and the AA.H.OWNMR policy identifying the proper procedure for employees who want to view a copy of their own medical record.

All system users are responsible for abiding by the policies and procedures established to protect the company’s information.

STANDARDS: The minimum security requirements for processing information in a secure environment and for helping facilities comply with the proposed HIPAA (Health Insurance Portability and Accountability Act) Security Rule.


IT&S Standards are published on ATLAS under Information Technology & Services, in the Security section. The latest standards that have been published are:

System Warning Banner

Identification

Authentication

Encryption

Wireless Networks

Electronic Mail System

Workstation Security

Mobile Computing

Open Network Security

Security Awareness

Virus Control

REMEMBER: Each employee is expected to become familiar with and abide by our policies and standards.

WORKSTATION SECURITY

Your workstation is any terminal, instrument, device, or location where you perform work.

Protection of the workstation and its equipment is each employee’s responsibility.

If you leave cash out where the casual observer can see it, are you certain it will be there the next time you look? Our work-related information is even more valuable!


Examples of sensitive information that should never be left unattended:

Patient Identifiable Information. Never leave out any information that is directly related to or traceable to an individual patient.

Departmental Reports.

Employee Evaluations or Goals. Keep personal information about you between you and your manager.

Consulting or Audit Reports. Reports that reveal intricate details about Company operations or systems should be protected from outsiders.

To keep your workstation secure be sure to perform a “self audit” and evaluate the information you leave on top of your desk.


Examples of secure workstations:

  • PCs are secured (locked) to a heavy object whenever possible.
  • When not in use, hard copy information, portable storage, or hand-held devices are kept in a secured (locked) place.
  • Information on any screen or paper is shielded from casual public view.
  • Terminals and desks are not left active or unlocked and unattended.
  • Company approved anti-virus software actively checks files and documents.
  • Only company approved, licensed, and properly installed software is used.
  • Portable storage such as disks and tapes are obtained from a reliable source.


Backups of electronic information are performed regularly.

Surge protectors are used on all equipment containing electronic information.

It is the responsibility of all users who have laptops and other portable devices to exercise due care (i.e., locking and/or storing safely) to prevent opportunist theft or loss.

REMEMBER: It is your responsibility to protect the information resources on your individual workstation.
