
Personal Accountability for Data Stewardship

Personal Accountability for Data Stewardship. 1st Year Medical Students – October 18, 2012; 2nd Year Medical Students – October 9, 2012. Noella Rawlings, Director of Compliance, School of Medicine; Richard Meeks, Assistant Compliance Officer, UW Medicine.



Presentation Transcript


  1. Personal Accountability for Data Stewardship
  1st Year Medical Students – October 18, 2012
  2nd Year Medical Students – October 9, 2012
  Noella Rawlings, Director of Compliance, School of Medicine
  Richard Meeks, Assistant Compliance Officer, UW Medicine

  2. Personal and Professional Accountability
  • Personal Accountability = being answerable for the outcome of your actions or inactions
  • Professional Accountability = demonstrated excellence, integrity, respect, compassion, accountability, and a commitment to altruism in all our work interactions and responsibilities (UW Medicine Professionalism Policy: http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx)
  • As the representatives of UW Medicine, we are personally, professionally, ethically, and legally responsible for our actions
  • Patients place their trust in us

  3. Your Accountability for Data Stewardship
  • Safeguard data (electronic or paper) that you use or access, including but not limited to:
  • Confidential – data whose protection is required by law:
    • Protected health information (PHI) – protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Individual student records – protected by the Family Educational Rights and Privacy Act (FERPA)
    • Individual financial information (e.g., credit card, bank)
    • Other personal information such as Social Security Number
  • Proprietary – intellectual property or trade secrets, research data

  4. Your Accountability for Data Stewardship
  • Safeguard data (electronic or paper) that you use or access, including but not limited to:
  • Restricted – data that is not regulated, but for business purposes is considered protected either by contract or by best practice, including research data

  5. Tools to Assist You in Safeguarding Data
  • Encryption: https://security.uwmedicine.org/training/dept_materials/default.asp
  • Complex passwords: http://security.uwmedicine.org/guidance/role_based/end_user/default.asp
  • Locking offices and files
  • Education and training materials: https://security.uwmedicine.org/Training/Sec_Aware/default.asp
  • Privacy, Confidentiality and Information Security Agreement (PCISA)
  • Following policies restricting removal of data from worksites

  6. Privacy, Confidentiality and Information Security Agreement
  • http://www.uwmedicine.org/Global/Compliance/Document/UW-Medicine-privacy-Confidentiality-Agreement.pdf
  • You agree to safeguard confidential and restricted information
  • What does this mean, and why is it important?

  7. Encryption
  • Where to get information and help with encryption:
    • http://security.uwmedicine.org/guidance/technical/laptop_mobiledevice_encryption/default.asp
    • http://security.uwmedicine.org/Home/Communications/Laptop_Encryption_Awareness_Email_033111/default.asp
    • IT Services Help Desk: mcsos@u.washington.edu
    • DOM IT Help Desk: domhelp@u.washington.edu

  8. Safeguarding Patient Information
  • Comply with UW and UW Medicine policies:
    • Privacy: http://depts.washington.edu/comply/privacy.shtml
    • Information Security: http://security.uwmedicine.org/guidance/policy/default.asp
    • Privacy Policy PP-30: http://depts.washington.edu/comply/docs/PP_30.pdf

  9. Personal Consequences of a Breach
  • Loss of patient and public trust
  • Your name is reported to:
    • Your Program Director, Department Chair, Executive Director and/or Unit Head
    • Dean of the School of Medicine and/or Vice Dean, Academic Affairs
    • UW Medicine Chief Health System Officer
    • UW Health Sciences Risk Management
    • UW Chief Information Security Officer
    • Federal and state regulatory agencies
  • The time you will spend cooperating with investigations, being retrained, and in other remedial activities
  • Imposition of sanctions, disciplinary actions, and potential civil/criminal penalties
  • Damage to your personal and professional reputation

  10. Institutional Consequences of a Breach
  • Potential loss of public trust in UW Medicine
  • Significant time and resources to investigate, conduct forensics, analyze findings, and determine the appropriate course of action
  • Involvement of legal counsel, risk management, executive directors, unit heads
  • Federal law requirements regarding notification
  • A call center for each case requiring patient notification
  • Office for Civil Rights (OCR) investigation
  • Possible imposition of civil/criminal penalties, fines and sanctions

  11. Breach Notification Rules
  • Definition of breach: "acquisition, access, use or disclosure of PHI … that compromises the security or privacy of the PHI."
  • Notification requirements apply only to "unsecured" PHI. PHI is deemed unsecured unless rendered "unusable, unreadable, or indecipherable" to unauthorized individuals by technologies or methodologies identified by HHS (currently limited to encryption or destruction). A password prompt in an application does not meet this bar; only encryption of the stored data does.
  • Notification of affected individuals is required if the breach poses a "significant risk of financial, reputational or other harm to the individual." (This harm threshold comes from the 2009 interim final rule in force when these slides were given; the HIPAA Omnibus Rule of January 2013 replaced it with a presumption that any impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that the PHI was compromised.)

  12. Breach Notification Rules
  • Breaches affecting fewer than 500 individuals are logged and reported to the HHS Office for Civil Rights annually; breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery.
  • If a breach involves 500 or more residents of a state or jurisdiction, it must also be reported to prominent media outlets serving the location(s) in which the individuals reside.
  • If a breach involves 10 or more individuals for whom contact information is insufficient or out of date, the covered entity must provide substitute notice, for example by posting a notice of the breach on its website for 90 days.

  13. UW Medicine Case Study #1
  • Resident's log book, left in a backpack locked in the trunk of a car, was stolen
  • PHI: patient name, EMR number, dates of service, date of birth, clinic, and procedures
  • 487 patients notified
  • Self-reported to OCR; intense OCR follow-up investigation (2 years); required hundreds of hours of staff time; resulted in substantive policy changes
  • Lessons learned:
    • Written PHI may not be taken off site without authorization from a supervisor, chair or program director
    • Written PHI taken off site should not leave your physical possession at any time

  14. UW Medicine Case Study #2
  • Unencrypted hard drive stolen from an unlocked office
  • Contained PHI and quality improvement (QI) data
  • 3,948 patients involved; 324 patients notified due to risk of harm; notification to OCR; posted on the UW Medicine website; OCR investigation likely forthcoming
  • Lessons learned:
    • Do not remove PHI from a secured location
    • Password protect AND encrypt
    • Ensure physical security of devices at all times

  15. UW Medicine Case Study #3
  • Medical student working on an IRB-approved study
  • PHI of 1,200 patients (study data) stored on a laptop; laptop stolen from home
  • Laptop and files containing PHI were password protected, but not encrypted
  • Research data considered unsecured since it was not encrypted
  • Possible notification of patients
  • Lessons learned:
    • Password protect AND encrypt
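Case Studies #2 and #3 both turn on the distinction slide 11 draws: a password that gates an application is not encryption, so the stolen data was "unsecured" PHI. The script below is an added illustration, not code from the UW Medicine slides or from UW Medicine IT. It simulates the two storage approaches and shows that a thief who reads the stolen file directly bypasses the password check entirely, while the encrypted copy yields nothing without the password. The sample record, the password, and the HMAC-SHA256 counter-mode stream cipher are constructed for the example (the cipher keeps the script dependent on the standard library only; on a real laptop use full-disk encryption or AES-GCM from a vetted library).

```python
"""Added example: 'password protected' versus 'encrypted' at rest.

password_gate_store  - the app checks a password before DISPLAYING the
                       record, but writes the record to disk in the clear.
encrypted_store      - the record is encrypted under a key derived from
                       the password (PBKDF2-HMAC-SHA256) and authenticated
                       with an HMAC tag (encrypt-then-MAC).

The counter-mode stream cipher built from HMAC-SHA256 is an illustration,
chosen so this runs with only the standard library; it is not a substitute
for full-disk encryption or AES-GCM from a vetted library.
"""
import hashlib
import hmac
import os

# Constructed sample record for the example; no real patient data.
SAMPLE_RECORD = b"Patient: J. Doe, MRN 0000000, DOB 1970-01-01, Clinic: Cardiology"

PBKDF2_ITERATIONS = 200_000


def password_gate_store(record: bytes, password: str) -> bytes:
    """'Password protection' as many applications do it: a password hash
    that guards the UI, stored next to a record written in the clear."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest().encode()
    return b"PWHASH:" + pw_hash + b"\n" + record


def password_gate_open(blob: bytes, password: str) -> bytes:
    """The application's view: refuses to show the record without the password."""
    header, _, record = blob.partition(b"\n")
    expected = b"PWHASH:" + hashlib.sha256(password.encode()).hexdigest().encode()
    if not hmac.compare_digest(header, expected):
        raise PermissionError("wrong password")
    return record


def _derive_keys(password: str, salt: bytes):
    """Derive a 32-byte encryption key and a 32-byte MAC key from the password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || counter) blocks.
    The same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypted_store(record: bytes, password: str) -> bytes:
    """Layout: salt(16) || nonce(16) || tag(32) || ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _keystream_xor(enc_key, nonce, record)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def encrypted_open(blob: bytes, password: str) -> bytes:
    """Verify the tag before decrypting; a wrong password or a modified
    file fails the tag check instead of producing garbage."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or file modified")
    return _keystream_xor(enc_key, nonce, ct)


def phi_readable_without_password(blob: bytes, fragment: bytes = b"MRN 0000000") -> bool:
    """What a thief does with a stolen drive: read the raw bytes and skip
    the application entirely. True means the PHI is exposed."""
    return fragment in blob


if __name__ == "__main__":
    gated = password_gate_store(SAMPLE_RECORD, "s3cret")
    sealed = encrypted_store(SAMPLE_RECORD, "s3cret")
    print("password-gated file exposes PHI:", phi_readable_without_password(gated))
    print("encrypted file exposes PHI:    ", phi_readable_without_password(sealed))
```

The two files behave identically inside the application (both refuse to open without the password), which is why users believe they are equally protected. Only the encrypted file stays unreadable when the disk is pulled from the laptop, and only that file would count as "secured" under the HHS guidance on slide 11.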

  16. National Case Studies
  • Alaska DHHS settles HIPAA Security case for $1,700,000 – June 26, 2012
  • HHS settles HIPAA case with BlueCross BlueShield of Tennessee (BCBST) for $1.5 million – March 13, 2012
  • Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. – February 14, 2011
  • See http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

  17. Basic DOs and DON'Ts
  • Avoid taking confidential data off site or downloading it to portable or mobile devices
  • If taking confidential data with you, you MUST obtain supervisor or department head approval
  • Confidential or restricted data stored on mobile devices must be encrypted, and your device must be password protected
  • Lock up confidential data (locking file drawer, safe, or other locked device)
  • Never leave confidential data in your car

  18. Medical Record Access
  • You can access your own medical record online
  • You cannot access a family member's or friend's medical record online
  • If you are treating a family member or friend, you must document this in the medical record
  • Compliance actively monitors access to patient records:
    • Random audits
    • Patients of media interest
    • Patients with privacy alerts

  19. Smartphone Configuration
  • If you use your smartphone to conduct UW business, such as accessing your UW e-mail, it must have:
    • A pass code or PIN
    • Automatic lock with pass code or PIN
    • Tamper wipe – the phone is wiped after 10 failed pass code or PIN attempts
    • Back-up – not to the cloud
    • Encryption
  • http://ciso.washington.edu/resources/risk-advisories/smartphone-configuration/
  • http://security.uwmedicine.org/guidance/policy/electronic_data

  20. Other Resources
  • Office of the Chief Information Security Officer
    • http://ciso.washington.edu/resources/online-training/
    • http://ciso.washington.edu/resources/smart-computing/
    • http://ciso.washington.edu/

  21. Questions?
