
PRIVACY AND SECURITY WEEK APRIL 11TH – 15th, 2005

Learn about the importance of HIPAA privacy and security rules in safeguarding patients' protected health information (PHI) and the consequences of violating these rules.



Presentation Transcript


  1. PRIVACY AND SECURITY WEEK, APRIL 11TH – 15th, 2005. PRIVACY AND SECURITY IS GOOD MEDICINE!!! Presented by several members of the HIPAA Program Management Office: Phil Edge, Kim Len, Grace Upleger. Source: http://www.ahima.org/hipsweek

  2. Images in this presentation make use of the US National Security Agency's collection of security awareness posters, the US Centers for Disease Control Public Health Image Library, and the University of Miami Ethics Program Digital Image Repository. All images are in the public domain.

  3. What is HIPAA? • HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. • Facets of HIPAA include Privacy (in effect 4-14-03); Transactions and Code Sets/Identifiers (in effect 10-16-03); and Security, slated to go into effect 4-20-05. • The purpose of the HIPAA Privacy rule is to give patients more control over how we can use and share their protected health information (PHI). This covers information in any form (written, verbal, or electronic). • The purpose of the HIPAA Security rule is to protect the confidentiality, integrity and availability of electronic protected health information (EPHI). • VUMC is committed to protecting patients' information.

  4. When Can We Release PHI? • Treatment (e.g., referring MDs, family members) • Payment (insurance companies or other 3rd parties) • Administrative Functions (QI, financial analysis) • Educational or Training Activities • Other Exceptions that Require Patient’s Authorization • Always follow the Minimum Necessary rule

  5. How Can We Release PHI? • Telephone: Be sure you know who is calling. • Suggested Verification Protocols: • Ask the caller to provide unique patient identifiers such as middle name, birth date, or address. • Check that the patient has opted into the Directory and is not a "No Info" patient (Medipac and Wiz). • Where to find whether a patient is registered as a "No Info" patient: • After pulling up the patient's record in Medipac and selecting the current visit, choose "All Records". • In the lower right-hand corner of the screen you will see a field called "Confident Lvl". A letter "I" in this field indicates the patient is a "No Info" patient; a letter "G" indicates a "General Info" patient.

  6. How Can We Release PHI? • Call the caller back at a place of business or a known phone number. • Check the passcode or name on the communication list (Form MC3166: Communications with Family or Others Involved in Your Care). • You may use professional judgment to determine what is in the best interest of the patient.

  7. How Can We Release PHI? • Faxing • Call ahead before faxing • Make sure you enter the correct number • Always use a cover sheet (VUMC Operations Policy 10-40.12: “Faxing Protected Health Information”)

  8. How Can We Release PHI? • Leaving Messages on an Answering Machine • Appointment reminder messages: we recommend leaving the patient's name, the physician's name, and the date/time of the appointment. No information related to the patient's condition should be left. • Requesting the patient to call about clinical information (e.g., test results, instructions): the message should only confirm it is from VUMC and leave a name and a callback number. • Urgent matters: staff can use professional judgment to leave a more detailed message or a message with a family member.

  9. Sanctions for Privacy & Information Security Violations. Level 1 Violation: Negligent Act (Carelessness). Examples: • Failure to properly sign off a workstation or secure a computer. • Emailing/faxing a file that includes PHI or other confidential information to the wrong person. • Not properly verifying individuals by phone, in person, or in writing before releasing PHI or other confidential information. Disciplinary/Corrective Action: Verbal Warning.

  10. Self-Reporting Accidental Acts – NEW Requirement • A Self-Reported Accidental Act is defined as "an unintentional or unexpected reportable event that results in spite of the individual's efforts to follow established procedure". (Example: selecting the wrong patient from a list of names in StarPanel.) • It must be reported to one of the following: • Privacy Office • VUMC Help Desk • Compliance Reporting Line • Your manager, who will report it to one of the above. • Failure to self-report an accidental breach is considered a negligent act. • Repeated Self-Reported Accidental Acts may result in a Level 2 violation.

  11. Sanctions for Privacy & Information Security Violations. Level 2 Violation: Negligent Act (Not following procedure). Examples: • Releasing information to a caller about a patient who is designated as "No Information" status. • Failure to account for disclosures within the VUMC Disclosure Tracking system. Disciplinary/Corrective Action: Written Warning.

  12. Sanctions for Privacy & Information Security Violations. Level 3 Violation: Purposeful Act (Curiosity or Concern). Examples: • Sharing your ID/password with a coworker or using another person's ID/password. (This was previously a Level 2 violation!) • Accessing or connecting to VUMC information systems (e.g., computers, servers, routers, switches) without authorization. • Accessing and reviewing the record of a patient out of concern or curiosity without written authorization. Disciplinary/Corrective Action: Final PIC (6 months probation).

  13. Sanctions for Privacy & Information Security Violations. Level 4 Violation: Purposeful Act (Blatant Misuse). Examples: • Accessing a patient record to use information in a personal relationship. • Compiling a mailing list for personal use or to be sold. • Tampering with or unauthorized destruction of information. Disciplinary/Corrective Action: Termination.

  14. What does HIPAA Security mean for you? • Keeping the integrity and confidentiality of EPHI • Having EPHI available when needed

  15. What is EPHI? • EPHI includes all individually identifiable health information related to our patients or research subjects that is created, maintained, or transmitted electronically by VUMC.  • We have created a number of policies and more are coming each week. • To see the current HIPAA policies, please visit our website at: http://www.mc.vanderbilt.edu/HIPAA

  16. VUMC wants to know if a Privacy or Security incident has occurred. Examples of incidents include: • A laptop or other mobile device that contains sensitive data is lost or stolen • An email or fax containing EPHI is sent to the wrong individual/entity • Belief that a password or token has been compromised • A lost data center badge or any lost identifiable access peripheral (a closet key, for example) that enables an individual to gain entry to a computer system/network that contains EPHI • Staff/Faculty looking at another person's confidential data without cause • Other

  17. Computer incidents may include: • Unusually slow processing • Unusual messages on the display • Characters or text mysteriously appearing (or disappearing) in documents or other files • Unusual system activity, like the CD drawer opening and closing • System crashes

  18. Vanderbilt takes these incidents seriously and wants to know when they occur. • HIPAA REQUIRES us to document all Privacy and Security incidents. • Please call the Help Desk (3-HELP) or the Privacy Office (936-3594) if you suspect there has been a Privacy or Security incident.

  19. PASSWORDS • HIPAA mandates unique identification of users. That means you MUST have individualized access for all computer systems that contain EPHI. • Remember the longer the password, the better, as long as you can remember it. • Passwords should include numbers and special characters when possible.

  20. Someone you care about -- even you -- may have health information stored here. Keep it confidential! • If you are using a computer and need to step away: • Log Off OR Lock your computer • Enable a screen saver with a password on your system.

  21. Safeguarding Availability • We have created a policy to communicate the requirements for business continuity in the event of any disaster, including computer malfunction, so workflow and patient care can continue. • If you manage a computer system, please be versed in this policy, which describes HIPAA and VUMC requirements for: • Disaster Recovery (DR), Contingency plans, Data backup plans, Test plans and other principles

  22. Transmission of EPHI • Whenever possible, use encryption to transmit EPHI between Vanderbilt and any outside entity. • DO NOT transmit EPHI to entities outside of Vanderbilt through FTP or Telnet, unless approved by the HIPAA Team. Both protocols send logins and data in cleartext, so anyone on the network path can read them.

  23. Email • EMAIL helps us get business done at VUMC. It is a great facilitator but does have risks. • Do NOT open an attachment that you are not expecting, even if it is from someone you know, until you have confirmed by voice or email that this person truly sent it. • Be aware of emails that appear to use "social engineering" or "phishing" to get you to open an attachment (e.g., promises of money, pornography, etc.).

  24. EMAIL is not like a letter …. but a postcard. • Avoid sending EPHI in emails going outside the VUMC mail system. • Limit the amount of patient information incorporated into internal emails to the minimum necessary. • Do not automatically forward email to an outside or external email destination.

  25. Buying an IT System • VUMC and HIPAA require certain documents when entering into a relationship with a vendor who will, or could potentially, view patient information. • All purchased computer applications or services that will contain patient information and will be accessed, at some point, by the vendor need a: • Contract • Business Associate Agreement (BAA) • New systems need to adhere to the new HIPAA standards. • Check the IT Procurement link on the VUMC HIPAA website at http://www.mc.vanderbilt.edu/HIPAA for HIPAA and IT architecture requirements.

  26. Acquiring a transcription service • We have developed a new policy that requires departments to use only approved transcription vendors, due to HIPAA and contractual concerns. • We will be contacting departments if we do not have adequate documentation for the company you are using. • ALL approved vendors will have a: • Contract • Business Associate Agreement (BAA) • Approved HIPAA Security Survey completed • Verification that they meet the Transcription Standards

  27. Accountability • All systems and media that contain EPHI should be inventoried. • A proper record of their location should also be maintained.

  28. Monitoring and Audit Trails • All systems that contain EPHI should log system access and activity. • The HIPAA Team will work with departments that cannot currently meet this requirement to develop plans for compliance.
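A log that nobody reads is not much of an audit trail. The example below, added here and not part of the original presentation, shows what "logging access and activity" buys you once it is in place: it runs two checks over a constructed sample access log and flags two of the violation types from the sanctions slides, a user opening the record of a patient they have no care relationship with (the Level 3 "curiosity or concern" case) and one user ID active on two workstations within minutes of each other (a typical sign of a shared ID/password). The CSV layout, the workstation names, the MRNs and the CARE_TEAM table are all assumptions made for the example, not VUMC's actual log format or systems.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data): one row per record access,
# with timestamp, user id, workstation, patient MRN and action. The column
# layout is an assumption for this example, not VUMC's actual log format.
SAMPLE_LOG = """\
ts,user,workstation,mrn,action
2005-04-11T08:01:00,nurse01,WS-3A,100001,view
2005-04-11T08:03:00,nurse01,WS-3A,100002,view
2005-04-11T08:04:30,drsmith,WS-7B,100003,view
2005-04-11T08:05:00,nurse01,WS-9C,100004,view
2005-04-11T12:15:00,clerk02,WS-1A,100005,view
2005-04-11T12:16:00,clerk02,WS-1A,100001,view
"""

# Constructed care-team table (an assumption): the patients each user has a
# treatment, payment or operations reason to open.
CARE_TEAM = {
    "nurse01": {"100001", "100002", "100004"},
    "drsmith": {"100003"},
    "clerk02": {"100005"},
}


def parse_log(text):
    """Parse the CSV audit trail into dicts with a real datetime in 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        events.append(row)
    return events


def accesses_without_relationship(events, care_team):
    """Accesses to a patient the user has no documented relationship with.

    These are the 'curiosity or concern' cases the sanctions policy calls out;
    a user missing from the table has no authorized patients at all."""
    return [e for e in events if e["mrn"] not in care_team.get(e["user"], set())]


def concurrent_workstation_use(events, window=timedelta(minutes=5)):
    """Same user id active on two different workstations within `window`.

    One person rarely moves between rooms that fast; it usually means the
    ID/password is being shared. Only consecutive events per user are
    compared, so each workstation switch is reported once."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if (prev["workstation"] != cur["workstation"]
                    and cur["ts"] - prev["ts"] <= window):
                findings.append((user, prev["workstation"], cur["workstation"], cur["ts"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in accesses_without_relationship(evs, CARE_TEAM):
        print(f"no care relationship: {e['user']} opened MRN {e['mrn']} at {e['ts']}")
    for user, ws_a, ws_b, ts in concurrent_workstation_use(evs):
        print(f"possible shared credential: {user} on {ws_a} then {ws_b} at {ts}")
```

On the sample data the first check flags clerk02 opening MRN 100001, and the second flags nurse01 moving from WS-3A to WS-9C two minutes later. Both checks only work because every access is tied to an individual user ID, which is why the password slide insists on unique identification of users: a shared login makes both findings impossible to attribute.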

  29. Disposal and Re-Use • All media, including hard drives that contain EPHI should have the data on them completely and permanently erased before disposal or re-use. • Deleting a file on a computer does not permanently remove it. • Other measures such as overwriting, degaussing or physical destruction should be used.
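As a worked illustration of the overwriting step above, the following example, added here and not part of the original presentation, overwrites a file's contents with random data in place (several passes, each flushed to disk), checks that a known fragment of the original content can no longer be read back, and only then unlinks the file. The file contents and the "Test Patient" marker are constructed for the example; nothing here is real EPHI.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks so large files never sit in memory


def overwrite_in_place(path, passes=3):
    """Overwrite every byte of the file with fresh random data `passes` times.

    The file is opened read/write and never truncated, so its length and its
    allocated blocks stay the same while the content is replaced. Each pass
    is flushed and fsync'd so the writes reach the disk rather than sitting
    in the page cache. Returns the total number of bytes written.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = secrets.token_bytes(min(CHUNK, remaining))
                fh.write(chunk)
                remaining -= len(chunk)
                written += len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    return written


def wipe_file(path, passes=3, marker=b""):
    """Overwrite `path`, verify no copy of `marker` remains, then unlink it.

    Returns True when the marker was not found after overwriting and the
    file is gone. Returns False, leaving the file in place for inspection,
    if the marker could still be read back. The read-back loads the whole
    file, which is fine for the demo but should be chunked for large media.
    """
    overwrite_in_place(path, passes)
    if marker:
        with open(path, "rb") as fh:
            if marker in fh.read():
                return False
    os.remove(path)
    return not os.path.exists(path)


def demo():
    """Create a temp file holding constructed (fake) EPHI and wipe it."""
    fake_ephi = b"MRN=0000001; Name=Test Patient; Dx=example\n" * 500
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(fake_ephi)
    return wipe_file(path, passes=3, marker=b"Test Patient")


if __name__ == "__main__":
    print("wiped:", demo())
```

The read-back check is what separates this from a plain delete: `os.remove` on its own only drops the directory entry, exactly the case the slide warns about. Overwriting in place is still only as good as the filesystem beneath it; journaling, snapshots and flash wear levelling can keep older copies of the blocks where this loop never reaches them, which is why the slide lists degaussing and physical destruction as the alternatives for drives leaving the building.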

  30. We want your computer to be in a safe work environment. • All computer systems containing EPHI should be secured. • Physical access to systems that contain EPHI should be limited whenever possible.

  31. And we want your portable and home devices to be safe • Use a Virtual Private Network (VPN). • Use the desktop anti-virus software (available to all Vanderbilt employees; see the NCS website). • Use strong passwords and password-protected screensavers. • Avoid storing EPHI on portable computers and devices. • Physically safeguard your portable device. Call VUPD immediately if it is lost or stolen.

  32. For more information, or to report an incident, contact the following: Privacy Office at 936-3594 or The Help Desk at 3-HELP

  33. THANK YOU!!!!! QUESTIONS?
