VANDERBILT UNIVERSITY MEDICAL CENTER 2013 Privacy and Information Security Training – Staff Information Privacy & Security Website Information Privacy and Security
Page 1: Vanderbilt University medical center

VANDERBILT UNIVERSITY MEDICAL CENTER

2013 Privacy and Information Security Training – Staff

Information Privacy & Security Website

Information Privacy and Security

Page 2: Vanderbilt University medical center

Respect For Privacy and Confidentiality

Page 3: Vanderbilt University medical center

Protected Health Information (PHI)

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is defined as “any information, written, verbal or electronic that relates to the past, present, or future physical or mental health or condition of a person."

The following 18 identifiers are considered PHI, and must be treated with special care.

1. Names
2. All geographical identifiers
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data

Page 4: Vanderbilt University medical center

Protected Health Information (PHI) Cont…

Protected Health Information can be in any form:

Verbal communication (talking)
Written (paper documentation)
Electronic data

Page 5: Vanderbilt University medical center

Vanderbilt Credo Behavior

“I respect privacy and confidentiality”

Never assume it is OK to share information with family or friends, unless you know they are involved in caring for the patient or you have the patient’s permission. This includes family members of VUMC staff or faculty.

Give only the minimum amount of information necessary. Example of “minimum necessary”:

When leaving a message on a patient’s answering machine or with someone who answers the phone, simply leave a call-back number and state that you are calling from Vanderbilt Medical Center.

Shred documents containing protected health information when finished.

Upon patient registration, let the patient give you the pertinent information that identifies them: ask for the patient’s date of birth, address and the last 4 digits of their Social Security Number to verify that the information you have is correct. (Do not give the patient this information; let them give it to you!!!)

Page 6: Vanderbilt University medical center

Careless Handling of Personal or Confidential Information

Frequently Reported Incidents and What You Need to Know…

1. Medical record documents or billing statements being mailed or handed to the wrong patient. Be sure when you are mailing correspondence about a patient that you are sending the correct patient’s information to the appropriately authorized recipient. Always confirm the identity of the individual to whom you are releasing, handing or mailing patient information; e.g., thumb through each page of information, and verify a caller by name, DOB or validation code before communicating.

2. E-mails containing patient Protected Health Information (PHI) sent in a format that is not secure. Do not send PHI in standard, unsecured email. The File Transfer Application (FTA) is an application that allows the user to send a secure attachment. MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.

3. Gossiping or sharing patient information with someone who is not authorized to know. Only engage in conversation regarding patients with other faculty and staff who need the information to do their job, according to Vanderbilt policies and regulatory requirements. Gossiping about, discussing or sharing the health information of a VUMC patient or faculty/staff member that you obtained through your role at VUMC, resulting in the individual filing a complaint, is considered a privacy violation and will result in appropriate disciplinary action.

Page 7: Vanderbilt University medical center

Unauthorized Access or Disclosure of Patient Information

Frequently Reported Incidents and What You Need to Know…

1. Staff or faculty accessing a co-worker’s or any other patient’s electronic medical record without a legitimate business purpose or written authorization is a privacy violation regardless of the reason and may trigger the federal breach notification requirements:

Deliberate, unauthorized access to a patient’s record and disclosure of that information for personal use or with malicious intent is considered a privacy violation and will result in the highest level of disciplinary action, up to and including termination of employment.

Accessing a co-worker’s medical record to look up a room number or any demographic information is a violation under the Sanctions for Privacy and Security policy.

2. Accidentally accessing the wrong patient in the Electronic Medical Record system (StarPanel).

Do not open every patient record until you find the correct patient. When looking for a patient’s medical record, attempt to use more than first and last name to identify the correct patient; e.g., birth date or middle name.

Reference Policy: IM 10-30.12 – Sanctions for Privacy and Information Security Violations

Page 8: Vanderbilt University medical center

Working Under / Sharing User IDs and Passwords

Frequently Reported Incidents and What You Need to Know…

Staff or faculty member shares a User ID and password that allows access to restricted systems and/or confidential information or PHI of others.

If you cannot remember your password, NEVER ask to use someone else’s User ID and password. Call the VUMC HELP DESK for assistance, 343-HELP (343-4357), or access the VUMC HELP DESK website: http://helpdesk.mc.vanderbilt.edu

Do not share your confidential passwords with anyone, including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives or folders as a secure means of sharing access to files or databases without sharing individual user identification.

Sharing your user name/password or using someone else’s user name/password that allows access to a restricted system and confidential information or PHI of others will result in disciplinary action.

Page 9: Vanderbilt University medical center

Creating Strong Passwords

Passwords are your key to secured information and systems.

Easily guessable internet passwords don’t just let you in, they let hackers in too!

A strong password:

1. Is at least eight characters long.

2. Does not contain your user name, real name, or company name.

3. Does not contain a complete word.

4. Is significantly different from previous passwords.

5. Contains uppercase and lowercase letters, numbers and symbols.

A password might meet all the criteria above and still be a weak password:

Example: Hello2U! meets all the criteria for a strong password listed above, but is still weak because it contains a complete word (Hello). H3ll02u! is a stronger alternative because it replaces some of the letters in the complete word with numbers, upper and lower case letters and symbols.

A list of the worst passwords, based on millions of stolen passwords:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
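The five criteria and the worst-password list above can be turned into a simple policy check. This is an added example, not part of the training deck; the word list, the similarity threshold and the `check_password` function are assumptions made for the example.

```python
from difflib import SequenceMatcher

# Constructed stand-in for a dictionary (assumption: the slide states the
# "no complete word" rule but does not name the word list it checks against).
COMMON_WORDS = {"hello", "password", "welcome", "summer", "winter", "vanderbilt"}

# The ten worst passwords from the slide's list of stolen passwords.
WORST_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                   "monkey", "1234567", "letmein", "trustno1", "dragon"}

# Assumption: a candidate is "not significantly different" from a previous
# password when the character-level similarity ratio exceeds this value.
SIMILARITY_LIMIT = 0.8


def check_password(candidate, user_name="", real_name="", company="", previous=()):
    """Return the slide's criteria that `candidate` fails; an empty list means it passes."""
    failures = []
    lowered = candidate.lower()

    # 1. At least eight characters long.
    if len(candidate) < 8:
        failures.append("shorter than eight characters")

    # 2. Does not contain your user name, real name, or company name.
    for label, value in (("user name", user_name), ("real name", real_name),
                         ("company name", company)):
        if value and value.lower() in lowered:
            failures.append(f"contains your {label}")

    # 3. Does not contain a complete word (taken literally: no substitution decoding).
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("contains a complete word")

    # 4. Significantly different from previous passwords.
    for old in previous:
        if SequenceMatcher(None, lowered, old.lower()).ratio() > SIMILARITY_LIMIT:
            failures.append("too similar to a previous password")
            break

    # 5. Contains uppercase and lowercase letters, numbers and symbols.
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if not all(any(test(c) for c in candidate) for test in classes):
        failures.append("missing an uppercase, lowercase, digit or symbol character")

    # Meeting every rule is still not enough if the password is a known-bad one.
    if lowered in WORST_PASSWORDS:
        failures.append("appears on the worst-passwords list")
    return failures


if __name__ == "__main__":
    for example in ("Hello2U!", "H3ll02u!", "password"):
        print(example, "->", check_password(example) or "passes all criteria")
```

Because the word check is literal, the slide's H3ll02u! passes here; a production checker would also normalise common substitutions (3 for e, 0 for o) before the dictionary test.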

Page 10: Vanderbilt University medical center

What You Need to Know

Not Locking or Logging Off Computer

1. Staff or faculty member logs onto an electronic workstation in a shared work area and leaves the device, allowing others to access patient information under the user identification first used.

If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet).

2. Staff or faculty member accesses electronic patient information without first logging on with their own unique identification.

Workstations must be secured by locking the screen or logging off whenever the user walks away. Failure to lock the computer screen may result in others using the system under someone else’s user identification, which is a data integrity concern.

Page 11: Vanderbilt University medical center

Internet Monitoring and Filtering for Clinical Workstations (CWS)

WHY

To protect the integrity and confidentiality of information accessed from and utilized via all Clinical Work Station (CWS) computers, while supporting work needs with reliable workstations for the Clinical Enterprise.

CWSs are being used by staff for personal use and hindering others from access for business purposes.

Security concerns with malware, which causes the support team to rebuild machines.

HOW

Each CWS is monitored for, and access is filtered from known categories of internet sites according to the Vanderbilt University Medical Center (VUMC) Policy – Internet Monitoring and Filtering for Clinical Workstations.

The Information Privacy and Security Executive Committee reviews and oversees the approval process for categories selected to be filtered.

VUMC will monitor and filter for malicious and non-business sites.

Internet Monitoring and Filtering for Clinical Workstations (CWS)

Page 12: Vanderbilt University medical center

Internet Monitoring and Filtering for Clinical Workstations (CWS) Cont…

WHAT

The site you requested has been BLOCKED for the CWS

Page 13: Vanderbilt University medical center

Patient Photography and Video Imaging

VUMC may utilize photography to collect protected patient health information for purposes of identification and patient care and treatment, or as otherwise authorized by the patient or the patient’s legal representative.

Things You Need to Know…

Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment.

Patient-identifiable photography is considered PHI, and use and disclosure of this PHI must comply with all Information Privacy and Security policies for PHI.

Photography for purposes other than patient care does require explicit consent.

Things You Need to Know…

Immediately upload patient photos to the EMR or another secure server and delete them from the device used to capture the image(s). Do not identify patient photographs with more than the minimum necessary (e.g., avoid SSN and patient phone number).

Do not post photography of patients in public areas, on internet websites, or on blogs without written or documented verbal consent from the patient/legal representative prior to the posting.

Reference Policy: IM 10-30.17 – Patient Photography and Video Imaging

Page 14: Vanderbilt University medical center

Patient Photography and Video Imaging Cont…

The following are Patient Photography policy changes pending publication:

A written provider order (or an approved protocol order) or documented patient authorization is required before Patient Photography for any purposes including treatment.

Images from Patient Photography may not be used for clinical consultation without a provider order for the consultation.

All patient photographs for any purpose (except authorized media photography), including but not limited to education, training, teaching, research, and treatment purposes, will be uploaded to the patient's EMR.

Page 15: Vanderbilt University medical center

Social Media

All faculty and staff who identify themselves with VUMC and/or use their Vanderbilt email address in social media venues, for deliberate professional engagement or casual conversation, are to follow the VUMC Credo Behaviors, the Health Insurance Portability and Accountability Act (HIPAA), the Conflict of Interest Policy, privacy policies and general etiquette.

Things You Need to Know…

If you identify yourself in any online forum as a faculty/staff member of VUMC, you must make it clear you are not speaking for VUMC and all submissions represent your own personal views and comments.

Do not post digital images and messages containing PHI without written authorization from the patient. Remember that recognizable markings or body parts are PHI.

Remember that all content contributed on all platforms becomes immediately searchable and can be immediately shared; it immediately leaves your control forever.

Reference Policy: OP 10-10.30 – Social Media Policy and Guidelines

Page 16: Vanderbilt University medical center

Breach Notification

The Privacy Office will determine whether violations require breach notification and reporting.

Things You Need to Know: When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services.

State of TN notification may be required when there is a security breach of unencrypted computerized data containing Personal Information (such as SSN).

The Breach Notification policy below defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or computerized Personal Information, so that appropriate notification requirements are satisfied.

What You Need to Do:

Report all suspected breaches of Patient Health Information (PHI) to the Privacy Office.

Report all suspected breaches of Employee Information (i.e., Social Security Number) to the Privacy Office.

Reference Policy: IM 10-30.02 – Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other

Page 17: Vanderbilt University medical center

Auditing

Accessing a patient’s Electronic Medical Record (EMR) other than for job-related reasons, or without written authorization from the patient, is unacceptable.

The Audit Pop-up is only for StarPanel, but accessing a VUMC employee’s information in EPIC and Medipac will also trigger an audit.

StarPanel users may be prompted to enter a reason for access upon requesting the electronic medical record of an active VUMC faculty/staff member or an active Vanderbilt University student.

Page 18: Vanderbilt University medical center

You must complete the TEST associated with this lesson.

Please read the following instructions:

1. Close this training presentation.

2. Click the TEST LINK under the 2013 Annual Training for Privacy and Information Security Training on the website.

3. Complete the test, print it, and give a signed copy to your manager to be marked complete!!!