- Number of slides: 18
VANDERBILT UNIVERSITY MEDICAL CENTER
2013 Privacy and Information Security Training – Staff
Information Privacy & Security Website
Information Privacy and Security
RESPECT FOR PRIVACY AND CONFIDENTIALITY
PROTECTED HEALTH INFORMATION (PHI)
Protected Health Information (PHI) is defined as “any information, written, verbal or electronic that relates to the past, present, or future physical or mental health or condition of a person.”

What is Protected Health Information (PHI)?
The following 18 identifiers are considered PHI, and must be treated with special care.
1. Names
2. All geographical identifiers
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data
PROTECTED HEALTH INFORMATION (PHI) CONT…
Protected Health Information can be in any form:
- Written (paper documentation)
- Verbal communication (talking)
- Electronic data
VANDERBILT CREDO BEHAVIOR
“I respect privacy and confidentiality”
- Give only the minimum amount of information necessary. Example of “minimum necessary”: when leaving a message on a patient’s answering machine or with someone who answers the phone, simply leave a call-back number and state that you are calling from Vanderbilt Medical Center.
- Shred documents containing protected health information when finished.
- Upon patient registration, let the patient give you pertinent information that will identify the patient: ask for the patient’s date of birth, address and last 4 digits of Social Security Number to verify that the information you have is correct. (Do not give the patient this information; let them give it to you!!!)
- Never assume it is OK to share information with family or friends, unless you know they are involved in caring for the patient, or you have the patient’s permission. This includes family members of VUMC staff or faculty.
CARELESS HANDLING OF PERSONAL OR CONFIDENTIAL INFORMATION
Frequently Reported Incidents and What You Need to Know…
1. Medical record documents or billing statements being mailed or handed to the wrong patient.
   - Be sure, when you are mailing correspondence about a patient, that you are sending the correct patient’s information to the appropriately authorized recipient.
   - Always confirm the identity of the individual to whom you are releasing, handing or mailing patient information; e.g. thumb through each page of information, and verify a caller by name, DOB or validation code before communicating.
2. E-mails containing patient Protected Health Information (PHI) sent in a format that is not secure.
   - Do not send PHI in standard, unsecured email. The File Transfer Application (FTA) is an application that allows the user to send a secure attachment.
   - My Health at Vanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.
3. Gossiping or sharing patient information with someone who is not authorized to know.
   - Only engage in conversation regarding patients with other faculty and staff who need the information to do their job, according to Vanderbilt policies and regulatory requirements.
   - Gossiping about, discussing or sharing the health information of a VUMC patient or faculty/staff member that you obtained through your role at VUMC, resulting in the individual filing a complaint, is considered a privacy violation and will result in appropriate disciplinary action.
UNAUTHORIZED ACCESS OR DISCLOSURE OF PATIENT INFORMATION
Frequently Reported Incidents and What You Need to Know…
1. Staff or faculty accessing a co-worker’s or any other patient’s electronic medical record without a legitimate business purpose or written authorization is a privacy violation regardless of the reason, and may trigger the federal breach notification requirements:
   - Deliberate, unauthorized access to a patient’s record and disclosure of that information for personal use or with malicious intent is considered a privacy violation and will result in the highest level of disciplinary action, up to and including termination of employment.
   - Accessing a co-worker’s medical record to look up a room number or any demographic information is a violation under the Sanctions for Privacy and Security policy.
2. Accidentally accessing the wrong patient in the Electronic Medical Record system (StarPanel):
   - Do not open every patient record until you find the correct patient.
   - When looking for a patient’s medical record, use more than first and last name to identify the correct patient; e.g. birth date or middle name.
Reference Policy: IM 10-30.12 – Sanctions for Privacy and Information Security Violations
WORKING UNDER/SHARING USER IDs/PASSWORDS
Frequently Reported Incidents and What You Need to Know…
A staff or faculty member shares a User ID and password that allows access to restricted systems and/or confidential information or PHI of others.
- If you cannot remember your password, NEVER ask to use someone else’s User ID and password. Call the VUMC HELP DESK for assistance, 343-HELP (343-4357), or access the VUMC HELP DESK website: http://helpdesk.mc.vanderbilt.edu
- Do not share your confidential passwords with anyone, including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives or folders as a secure means of sharing access to files or databases without sharing individual user identification.
- Sharing your user name/password, or using someone else’s user name/password, that allows access to a restricted system and confidential information or PHI of others will result in disciplinary action.
CREATING STRONG PASSWORDS
Passwords are your key to secured information and systems. Easily guessable internet passwords don’t just let you in, they let hackers in too!

Creating a strong password:
1. It is at least eight characters long.
2. Does not contain your user name, real name, or company name.
3. Does not contain a complete word.
4. Is significantly different from previous passwords.
5. Contains uppercase/lowercase letters, numbers and symbols.

A password might meet all the criteria above and still be a weak password. Example: “Hello2U!” meets all the criteria for a strong password listed above, but is still weak because it contains a complete word (Hello). “H3ll02u!” is a stronger alternative because it replaces some of the letters in the complete word with numbers, upper and lower case letters and symbols.

A list of the worst passwords, based on millions of stolen passwords:
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
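As an added example (not from the training deck), the five rules above and the worst-passwords list expressed as a Python checker, so that “Hello2U!” is rejected for its complete word and “H3ll02u!” passes. The dictionary, the similarity cut-off used for rule 4, and the assumption that previous passwords are available in clear at change time are all constructed for illustration.

```python
import difflib
import string

# Constructed stand-ins: a tiny dictionary and the slide's ten "worst passwords".
DICTIONARY = {"hello", "welcome", "vanderbilt", "summer", "monkey", "dragon", "password"}
WORST_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                   "monkey", "1234567", "letmein", "trustno1", "dragon"}
MIN_WORD_LEN = 4        # ignore very short dictionary words to avoid spurious hits
SIMILARITY_LIMIT = 0.6  # assumed cut-off for "significantly different" (rule 4)


def check_password(candidate, user_name="", real_name="", company="",
                   previous=(), dictionary=DICTIONARY):
    """Return the list of failed rules; an empty list means the password passes."""
    # `previous` holds earlier passwords, assumed available in clear at change time.
    failures = []
    lowered = candidate.lower()
    # Rule 1: at least eight characters
    if len(candidate) < 8:
        failures.append("shorter than 8 characters")
    # Rule 2: must not contain the user name, real name or company name
    for label, value in (("user name", user_name), ("real name", real_name),
                         ("company name", company)):
        for part in value.lower().split():
            if part in lowered:
                failures.append(f"contains {label} ({part})")
    # Rule 3: must not contain a complete dictionary word ("Hello2U!" fails here)
    found = sorted(w for w in dictionary if len(w) >= MIN_WORD_LEN and w in lowered)
    if found:
        failures.append("contains complete word(s): " + ", ".join(found))
    # Rule 4: significantly different from previous passwords (sequence similarity)
    for old in previous:
        if difflib.SequenceMatcher(None, lowered, old.lower()).ratio() >= SIMILARITY_LIMIT:
            failures.append("too similar to a previous password")
            break
    # Rule 5: uppercase, lowercase, digits and symbols must all be present
    classes = {"uppercase": any(c.isupper() for c in candidate),
               "lowercase": any(c.islower() for c in candidate),
               "digit": any(c.isdigit() for c in candidate),
               "symbol": any(c in string.punctuation for c in candidate)}
    missing = [name for name, ok in classes.items() if not ok]
    if missing:
        failures.append("missing " + ", ".join(missing))
    # Block list: the slide's list of the most common stolen passwords
    if lowered in WORST_PASSWORDS:
        failures.append("appears on the worst-passwords list")
    return failures
```

A production deployment would replace the embedded dictionary with a full word list and a much larger breached-password list; the rule logic stays the same.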
NOT LOCKING OR LOGGING OFF COMPUTER
WHAT YOU NEED TO KNOW
1. A staff or faculty member logs onto an electronic workstation in a shared work area and leaves the device, allowing others to access patient information under the user identification first used.
   - If you fail to log off a computer or lock the screen and someone else uses the computer under your user identification, you may be held accountable for any activity that results (e.g., unauthorized access to a patient’s record, inappropriate use of the Internet).
2. A staff or faculty member accesses electronic patient information without first logging on with their own unique identification.
   - Workstations must be secured by locking the screen or logging off whenever the user walks away. Failure to lock the computer screen may result in others using the system under someone else’s user identification, which is a data integrity concern.
INTERNET MONITORING AND FILTERING FOR CLINICAL WORKSTATIONS (CWS)
WHY
- To protect the integrity and confidentiality of information accessed from and utilized via all Clinical Work Station (CWS) computers, while supporting work needs with reliable workstations for the Clinical Enterprise.
- CWSs are being used by staff for personal use, hindering others from access for business purposes.
- Security concerns with malware, which causes the support team to rebuild machines.
HOW
- Each CWS is monitored for, and access is filtered from, known categories of internet sites according to the Vanderbilt University Medical Center (VUMC) Policy – Internet Monitoring and Filtering for Clinical Workstations.
- The Information Privacy and Security Executive Committee reviews and oversees the approval process for the categories selected to be filtered.
- VUMC will monitor and filter for malicious and non-business sites.
INTERNET MONITORING AND FILTERING FOR CLINICAL WORKSTATIONS (CWS) CONT…
WHAT
[Block page displayed on a CWS:] The site you requested has been BLOCKED for the CWS
PATIENT PHOTOGRAPHY AND VIDEO IMAGING
VUMC may utilize photography to collect protected patient health information for purposes of identification and patient care and treatment, or as otherwise authorized by the patient or the patient’s legal representative.
Things You Need to Know…
- Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment.
- Patient-identifiable photography is considered PHI, and use and disclosure of this PHI must comply with all Information Privacy and Security policies for PHI.
- Photography for purposes other than patient care does require explicit consent.
- Immediately upload patient photos to the EMR or another secure server and delete them from the device used to capture the image(s).
- Do not identify patient photographs with more than the minimum necessary (e.g. avoid SSN and patient phone number).
- Do not post photography of patients in public areas, on internet websites, or on blogs without written or documented verbal consent from the patient/legal representative prior to the posting.
Reference Policy: IM 10-30.17 – Patient Photography and Video Imaging
PATIENT PHOTOGRAPHY AND VIDEO IMAGING CONT…
The following are Patient Photography policy changes pending publication:
- A written provider order (or an approved protocol order) or documented patient authorization is required before patient photography for any purpose, including treatment.
- Images from patient photography may not be used for clinical consultation without a provider order for the consultation.
- All patient photographs for any purpose (except authorized media photography), including but not limited to education, training, teaching, research, and treatment purposes, will be uploaded to the patient’s EMR.
SOCIAL MEDIA
All faculty and staff who identify themselves with VUMC and/or use their Vanderbilt email address in social media venues, for deliberate professional engagement or casual conversation, are to follow the VUMC Credo Behaviors, the Health Insurance Portability and Accountability Act (HIPAA), the Conflict of Interest Policy, privacy policies and general etiquette.
Things You Need to Know…
- If you identify yourself in any online forum as a faculty/staff member of VUMC, you must make it clear that you are not speaking for VUMC and that all submissions represent your own personal views and comments.
- Do not post digital images and messages containing PHI without written authorization from the patient. Remember that recognizable markings or body parts are PHI.
- Remember that all content contributed on all platforms becomes immediately searchable and can be immediately shared; it immediately leaves your control forever.
Reference Policy: OP 10-10.30 – Social Media Policy and Guidelines
BREACH NOTIFICATION
Things You Need to Know:
The Breach Notification policy below defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or computerized Personal Information, so that the appropriate notification requirements are satisfied.
- The Privacy Office will determine whether violations require breach notification and reporting.
- When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services.
- State of TN notification may be required when there is a security breach of unencrypted computerized data containing Personal Information (such as SSN).
What You Need to Do:
- Report all suspected breaches of Patient Health Information (PHI) to the Privacy Office.
- Report all suspected breaches of employee information (i.e. Social Security Number) to the Privacy Office.
Reference Policy: IM 10-30.02 – Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other
AUDITING
StarPanel users may be prompted to enter a reason for access upon requesting the electronic medical record of an active VUMC faculty/staff member or an active Vanderbilt University student.
- Accessing a patient’s Electronic Medical Record (EMR) other than for job-related reasons, or without written authorization from the patient, is unacceptable.
- The Audit Pop-up is only for StarPanel, but accessing a VUMC employee’s information in EPIC and Medipac will also trigger an audit.
You must complete the TEST associated with this lesson. Please read the following instructions:
1. Close this training presentation.
2. Click the TEST LINK under the 2013 Annual Training for Privacy and Information Security Training on the website.
3. Complete the test. Print and give a signed copy to your manager to be marked complete!!!