UW School of Medicine Personal Accountability for Data


Personal Accountability for Data Stewardship
1st Year Medical Students – October 18, 2012
2nd Year Medical Students – October 9, 2012
Noella Rawlings
Director of Compliance
School of Medicine
Richard Meeks
Assistant Compliance Officer
UW Medicine
Personal and Professional Accountability
• Personal Accountability = Being answerable for the outcome of your actions or inactions
• Professional Accountability = Demonstrated excellence, integrity, respect, compassion, accountability, and a commitment to altruism in all our work interactions and responsibilities. (UW Medicine Professionalism Policy)
http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx
• As the representatives of UW Medicine, we are personally, professionally, ethically, and legally responsible for our actions
Patients place their trust in us
Your Accountability for Data Stewardship
• Safeguard data (electronic or paper) that you use or access, including but not limited to:
  • Confidential – protection of data required by law
    • Protected health information (PHI) – protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Individual Student Records – protected by the Family Educational Rights and Privacy Act (FERPA)
    • Individual financial information (e.g., credit card, bank)
    • Other personal information such as Social Security Number
  • Proprietary – intellectual property or trade secrets, research data
Your Accountability for Data Stewardship
• Safeguard data (electronic or paper) that you use or access, including but not limited to:
  • Restricted – data that is not regulated, but for business purposes is considered protected either by contract or best practice, including research data
Tools to Assist You in Safeguarding Data
• Encryption
https://security.uwmedicine.org/training/dept_materials/default.asp
• Complex passwords
http://security.uwmedicine.org/guidance/role_based/end_user/default.asp
• Locking offices and files
• Education and training materials
https://security.uwmedicine.org/Training/Sec_Aware/default.asp
• Privacy, Confidentiality and Information Security Agreement (PCISA)
• Following policies restricting removal of data from worksites
PRIVACY, CONFIDENTIALITY AND INFORMATION SECURITY AGREEMENT
• http://www.uwmedicine.org/Global/Compliance/Document/UW-Medicine-privacyConfidentiality-Agreement.pdf
• Agree to safeguard confidential and restricted information
• What does this mean and why is it important?
Encryption
• Where to get information and help with encryption:
http://security.uwmedicine.org/guidance/technical/laptop_mobiledevice_encryption/default.asp
http://security.uwmedicine.org/Home/Communications/Laptop_Encryption_Awareness_Email_033111/default.asp
IT Services Help Desk: [email protected]
DOM IT Help Desk: mailto:[email protected]
Safeguarding Patient Information
• Comply with UW and UW Medicine policies:
Privacy: http://depts.washington.edu/comply/privacy.shtml
Information Security: http://security.uwmedicine.org/guidance/policy/default.asp
• Privacy Policy PP-30
http://depts.washington.edu/comply/docs/PP_30.pdf
PERSONAL CONSEQUENCES OF A BREACH
• Loss of patient and public trust
• Your name is reported to:
  • Your Program Director, Department Chair, Executive Director and/or Unit Head
  • Dean of the School of Medicine and/or Vice Dean, Academic Affairs
  • UW Medicine Chief Health System Officer
  • UW Health Sciences Risk Management
  • UW Chief Information Security Officer
  • Federal and state regulatory agencies
• The time you’ll spend cooperating with investigations, being retrained, and other remedial activities
• Imposition of sanctions, disciplinary actions, and potential civil/criminal penalties
• Your personal and professional reputation
INSTITUTIONAL CONSEQUENCES OF A BREACH
• Potential loss of public trust in UW Medicine
• Significant time and resources to investigate, conduct forensics, analyze findings, and determine appropriate course of action
• Involvement of legal counsel, risk management, executive directors, unit heads
• Federal law requirements regarding notification
• Call center for each case requiring patient notification
• Office of Civil Rights investigation
• Possible imposition of civil/criminal penalties, fines and sanctions
Breach Notification Rules
• Definition of Breach: “acquisition, access, use or disclosure of PHI … that compromises the security or privacy of the PHI.”
• Notification requirements apply only to “unsecured” PHI. PHI is deemed unsecured unless rendered “unusable, unreadable, or indecipherable” to unauthorized individuals by technologies or methodologies identified by HHS (currently limited to encryption or destruction).
• Notification of affected individuals required if the breach poses a “significant risk of financial, reputational or other harm to the individual.”
Breach Notification Rules
• All breaches must be reported annually to the Office of Civil Rights.
• If a breach involves 500 or more individuals, it must be reported to media which reach location(s) in which the individuals reside.
• If a breach involves more than 10 individuals for whom an address is not available, the covered entity must place notice of the breach on its website for 90 days.
UW Medicine Case Study #1
• Resident’s log book left in backpack, locked in trunk of car, and was stolen
• PHI: patient name, EMR number, dates of service, date of birth, clinic, and procedures
• 487 patients notified
• Self-reported to OCR; intense OCR follow-up investigation (2 years); required hundreds of hours of staff time; and resulted in substantive policy changes
• Lessons Learned
  • Written PHI may not be taken off site without authorization from supervisor, chair or program director
  • Written PHI taken off site should not leave physical possession at any time
UW Medicine Case Study #2
• Unencrypted hard drive stolen from unlocked office
• PHI and QI data
• 3948 patients involved; 324 patients notified due to risk of harm; notification to OCR; posted on UW Medicine website; likely OCR investigation forthcoming
• Lessons Learned
  • Do not remove PHI from secured location
  • Password protect AND encrypt
  • Ensure physical security of devices at all times
UW Medicine Case Study #3
• Medical student working on an IRB-approved study
• PHI of 1200 patients (study data) stored on laptop and laptop stolen from home
• Laptop and files containing PHI were password protected, but not encrypted
• Research data considered unsecured since not encrypted
• Possible notification of patients
• Lessons Learned
  • Password protect and encrypt
National Case Studies
NATIONAL EVENTS
• Alaska DHHS Settles HIPAA Security Case for $1,700,000 – June 26, 2012
• HHS settles HIPAA case with BlueCross BlueShield of Tennessee (BCBST) for $1.5 million – March 13, 2012
• Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. – February 14, 2011
See http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
Basic DO’s and DON’Ts
• Avoid taking confidential data off-site or downloading to portable or mobile devices
• If taking confidential data with you, you MUST obtain supervisor or department head approval
• Confidential or restricted data stored on mobile devices must be encrypted and your device password protected
• Lock up confidential data (locking file drawer, safe, or other locked device)
• Never leave confidential data in your car
Medical Record Access
• You can access your own medical record on-line
• You cannot access your family’s or friends’ medical records on-line
• If you are treating a family member or friend, you must document in the medical record
• Compliance actively monitors access to patient records
  o Random Audits
  o Patients of Media Interest
  o Patients with Privacy Alerts
Smartphone Configuration
• If you use your smartphone to conduct UW business, such as accessing your UW e-mail, it must have:
  o Pass code or PIN
  o Automatic lock w/pass code or PIN
  o Tamper Wipe – phone wiped after 10 pass code or PIN attempts
  o Back-up – not to the cloud
  o Encryption
• http://ciso.washington.edu/resources/riskadvisories/smartphone-configuration/
• http://security.uwmedicine.org/guidance/policy/electronic_data
Other Resources
Office of the Chief Information Security Officer
• http://ciso.washington.edu/resources/onlinetraining/
• http://ciso.washington.edu/resources/smartcomputing/
• http://ciso.washington.edu/
Questions?