
PRIVACY AND SECURITY WEEK
APRIL 11TH – 15TH, 2005
PRIVACY AND SECURITY IS GOOD MEDICINE!!!

Presented by several members of the HIPAA Program Management Office: Phil Edge, Kim Len, Grace Upleger
Source: http://www.ahima.org/hipsweek

Images in this presentation make use of the US National Security Agency’s collection of security awareness posters, the US Centers for Disease Control Public Health Image Library, and the University of Miami Ethics Program Digital Image Repository. All images are in the public domain.

VUMC is committed to protecting patients’ information.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

The purpose of the HIPAA Privacy rule is to give patients more control over how we can use and share their protected health information (PHI). This covers information in any form (written, verbal, or electronic).

The purpose of the HIPAA Security rule is to protect the confidentiality, integrity and availability of electronic protected health information (EPHI).

Facets of HIPAA include Privacy (in effect 4-14-03); Transactions and Code Sets/Identifiers (in effect 10-16-03); and Security, slated to go into effect 4-20-05.
When Can We Release PHI?

• Treatment (e.g., referring MDs, family members)
• Payment (insurance companies or other 3rd parties)
• Administrative Functions (QI, financial analysis)
• Educational or Training Activities
• Other exceptions that require the patient’s authorization

Always follow the Minimum Necessary rule.
How Can We Release PHI?

• Telephone: be sure you know who is calling.
  – Suggested verification protocols:
    • Ask the caller to provide unique patient identifiers such as middle name, birth date, or address.
    • Check that the patient has opted into the Directory and is not a “No Info” patient (Medipac and Wiz).

Where to find whether a patient is registered as a “No Info” patient:
  – After pulling up the patient’s record in Medipac and selecting the current visit, choose “All Records”.
  – In the lower right-hand corner of the screen you will see a field called “Confident Lvl”. A letter “I” in this field indicates the patient is a “No Info” patient. A letter “G” in this field indicates they are a “General Info” patient.
How Can We Release PHI?

• Call the caller back at a place of business or a known phone number.
• Check the passcode or name on the communication list.
  – Form MC3166: Communications with Family or Others Involved in Your Care
• You can use professional judgment to determine what is in the best interest of the patient.
How Can We Release PHI?

• Faxing
  – Call ahead before faxing.
  – Make sure you enter the correct number.
  – Always use a cover sheet.
  (VUMC Operations Policy 10-40.12: “Faxing Protected Health Information”)
How Can We Release PHI?

• Leaving Messages on an Answering Machine
  – Appointment reminder messages: we recommend leaving the patient’s name, the physician’s name, and the date/time of the appointment. No information related to the patient’s condition should be left.
  – Requesting that the patient call about clinical information (e.g. test results, instructions): the message should only confirm that it is from VUMC and leave a name and a callback number.
  – Urgent matters: staff can use professional judgment to leave a more detailed message or to leave a message with a family member.
Sanctions for Privacy & Information Security Violations
Level 1 Violation: Negligent Act (Carelessness)

Examples
– Failure to properly sign off a workstation or secure a computer.
– Emailing/faxing a file that includes PHI or other confidential information to the wrong person.
– Not properly verifying individuals by phone, in person, or in writing before releasing PHI or other confidential information.

Disciplinary/Corrective Action
– Verbal Warning
Self-Reporting Accidental Acts – NEW Requirement

Self-reported Accidental Act
– Defined as “an unintentional or unexpected reportable event that results in spite of the individual’s efforts to follow established procedure”. (Example: selecting the wrong patient from a list of names in StarPanel.)

Must be reported to one of the following:
– Privacy Office
– VUMC Help Desk
– Compliance Reporting Line
– Your manager, who will report it to one of the above.

Failure to self-report an accidental breach is considered a negligent act.

Repeated incidents of Self-Reported Accidental Acts may result in a Level 2 violation.
Sanctions for Privacy & Information Security Violations
Level 2 Violation: Negligent Act (Not following procedure)

Examples
– Releasing information to a caller about a patient who is designated as No Information status.
– Failure to account for disclosures within the VUMC Disclosure Tracking system.

Disciplinary/Corrective Action
– Written Warning
Sanctions for Privacy & Information Security Violations
Level 3 Violation: Purposeful Act (Curiosity or Concern)

Examples
– Sharing your ID/password with another coworker or using another person’s ID/password. (Was a Level 2 violation!)
– Accessing or connecting to VUMC information systems (e.g. computers, servers, routers, switches) without authorization.
– Accessing and reviewing the record of a patient out of concern or curiosity without written authorization.

Disciplinary/Corrective Action
– Final PIC (6 months probation)
Sanctions for Privacy & Information Security Violations
Level 4 Violation: Purposeful Act (Blatant Misuse)

Examples
– Accessing a patient record to use information in a personal relationship.
– Compiling a mailing list for personal use or to be sold.
– Tampering with or unauthorized destruction of information.

Disciplinary/Corrective Action
– Termination
What does HIPAA Security mean for you?

• Keeping the integrity and confidentiality of EPHI
• Having EPHI available when needed
What is EPHI?

EPHI includes all individually identifiable health information related to our patients or research subjects that is created, maintained, or transmitted electronically by VUMC.

We have created a number of policies and more are coming each week.

To see the current HIPAA policies, please visit our website at: http://www.mc.vanderbilt.edu/HIPAA

VUMC wants to know if a Privacy or Security incident has occurred

Examples of incidents include:
• A laptop or other mobile device that contains sensitive data is lost or stolen
• An email or fax containing EPHI is sent to the wrong individual/entity
• Belief that a password or token has been compromised
• A lost data center badge or any lost identifiable access peripheral (a closet key, for example) that enables an individual to gain entry to a computer system/network that contains EPHI
• Staff/Faculty looking at another person’s confidential data without cause
• Other

Computer incidents may include:
– Unusually slow processing
– Unusual messages on the display
– Characters or text mysteriously appearing (or disappearing) in documents or other files
– Unusual system activity, like the CD drawer opening and closing
– System crashes

Vanderbilt takes these incidents seriously and wants to know when they occur.

HIPAA REQUIRES us to document all Privacy and Security incidents.

Please call the Help Desk (3HELP) or the Privacy Office (936-3594) if you suspect there has been a Privacy or Security incident.
PASSWORDS

HIPAA mandates unique identification of users. That means you MUST have individualized access for all computer systems that contain EPHI.

Remember: the longer the password, the better, as long as you can remember it.

Passwords should include numbers and special characters when possible.

Someone you care about -- even you -- may have health information stored here. Keep it confidential!

If you are using a computer and need to step away:
– Log off OR lock your computer.

Enable a screen saver with a password on your system.
Safeguarding Availability

We have created policy to communicate the requirements for business continuity in the event of any disaster, including computer malfunction, so workflow and patient care can continue.

If you manage a computer system, please be versed in this policy, which describes the HIPAA and VUMC requirements for:
– Disaster Recovery (DR), contingency plans, data backup plans, test plans and other principles
Transmission of EPHI

Whenever possible, use encryption to transmit EPHI between Vanderbilt and any outside entity.

DO NOT transmit EPHI to entities outside of Vanderbilt through FTP or Telnet (both send credentials and data unencrypted), unless approved by the HIPAA Team.
Email

EMAIL helps us get business done at VUMC. It is a great facilitator but does have risks.

Do NOT open an attachment that you are not expecting, even if it is from someone you know (until confirming by voice or email that this person truly sent the attachment).

Be aware of any emails which might appear to be using “social engineering” or “phishing” to get you to open an attachment (e.g. promises of money, pornography, etc.).

EMAIL is not like a letter …. but a postcard.
– Avoid sending EPHI in emails going outside the VUMC mail system.
– Limit the amount of patient information incorporated into internal emails to the minimum necessary.
– Do not automatically forward email to an outside or external email destination.
Buying an IT System

VUMC and HIPAA require certain documents when entering into a relationship with a vendor who will, or can potentially, view patient information.

All computer applications or services that are purchased that will contain patient information and will be accessed, at some point, by the vendor need a:
– Contract
– Business Associate Agreement (BAA)

New systems need to adhere to new HIPAA standards. Check the IT Procurement link on the VUMC HIPAA website at http://www.mc.vanderbilt.edu/HIPAA for HIPAA and IT architecture requirements.
Acquiring a transcription service

We have developed a new policy that requires departments to use only approved transcription vendors, due to HIPAA and contractual concerns. We will be contacting departments if we do not have adequate documentation for the company you are using.

ALL approved vendors will have a:
– Contract
– Business Associate Agreement (BAA)
– Approved HIPAA Security Survey completed
– Verification that they meet the Transcription Standards
Accountability
• All systems and media that contain EPHI should be inventoried.
• A proper record of their location should also be maintained.

Monitoring and Audit Trails
• All systems that contain EPHI should log system access and activity.
• The HIPAA Team will work with departments that cannot currently meet this requirement to develop plans for compliance.

Disposal and Re-Use
• All media, including hard drives, that contain EPHI should have the data on them completely and permanently erased before disposal or reuse.
• Deleting a file on a computer does not permanently remove it.
• Other measures such as overwriting, degaussing or physical destruction should be used.

We want your computer to be in a safe work environment.
• All computer systems containing EPHI should be secured.
• Physical access to systems that contain EPHI should be limited whenever possible.

And we want your portable and home devices to be safe

• Use a Virtual Private Network (VPN).
• Utilize the desktop anti-virus software (available to all Vanderbilt employees; see the NCS website).
• Use strong passwords and password-protected screensavers.
• Avoid storing EPHI on portable computers and devices.
• Physically safeguard your portable device. Call VUPD immediately if it is lost or stolen.
For more information, or to report an incident, contact the following:
Privacy Office at 936-3594
or
The Help Desk at 3-HELP

THANK YOU!!!!!
QUESTIONS?