UConn Health Privacy and Security Training
Office of Audit, Compliance and Ethics
Information Technology Security
Welcome to Privacy and Security training.
This training is required as part of the UConn Health Compliance Program education.
All members of the UConn Health workforce are obligated to ensure the privacy and
security of confidential information with which they may come in contact. This
training will assist you to be aware of important privacy and security principles as
well as UConn Health policies and procedures.
Refer to the policy links throughout the training for more detailed information.
UConn Health has a responsibility to protect all types of confidential information
related to:
Patients
Research participants
Students
Employees
Social Security numbers, credit card numbers, and other financial data
Systems IDs and passwords
Institutional data and processes
Unless you have a “need to know” specific confidential information to carry out
your UConn Health responsibilities, please do not access, look at, use or share
any confidential information.
Please review the Confidentiality policy.
I will respect the privacy of my patients, for
their problems are not disclosed to me that
the world may know.
Excerpt from the Hippocratic Oath
HIPAA stands for: Health Insurance Portability and Accountability Act
The Privacy Rule:
established national standards for the protection of all forms of health information
created by “covered entities”, including health care providers.
set limits on the uses and disclosures of such information.
gave patients rights over their health records.
The Security Rule:
established national standards for the security of electronic health information (ePHI)
to protect individual ePHI created, received, used or maintained by covered entities.
outlined administrative, technical and physical procedures to ensure the
confidentiality, integrity and availability of ePHI.
HITECH stands for:
Health Information Technology for Economic and Clinical Health Act
HITECH resulted in significant changes to HIPAA Privacy and Security.
Widened the scope of privacy and security protections under HIPAA.
Includes health care information technology incentives such as:
creating a national health care infrastructure.
adopting an electronic health record (EHR) system.
Electronic data transmission is a double-edged sword. Advances in technology
also increase the vulnerability of personal information. Confidential information
is only as safe as our weakest link.
In addition to HIPAA, there are specific federal and state laws that govern the
confidentiality of mental health, substance abuse, and HIV information as well
as information related to minors.
The stricter law always applies.
Consider additional regulations that may apply to a particular situation and seek
guidance as needed.
Individually Identifiable Health Information:
Health, demographic and financial information relating to an individual’s past,
present or future physical or mental health condition or payment for health care that
identifies the individual or can reasonably be used to identify the individual.
Protected Health Information:
Individually Identifiable Health Information (including genetic information and family
history) that is maintained or transmitted in any form (written text, photos,
recordings, images, slides etc.) in any medium (verbal, paper, electronic and others).
Electronic PHI (ePHI) may be stored on computers, storage devices, or in UConn
Health patient information systems such as IDX, LCR, eHIMS, NextGen and
Pulsecheck.
De-identified Information:
Health information that does not in any way identify an individual and for which there is
no reasonable belief that the information can be used to identify the individual.
De-identified information is not considered PHI and, therefore, is not protected under
the HIPAA Privacy rule.
Refer to policy: Creation, Use and Disclosure of De-identified PHI
Access:
To obtain, examine or retrieve data.
Use:
Sharing, employment, application, utilization, examination, or analysis of
Individually Identifiable Health information within UConn Health.
Disclosure:
Release, transfer, providing access to, or divulging in any other manner
information outside of UConn Health.
Minimum Necessary:
The least amount of PHI needed to accomplish the intended use or
disclosure.
Refer to policy: Privacy Definitions
Obvious:
Name
Addresses including email/internet
Zip Code
Phone and fax numbers
Social security number
Medical record number
License numbers
Account numbers e.g. bank, retirement and credit card
Fingerprints
Full or partial photo that could identify an individual
Less obvious:
Vehicle identifiers e.g. license plates/serial numbers
Dates including birth, death, admission and discharge
URL and IP address
Device identifiers and serial numbers
Codes that are related to the individual or can be translated into identifiable information
Any other unique number or characteristic
With respect to their PHI, patients under our care are entitled to:
information about their rights under HIPAA and how their PHI will be used or disclosed.
protection of the privacy and security of their health information.
access to their health information.
request corrections of information in their records.
restrict certain disclosures of their information.
notification if the privacy or security of their information is compromised.
Privacy should be seen as important as other aspects of patient care.
Respect for patient privacy goes hand in hand with respect for that individual’s dignity
and significantly contributes to overall patient satisfaction.
Patient feedback, both solicited and spontaneous, underscores how important
privacy is to the overall patient experience.
Assure patients and demonstrate in your care that their privacy is important.
Respond to patients’ privacy questions and concerns.
Patient complaints related to the privacy or security of their PHI should be
referred to the UConn Health Patient Relations Department or to the Privacy or
Security offices.
Patients may also elect to file a complaint with the U.S. Department of Health
and Human Services, Office for Civil Rights.
Refer to policy: Patient Complaint Regarding Use and Disclosure of PHI
The Notice of Privacy Practices explaining patients’ rights under HIPAA is provided:
to all new UConn Health patients (except Correctional Managed Health Care) as part of the
Consent to Treatment process.
at the time of each inpatient admission.
at each encounter in the Farmington Surgery Center, Procedure Center, Same Day Surgery,
and Emergency Department.
annually to outpatients.
Ensure the patient’s permission to communicate and any requests to restrict disclosure of
PHI to health insurers or to be excluded from appointment reminders are addressed.
If another individual signs the consent on behalf of the patient, verify that person’s identity,
his or her relationship to the patient (e.g. parent, guardian, authorized representative) and
that the person has proper authorization to access the patient’s record.
Only the individual whose email address is noted on the consent form will have access to the
medical record via the patient portal.
Patients or their authorized representatives have the right to view their own
records upon written request using approved forms.
Requests to view are first reviewed with the patient’s attending physician or
appropriate UConn Health representative.
A written response is provided to the patient for any request denial.
Copies of all such documentation are maintained in the patient’s record.
Refer to policy:
Patient Right to View His/Her Medical/Dental/Research and/or Billing Record
Most requests for patient records should be referred to the Health Information
Management (HIM) Release of Information department.
If information is needed immediately and the treating provider approves, clinical areas
may provide to the patient copies of documents such as labs, diagnostic results and
clinical notes related only to the care in that department.
Information that may not be released:
Psychotherapy notes (separate from the clinical record).
Patient information from research labs that are exempt from Clinical Laboratory
Improvement Amendment (CLIA) requirements.
Information for use in pending litigation.
Refer to policy:
Patient Right to Request Copies of His/Her Medical/Dental/Research and/or Billing Record
Patients can request amendments to the information in their medical record at any time
during or after treatment.
All amendment requests must be acted upon promptly but no later than 60 days after
the request is made.
For guidance and assistance with amendment requests for:
Medical/Dental records: contact Health Information Management (HIM)
Research records: contact HIM or the study’s Principal Investigator
Billing records: contact Patient Services
Refer to policy:
Patient Right to Amend His/Her Medical/Dental/Research and/or Billing Record
UConn Health must honor all patient requests:
to receive communications of PHI from UConn Health by alternative means or at
alternative locations.
to restrict certain disclosures of PHI to health plans if specific criteria are met.
Patients may also choose to be excluded from automated, verbal or written
appointment reminders.
Refer to policies:
Patient Right to Request Confidential Communications
Patient Right to Request Restrictions on Use And Disclosure of Protected Health Information
“Disclosure Tracking Logs” must be completed when PHI is released outside of
UConn Health for reasons unrelated to treatment, payment or operations and
about which the patient is unaware (e.g. to regulatory agencies, for judicial
proceedings, to medical examiners, for research purposes or to report abuse,
neglect and domestic violence).
Unauthorized disclosures that result in privacy incidents must also be
documented on the tracking log.
Refer to policy:
Accounting of Disclosures of Protected Health Information to Patients
Patient authorization to access, use or share their PHI is needed unless:
the purpose is related to treatment, payment for treatment, or “healthcare operations” such as
quality improvement, training, performance evaluations, audits; or
is required by law.
A valid authorization must include specific information to ensure the patient or representative
understands what PHI is involved, who is requesting PHI, the purpose of the request and the
right to revoke an authorization.
Authorizations intended for more than one purpose can be combined only under certain
circumstances.
Regardless of the need for patient authorization, PHI accessed, used or shared for any
purpose other than treatment, should be kept to the “minimum necessary” information required
to accomplish the pertinent task.
Refer to policies:
Authorization for Release of Information
Minimum Necessary Data
Avoiding Verbal Violations
The Privacy Rule is not intended to interfere with necessary patient care
communications. However, exercise appropriate discretion.
HIPAA recognizes that “incidental disclosures” may be unavoidable at times as
long as safeguards are in place to minimize such disclosures.
Be sensitive to your surroundings and who may be able to overhear you.
Discuss PHI in a private area if possible.
Lower your voice in open areas.
Avoid discussions in public areas such as elevators, cafeterias or near waiting rooms.
To communicate with family and friends, follow the policies that apply to your area of
practice:
Inpatient
Outpatient
Outpatient Psychiatry
Dental
The “Permission to Communicate” form allows only disclosures necessary to assist
the patient with care needs.
If others are present during a discussion with a patient, ask for the patient’s
permission to share PHI with those present. Do not assume it’s OK to discuss
specific patient information just because a family member or friend is with the patient
or has “Permission to Communicate.”
If obtaining permission is truly impossible, share only what you believe to be in the
patient’s best interest.
When calling a patient:
use the phone number designated by the patient — remember, it may be an alternate
number.
confirm that you are speaking with the patient or someone who has permission to
communicate about the patient.
do not leave PHI on answering machines or with individuals not authorized by the
patient.
When calling a patient and leaving a message, provide your name, state that you are calling
from UConn Health, say who the message is intended for, and ask that the individual return
your call.
When calling with an appointment reminder, include only date, time and location on
answering machines: no PHI or other details.
Refer to policy: Telephone/Voicemail/Answering Machine Disclosure of PHI
When a patient or other individual calls:
Follow appropriate procedures to verify the caller’s identity. Ask open ended
verification questions such as “Can you please verify your address?” rather than “Is
your address still….?”
If an individual’s identity and/or legal authority cannot be verified, do not disclose any
PHI and report the request to your supervisor or a department manager.
Forward all John Dempsey Hospital patient inquiry calls to the Information Desk or
telephone operators.
Forward media requests for patient information to the Office of Communications.
Refer to policies:
Directory Information: Disclosure of a Patient’s Information
Verification of Individuals or Entities Requesting Disclosure of Protected Health Information
Media Relations
Paper Perils
Do not leave documents unattended in offices or on unit desks/counters, printers, or fax
machines.
Avoid carrying documents with PHI or use secure options such as encrypted thumb drives.
If you must carry papers, keep track of them, double check that you have all documents when you
leave an area and shred them as soon as they are no longer needed.
Do not remove records from any building; only personnel authorized to transport records,
such as courier services, may do so.
Do not transport paper records in personal vehicles, remove records from UConn Health
or personally carry them from one building to another.
If a record is needed urgently for patient care, obtain Health Information Management’s (HIM)
permission to transport records personally between UConn Health locations in the same building.
Follow the steps in the policy and recommended by OCR:
Handling Paper Communications About Patients including PHI
Be particularly careful to:
Check and initial each page before mailing or handing documents with PHI. The
greatest risk exists when pages are not checked.
Use two forms of identification when preparing and when handing documents to a
recipient.
Incorporate JDH’s “Safety Absolute” principles: Verify before taking action with
patient information.
Be extra cautious with shared printers and guard against inadvertently picking
up papers that can be mistakenly included with other documents.
PHI faxed in error to a care provider or healthcare entity generally carries a low risk.
Faxes misdirected to locations that are not bound by HIPAA privacy rules may carry a much
higher risk.
Follow the Faxing of PHI policy which includes specific OCR recommendations.
Confirm the accuracy of a fax number.
Use UConn Health-approved cover sheets for all faxes—external and internal.
Dial “9” and then the number when faxing outside of UConn Health.
Collect papers when you leave a fax machine.
Include the full name and spelling as well as location of each recipient when dictating a note
or discharge summary that will be faxed to care providers.
Store PHI only in secure cabinets or offices and lock them, especially when you
leave the area.
Dispose of PHI only in locked shredder bins. Documents with PHI must be
rendered undecipherable.
Never discard PHI in wastebaskets or recycling bins for convenience or because a
shredder bin is full.
Unsecured PHI or intact/partially shredded documents that end up in dumpsters
or landfills are at risk for privacy breaches and identity theft.
Refer to policy:
Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of
Equipment and Electronic Media Containing Electronic Protected Health Information.
Patient data in photographs, radiology images, pathology slides, physiological
tracings, and audio/video recordings are all forms of PHI.
Each form carries privacy risks and may require patient authorization to use or
disclose.
The same diligence and care must be exercised when accessing, using or
disclosing non-textual PHI.
Certain patient care areas are now equipped with video monitoring equipment
designed for educational and other purposes.
Carefully consider privacy and patient dignity when video monitoring is used.
Refer to policy: Visual, Audio or Recording of Patient Data Obtained Through Any Medium
Eluding Electronic Errors
Electronic resources are university property and are to be used for UConn Health business
purposes only.
Access confidential electronic data only for valid business purposes.
There is no expectation of privacy. All data stored on UConn Health systems is discoverable
under certain circumstances.
Credit card numbers may never be collected, transmitted, or stored on UConn Health’s
computing devices and networks.
If you are no longer employed by UConn Health, you may not remove any data from UConn
Health without Privacy and Security Office approval.
Please review policies:
Information Technology Computer/Electronic Resource Use Policy
UCHC Information Security: Acceptable Use
Every system user must have and protect his or her unique login information.
Do not share passwords with any other person or allow anyone to access electronic systems
using your login information.
Using electronic resources under another person’s logon credentials creates risk for you and the
other individual and may result in sanctions.
UConn Health Information Technology will never ask for your password in email. An email asking
you to reply with your user credentials should be deleted without response.
Always log off whenever you step away from a computer on which you have been working.
You will be held responsible for electronic accesses or any activity conducted under your login.
Refer to policy: UCHC Information Security: Systems Access Control
Do not “surf” the census.
Do not look up family, friends, other employees, students, anyone you supervise or who
supervises you, or anyone else, even if they ask you to do so.
Do not schedule appointments as a favor to family and friends.
Do not look at information out of curiosity including high profile individuals or
patients associated with newsworthy events.
Do not print clinical information.
Do not check billing or other financial information.
Do not share information with others that do not have a need to know.
Unless you need to access, use or disclose PHI to carry out an assigned job
responsibility, don’t do it.
Before you click on, open, use or disclose any information ask yourself “Do I
need this PHI to complete an assigned work-related task?”
If the answer is “yes”, it is likely OK to access, use or share the PHI.
If the answer is “no”, don’t do it.
If you’re wondering whether or not it is appropriate to access PHI, stop and
check with your supervisor or the Privacy Office.
Confidential data may be stored on UConn Health or non-UConn Health mobile computing devices (MCDs) only if:
the device is encrypted by UConn Health Information Technology.
data is protected from unauthorized access and disclosure.
the minimum necessary information for a particular function is stored and only for as long as
needed to perform that function.
If a device is used to access any type of confidential UConn Health data, Information
Technology must ensure that proper security controls are installed.
As long as certain requirements are met, users may work with IT to access UConn Health’s
electronic information via their personally owned MCDs.
Personally-owned MCDs must be registered and secured at the BYOD website.
Always safeguard devices from loss or theft.
If you are no longer working at UConn Health, institutional data, UConn Health email and
WiFi settings must be completely deleted from the MCD.
Refer to policy: Mobile Computing Device (MCD) Security
UConn Health email accounts are to be used only for business purposes.
Emails sent outside of the UConn Health network that contain confidential information or
PHI must be sent securely.
Do not email confidential information or PHI to non-secure sites such as your home email
address.
Carefully check email recipients before hitting “Send” to be sure you are including the
correct individual(s).
Don’t hit “Reply to All” unless you really mean to reply to all.
Use extra care when choosing names from the address book, regarding persons with similar
names or when recipient names auto-populate in the “To” or “cc” lines.
Communicate only with individuals that have a need to know and are properly authorized to
receive confidential information, including PHI.
When sending confidential information to a UConn Health group, choose the correct
distribution list.
To send an email securely, either click the secure icon in the upper left-hand corner of the
email message screen or type [secure] (brackets and the word) in the email subject line or body.
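The rule above (PHI leaving the UConn Health network must be sent securely, signalled by the [secure] tag in the subject or body) can be expressed as an outbound-mail check. This is an added example, not UConn Health's own tooling; the internal domain "uchc.example", the identifier patterns and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: stand-in for the real UConn Health email domain(s).
INTERNAL_DOMAINS = {"uchc.example"}

# The page's convention: "[secure]" (brackets and the word) in the subject or body.
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)

# Constructed detectors for a few of the identifiers the page lists as PHI elements.
# Deliberately simple illustrations, not a complete PHI classifier.
PHI_PATTERNS = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medical record number": re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "date of birth": re.compile(
        r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE
    ),
}


@dataclass
class Verdict:
    external_recipients: list
    identifiers_found: list
    tagged_secure: bool

    def must_block(self) -> bool:
        """Block only the combination the page forbids: PHI leaving the network unsecured."""
        return (
            bool(self.external_recipients)
            and bool(self.identifiers_found)
            and not self.tagged_secure
        )

    def reason(self) -> str:
        if not self.external_recipients:
            return "internal only"
        if not self.identifiers_found:
            return "no identifiers detected"
        if self.tagged_secure:
            return "tagged [secure]"
        return "PHI to external recipient without [secure] tag"


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours (leaves the UConn Health network)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def find_identifiers(text: str) -> list:
    """Name each identifier class present, in a stable order, without echoing the values."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)]


def check_message(recipients, subject: str, body: str) -> Verdict:
    """Evaluate one outbound message against the page's secure-email rule."""
    return Verdict(
        external_recipients=[r for r in recipients if is_external(r)],
        identifiers_found=find_identifiers(subject + "\n" + body),
        tagged_secure=bool(SECURE_TAG.search(subject) or SECURE_TAG.search(body)),
    )


# Constructed sample messages (fictitious addresses and numbers).
SAMPLES = {
    "internal_referral": (["nurse@uchc.example"], "Follow-up",
                          "MRN 0012345, DOB 01/02/1960, needs labs."),
    "external_untagged": (["billing@payer.example"], "Claim",
                          "Patient SSN 123-45-6789 attached."),
    "external_tagged":   (["billing@payer.example"], "[secure] Claim",
                          "Patient SSN 123-45-6789 attached."),
    "external_no_phi":   (["vendor@payer.example"], "Meeting",
                          "Can we move Tuesday to 3pm?"),
}


def run_samples() -> dict:
    """Map each sample name to whether the check would block it."""
    return {name: check_message(*msg).must_block() for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = check_message(*msg)
        print(f"{name:18s} block={str(verdict.must_block()):5s} {verdict.reason()}")
```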
Email spam is annoying at best and may pose extreme risk to users and to UConn Health.
Phishing scams, a form of cybercrime, involve conning users by acting as legitimate
organizations to obtain personal information such as passwords and login credentials.
Ransomware is malicious software, usually loaded by clicking on links or attachments, that
is designed to block access to a computer system until a ransom is paid.
Healthcare has been specifically targeted by attackers and is especially vulnerable, as
ransomware can block access to electronic patient records, which jeopardizes patient care and
the confidentiality of patient information.
Never click on unsolicited links or email attachments without verifying the authenticity of
the sender or message.
Contact the IT Help Desk at 860-679-4400 or [email protected] if you have any doubts.
Text messages sent without proper software are not secure.
Do not text confidential information unless a UConn Health
approved secure text application has been installed and activated.
Secure texting applications ensure that encrypted messages are
transmitted from a secure server and prevent cell phone networks
from keeping a copy of the message.
Information related to your UConn Health work should never be
shared on social media sites. Patient information may be identifiable
even when minimal information is posted.
All UConn Health information, especially PHI, must be scrubbed from electronic
devices by the Office of Logistics Management (OLM) before any electronic storage
media/devices are removed from a department.
When planning disposal, store computers/laptops or other devices in a locked,
secure area. Do not leave equipment in hallways or other unlocked areas.
Refer to policy:
Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of
Equipment and Electronic Media Containing Electronic Protected Health Information.
UConn Health’s new electronic medical record (EMR) is under development and
scheduled to go live in April 2018.
The EMR will replace many existing electronic systems and consolidate patient
information into a single record.
If you have questions or ideas related to patient confidentiality and the new
EMR, discuss with your manager or department UConn HealthONE
representative.
Other Privacy Pointers
Whenever possible, eliminate or limit use of social security numbers as part of
department processes and use other unique identifiers, if allowed.
When social security numbers are required, handle with the utmost care and
follow proper procedures to protect numbers from unauthorized access or
disclosure.
Hide or remove social security numbers from communications unless specifically
needed by recipients.
Under no circumstances should credit card account numbers be collected, stored
or transmitted on UConn Health devices or networks.
Credit card information may not be sent via email for any reason.
PHI in any form may be used or disclosed for research purposes provided there is a
valid participant authorization.
Research authorizations must be written in plain language and clearly articulate how
participants’ PHI will be used and with whom it will be shared.
An authorization is not required under certain circumstances as approved by the
Institutional Review Board (IRB).
When using or disclosing information as a limited data set, an appropriate data use
agreement must be in place.
A Limited Data Set must remove direct identifiers associated with PHI but may include
other potentially identifying information.
PHI that is accessed, used or disclosed without proper authorization or outside of the
parameters outlined in the IRB protocol must be evaluated as potential breaches.
Report privacy incidents immediately to the Privacy Office and to the IRB.
Refer to policy:
Use and Disclosure of Protected Health Information for Research Purposes
If using PHI for education within UConn Health or with UConn Health students,
residents and fellows:
No patient authorization is needed but access only the PHI necessary to meet the
educational goal.
For meetings, lectures, conferences outside of UConn Health or with nonaffiliated practitioners:
information must be de-identified or
patients must give authorization.
Refer to policy: Use of Protected Health Information in Education
Business Associates (BAs) are entities that may create, receive, maintain, or transmit PHI
on behalf of UConn Health, including data transmission services or storage firms that have
access to PHI even though they may not actually view the PHI.
Appropriate Business Associate Agreements (BAAs) must be implemented to outline the
respective responsibilities of UConn Health and the BA.
BAs must comply with the HIPAA Privacy and Security Rules and are directly liable for their
actions, but UConn Health may also be held liable for the actions of its BAs.
Refer to policy: Business Associate Contracts
Marketing is communication that encourages individuals to use a particular product
or service.
Specific HIPAA Privacy rules apply to marketing situations.
Written authorization is needed when disclosing PHI related to marketing except for:
face to face communications.
nominal promotional gifts provided by UConn Health.
Patients must be informed as part of the authorization when marketing involves
financial compensation from a third party. For instance:
Patient permission is required for communications about new equipment if a
manufacturer pays UConn Health to send the information.
But, no authorization is required to announce the opening of a new building even if
building funds are donated by a third party, since the payment is not in exchange for
the announcement.
Contact the Privacy Office for guidance.
Refer to policy: HIPAA Marketing Compliance
UConn Health fundraising efforts must be coordinated through the UConn Foundation.
Only certain patient information may be shared with the Foundation.
Patients may opt out of fundraising communications:
The Notice of Privacy Practices includes the choice for opt out.
Treatment cannot be conditioned based on an individual’s choice to opt out.
UConn Health may send newsletters, brochures and other educational or event
notices to patients even if they have opted out of fundraising communications.
Refer to policy: HIPAA Fundraising Compliance
Managing Privacy and Security Incidents
Gather as many details as possible and immediately notify your supervisor and the
appropriate office:
Privacy Office: 860-679-4180 or [email protected]
Information Technology: 860-679-3528 or [email protected]
Institutional Review Board (IRB) for research incidents.
REPORTLINE: 1-888-685-2637 (to remain completely anonymous).
A “breach” is an impermissible use or disclosure of PHI that compromises the security or
privacy of that information.
The HIPAA rules require an evaluation of the following factors to determine the risk of
compromise to any PHI:
The types of PHI involved.
The unauthorized person(s) who accessed or used the PHI or to whom the PHI was disclosed.
Whether the PHI was acquired/viewed.
Mitigation efforts to reduce the risk.
Other pertinent factors.
Be aware of the “red flags” that signal possible ID theft such as:
notifications or warnings from a Consumer Reporting Agency.
suspicious documents that appear to be forged or altered.
inconsistent personal identifying information such as address and phone number.
an individual’s inability to provide any other identity authentication such as answers to
challenge questions.
suspicious, unusual or unexpected changes in account activity.
When admitting inpatients or checking in outpatients, take the time needed
to verify identification.
Trust your gut. If something doesn’t seem right, seek guidance.
Contact the Compliance Office with questions or concerns related to any
type of known or suspected identity theft.
Refer to the University of Connecticut Identity Theft Prevention Program
Synthetic identity theft often includes a combination of real and fake credentials
that are used to create new, “synthetic” identities.
Identity thieves need only a minimal amount of information to “synthesize” an
identification.
Since only parts of an individual’s actual information are used in combination with
other individuals’ or fictitious information, the discrepancy may be seen as a “typo” or an
innocent information error.
Extra vigilance is needed to ensure subtle discrepancies are not overlooked.
The Privacy and Security Offices proactively monitor access and use of confidential
information.
Individual electronic accesses to patient information systems are reviewed randomly
and when improper activity is suspected.
You may be notified and asked to justify your electronic accesses evaluated as part of a
routine monitor.
Privacy and Security “walk rounds” are conducted to educate, assist with questions
and address specific concerns.
Monitoring alone can’t eliminate risk. If you see, hear, experience, suspect or know of
a problem, say something.
Always wear your ID badge, particularly in patient care or other areas where
confidential information is located.
Progressive discipline, up to and including termination, will be pursued for individuals
responsible for inappropriate access, use or disclosure of PHI or other types of
privacy/security incidents.
Wrongful and purposeful disclosure of protected health information carries fines and
can result in incarceration.
Refer to policy:
Sanctions Policy for Privacy and Security Violations for Faculty and Staff
Privacy Office
IT Security Office
HIPAA Privacy Policies
HIPAA Security Policies
Iris Mauriello, Privacy Officer
860-679-3501 [email protected]
Denise Purington, Interim Chief Information Officer
860-679-6232 [email protected]
Peg DeMeo, Associate Compliance Officer
860-679-1226 [email protected]
Tara Rousseau, Executive Assistant
860-679-4255 [email protected]
Ginny Pack, Associate Compliance Officer
860-679-1280 [email protected]
Privacy Office email:
[email protected]
REPORTLINE: 1-888-685-2637
and require a strong commitment and team effort!!
Please review the following questions and answers
Debbie, a UConn Health nurse caring for a patient on a medical unit, approaches
the patient to obtain additional information regarding her past medical and mental
health history. The patient’s family member, who the nurse knows has “permission
to communicate”, is visiting. Since the family member has been given permission to
communicate, it is OK for Debbie to discuss all PHI pertaining to the patient in the
presence of her family member.
True
False
The correct answer is false.
Patients may provide “permission to communicate” with certain family members or others
which allows care providers to share patient information only to the degree necessary and
appropriate to assist the patient with their care needs. However, bedside or exam room
conversations may exceed this threshold.
When family members or companions are present, be sure to speak directly to the patient.
It may be appropriate to ask the family member to step out of the room so you can speak
with the patient privately and give the patient the opportunity to agree or object before
the family member is present for the discussion.
If the patient freely approves of a family member’s presence during the discussion, then
you have fulfilled the obligation of giving the patient the opportunity to agree or object to
this disclosure of patient information.
Refer to policy: Use and Disclosure Involving Family and Friends
Following an outpatient clinic appointment, the medical assistant agrees to mail a
copy of the visit note to the patient. He prints the note on a printer shared by
several staff members.
What is the most important step before mailing the document?
a. Ensure the note is printed on UConn Health letterhead.
b. Check and initial each page to ensure all pages are intended for this patient.
c. Put a stamp on the envelope.
The correct answer is “b.”
To ensure all pages are being mailed to the intended recipient, each page must be
carefully checked and initialed by the staff member preparing the document
before placing it in the envelope.
Refer to policy: Handling Paper Communications About Patients Containing PHI
UConn Health fax cover sheets are required when faxing a document to another
department within the institution.
True
False
The correct answer is “True.”
UConn Health policy Faxing of Protected Health Information requires that an
approved cover sheet be used for all faxes, whether faxing within or outside of
UConn Health.
Dr. Dodd, a UConn Health physician, prints a surgical schedule that includes patient
names, medical record numbers and handwritten notes about each procedure. He
reviews the schedule while eating lunch and inadvertently leaves the pages on a
cafeteria table.
Which of the following is most likely to reduce the risk of compromise to the PHI?
a. A visitor discovers the papers and takes them home.
b. A UConn Health workforce member finds and gathers the papers and
immediately reports the incident to the Privacy Office.
c. A passerby finds the documents and crumples them before discarding them in
the trash.
The correct answer is “b.”
Workforce members who see and retrieve unattended documents containing
confidential information and report the finding to the Privacy Office
significantly reduce the potential risk of compromise to that information.
Emails containing confidential information that are sent outside of the UConn
Health network must be sent securely to ensure they are encrypted.
True
False
The correct answer is “True.”
Emails can be sent securely by either clicking the “secure” icon or by including
[secure] in the subject line or body of the email.
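The keyword trigger described above only works when the sender remembers it; an untagged message to an outside address leaves the network in the clear. The following added example (not UConn Health's mail configuration or code) shows how an outbound gateway or DLP hop can classify a message by the same rule and flag the untagged ones that look confidential. The internal domain "health.example", the sample messages and the MRN/SSN patterns are constructed assumptions.

```python
import email
import re
from email import policy

# Added example, not UConn Health's mail configuration. Assumptions:
# the institution's mail domain is the placeholder "health.example"; the
# encryption gateway keys on a literal "[secure]" token in the subject or
# body (matched here case-insensitively); the content patterns below are
# crude, constructed indicators of confidential data.
INTERNAL_DOMAINS = {"health.example"}
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)
PHI_HINTS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),
}


def recipients(msg):
    """All To/Cc/Bcc addresses as lowercase addr-specs."""
    out = []
    for header in ("To", "Cc", "Bcc"):
        for hdr in msg.get_all(header, []):
            out.extend(a.addr_spec.lower() for a in hdr.addresses)
    return out


def external_recipients(msg):
    return [a for a in recipients(msg)
            if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]


def check_outbound(raw):
    """Classify one outbound message the way a gateway/DLP hop would.

    Returns the external recipients, whether the [secure] tag is present,
    which confidential-data indicators fired, and an action:
      internal  - no external recipient, gateway not involved
      encrypt   - external and tagged: the gateway encrypts it
      review    - external, untagged, but the content looks confidential
      allow     - external, untagged, nothing suspicious found
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    external = external_recipients(msg)
    tagged = bool(SECURE_TAG.search(subject) or SECURE_TAG.search(body))
    hints = sorted(name for name, rx in PHI_HINTS.items() if rx.search(body))

    if not external:
        action = "internal"
    elif tagged:
        action = "encrypt"
    elif hints:
        action = "review"
    else:
        action = "allow"
    return {"external": external, "tagged": tagged,
            "hints": hints, "action": action}


# Constructed sample messages.
MSG_UNTAGGED = """\
From: clinic.ma@health.example
To: patient@example.com
Subject: Your visit note

Attached is the note from today's visit. MRN: 00451234
"""

MSG_TAGGED = """\
From: clinic.ma@health.example
To: patient@example.com
Cc: records@health.example
Subject: [SECURE] Your visit note

Attached is the note from today's visit. MRN: 00451234
"""

MSG_INTERNAL = """\
From: clinic.ma@health.example
To: records@health.example
Subject: Visit note filed

Filed under MRN: 00451234, no action needed.
"""

if __name__ == "__main__":
    for name, raw in (("untagged", MSG_UNTAGGED), ("tagged", MSG_TAGGED),
                      ("internal", MSG_INTERNAL)):
        print(name, check_outbound(raw))
```

The "review" outcome is the one the policy cares about: an untagged external message carrying an MRN is exactly the case where relying on the sender alone fails. Real deployments attach the check to the gateway rather than the client, because a client-side button can be skipped and a mobile client may not offer it at all.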
Donald, a staff member caring for an Emergency Department patient, Derick, who
has suffered a fractured leg following a ski accident, recognizes that Derick is the
brother of a college buddy. After work, Donald posts a message on his Facebook
page to let other friends know about Derick’s injury.
Is this OK?
Yes
No
The correct answer is “No.”
Patient information learned in the course of one’s job responsibilities should
never be shared on social media.
Daisy, an employee in Dermatology and one of Donald’s Facebook friends,
sees his post about Derick’s injury and ED visit. Curious to learn more, Daisy
accesses Derick’s electronic medical record to see what she can find out.
Is this OK?
a. Yes, since Daisy has access to the UConn Health electronic patient
information systems as part of her professional role, she may look at all
PHI stored in any system.
b. Yes, as long as Daisy views only the minimum necessary PHI to get the
scoop.
c. No, Daisy should not access PHI or any confidential information unless it
is required for her specific job responsibilities.
The correct answer is “c.”
Only PHI or confidential information needed to carry out one’s specific work
responsibilities should be accessed.
Douglas, an Orthopedic resident, is planning an educational presentation on
the topic of compound fractures. He has a spreadsheet with the names,
medical record numbers and PHI of several orthopedic patients stored on an
unencrypted laptop. He leaves the laptop in an unlocked office and returns to
discover it missing.
What could Douglas have done to better protect the PHI?
a. Ensure the laptop is properly encrypted and lock the office before leaving.
b. Put his name and phone number on the laptop for safe return.
c. Limit the amount of PHI stored to no more than five patients.
The correct answer is “a.”
To protect confidential information stored on any mobile device, including
laptops, devices should be encrypted through Information Technology’s “Bring
Your Own Device” (BYOD) program and always placed in a secure/locked area
when unattended.
A local newspaper includes an article about a well-known state official who
was involved in a serious accident and treated at John Dempsey Hospital
(JDH).
Since it was publicized that the individual was treated at JDH, it is OK for any
UConn Health employee to access and review the patient’s medical record,
regardless of whether the employee has a work-related reason to do so.
True
False
The correct answer is “False”.
Employees should never access or use a patient record unless the
access/use is required in order to complete a specific work-related task.
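Both the Dermatology scenario and the publicized-patient scenario are caught the same way in practice: EHR access logs are compared against who actually has a reason to be in the record. The following added example (not UConn Health's audit tooling) shows that comparison over a constructed audit log. The care-team table, the list of high-profile records, the user names and the log rows are all assumptions made for illustration.

```python
import csv
import io

# Added example, not UConn Health's audit tooling. Assumptions: the EHR
# writes one audit row per record access; the care team for each patient
# (users with a treatment or operational relationship) is known; a small set
# of records is flagged for heightened review (e.g. publicized cases).
# All data below is constructed.
CARE_TEAM = {
    "P1001": {"nurse.debbie", "dr.dodd"},
    "P2002": {"dr.ortho1"},
}
HIGH_PROFILE = {"P2002"}

AUDIT_LOG = """\
timestamp,user,department,patient,action
2024-03-01T08:10:00,nurse.debbie,Medicine,P1001,view
2024-03-01T12:30:00,daisy.derm,Dermatology,P1001,view
2024-03-01T13:05:00,dr.ortho1,Orthopedics,P2002,view
2024-03-01T13:20:00,clerk.x,Billing,P2002,view
"""


def review_access(log_text, care_team, high_profile):
    """Return one finding per access that needs a human look.

    severity "investigate": the user has no relationship with the patient
    (possible snooping); "review": the user is on the care team but the
    record is high-profile, so the access is queued for routine audit.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        on_team = row["user"] in care_team.get(row["patient"], set())
        flagged = row["patient"] in high_profile
        if on_team and not flagged:
            continue  # expected access to an ordinary record
        findings.append({
            "timestamp": row["timestamp"],
            "user": row["user"],
            "patient": row["patient"],
            "severity": "investigate" if not on_team else "review",
            "reason": ("no treatment relationship" if not on_team
                       else "high-profile record"),
        })
    return findings


if __name__ == "__main__":
    for f in review_access(AUDIT_LOG, CARE_TEAM, HIGH_PROFILE):
        print(f["severity"], f["user"], f["patient"], f["reason"])
```

Two caveats for anyone building this for real: the care-team table must come from the EHR's own encounter and scheduling data rather than a hand-maintained list, and roles whose job is record-wide (coding, billing, release of information) need their own allow rules or every legitimate access they make becomes a false positive. Emergency "break-the-glass" access is usually left in the findings on purpose so the reason given is checked afterwards.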
If you know or suspect that a Privacy or Security incident has occurred, you must
report it to your supervisor and to the Privacy or Security Office:
a. Immediately.
b. Within 48 hours.
c. Within seven days.
d. Whenever it is convenient.
The correct answer is “a.”
In order to mitigate the potential risk to the PHI, Privacy or Security
incidents must be reported to your supervisor and the appropriate
office immediately upon discovery.
Thank you for completing Privacy and Security training.
Training Questions?
Contact Ginny Pack at 860-679-1280 or [email protected]
Please complete the training attestation. Return the signed
attestation to your UConn Health supervisor or manager.