Integrated Security & Confidentiality (S&C) Guidelines Across Programs: It Does Work
National Security & Confidentiality Guidelines Webinar
April 10, 2012
Dena Bensen, MPH
VA HIV Surveillance Program Director
Virginia Department of Health
Outline
1. VA program background
2. Keys to successful S&C implementation
3. S&C guidelines facilitate data sharing
4. Data sharing examples
5. Annual training importance
6. Applying the guidelines to specific program examples
7. Summary
Virginia: Integrated Programs
Agency (VDH):
Same new employee background screening
Same new employee orientation materials
Division of Disease Prevention (DDP):
Integrated HIV/STD program since the 1980s, with Hep C & TB programs added later
Sign same S&C program guidelines/policy
Same Overall Responsible Party (ORP)
(Division Director)
Keys to Successful Implementation
Have the Division/Office Director involved
Get all program partners at the same table
Conduct initial assessment
Obtain feedback from all staff, from Data Entry Tech to Program Coordinator
Is it realistic for the end users?
Regroup after initial assessment
Listen & validate concerns
Keys to Successful Implementation, cont.
Be realistic & compromise
“Let go” of the idea that your data or program is more important than other programs
Put your guidelines in writing
Revise your plan as needed
Learn from errors & unexpected situations
Add new guidance, policy & examples to manual
If it happens once, it can happen again
S&C Guidelines Facilitate Data Sharing
Written standards facilitate data sharing between programs
You will be comfortable that your data is protected
Define the uses of data sharing specific to the program & program need
PCSI (Program Collaboration and Service Integration)
Avoids duplication of limited resources (e.g., data collection)
Enhances data & program quality
Increases use of data for public health action
Data Sharing Examples
VA HIV Surveillance & DDP program staff share data based on need:
TB
- File exchange of specific data fields
STD-MIS
- HIV surveillance “read” access to STD-MIS to make the HIV case report & obtain risk factor
ADAP
- Fields for case finding & improved data completeness of race, sex, risk
Data Sharing Examples, cont.
Partner Services
- Multiple STD staff have limited “read” access to the HIV Surveillance database (eHARS) for “record searching” patients for:
  Internal use (e.g., completing Field Records)
  Local health department Disease Intervention Specialists (DIS) & Partner Services (e.g., previously reported/tested?)
Care/Ryan White
- Limited Ryan White staff have access to eHARS HIV Surveillance data for timely assessment of “in care” status
Data Sharing Examples, cont.
HIV Surveillance matches with:
Vital Records
- Requires MOA
- Describes specific variables to share
Cancer
- Requires S&C signing, data recipient agreement, & allowed uses
Data Sharing & Lessons Learned
Share only “need to know” data
Limit database access to read only
Ideally, export the required variables to a file
Create a SQL table of the specific variables rather than granting access to the entire database
Maps with small numbers? Then don’t post them on walls
Consider who comes into your office
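The three database lessons above (read-only access, a separate object holding only the shared variables, and file export instead of live access) can be put into one working least-privilege layout. The following is an added example in PostgreSQL syntax; it is not code from the presentation or from the Virginia Department of Health, and every table, column, role and file path is an assumption made for illustration. The two views stand in for the two kinds of sharing the talk describes: a de-identified extract for a program that needs demographic/risk fields, and a match-key extract for "record searching" by partner services staff.

```sql
-- Added example in PostgreSQL syntax; not code from the presentation or
-- from VDH. All table, column, role and path names are assumptions.

-- Assumed full surveillance record (a stand-in for a system such as eHARS).
CREATE TABLE hiv_surveillance (
    case_id      integer PRIMARY KEY,
    last_name    text NOT NULL,
    first_name   text NOT NULL,
    dob          date NOT NULL,
    address      text,
    sex          text,
    race         text,
    risk_factor  text,
    report_date  date NOT NULL
);

-- Constructed, fictional sample rows so the statements below have data.
INSERT INTO hiv_surveillance VALUES
    (1, 'Doe', 'Jane', DATE '1970-01-15', '1 Main St', 'F', 'B', 'HET', DATE '2011-03-02'),
    (2, 'Roe', 'John', DATE '1982-07-30', '2 Elm St',  'M', 'W', 'MSM', DATE '2011-06-18');

-- 1. "Need to know" extract for a program that works on completeness of
--    race, sex and risk: only the agreed variables, no direct identifiers.
CREATE VIEW share_demographics AS
SELECT case_id, sex, race, risk_factor, report_date
FROM hiv_surveillance;

-- 2. Separate extract for "record searching" (previously reported?):
--    match keys only, no address, no risk factor.
CREATE VIEW share_record_search AS
SELECT last_name, first_name, dob, report_date
FROM hiv_surveillance;

-- 3. One group role per sharing use, with no rights on the base table.
CREATE ROLE demographics_reader NOLOGIN;
CREATE ROLE record_search_reader NOLOGIN;

REVOKE ALL ON hiv_surveillance FROM PUBLIC;   -- explicit, even though it is the default
GRANT USAGE ON SCHEMA public TO demographics_reader, record_search_reader;
GRANT SELECT ON share_demographics  TO demographics_reader;
GRANT SELECT ON share_record_search TO record_search_reader;

-- Individual accounts (names assumed) inherit only their group's view.
-- No passwords are set here; authentication is left to pg_hba.conf.
CREATE ROLE adap_analyst LOGIN;
CREATE ROLE dis_staff    LOGIN;
GRANT demographics_reader  TO adap_analyst;
GRANT record_search_reader TO dis_staff;

-- 4. File exchange instead of live access: export exactly the shared
--    variables. Server-side COPY TO a file requires superuser or the
--    pg_write_server_files role; the destination path is assumed.
COPY (SELECT * FROM share_demographics ORDER BY case_id)
    TO '/secure/exports/share_demographics.csv'
    WITH (FORMAT csv, HEADER);

-- 5. Check the boundary from the partner's point of view. The query on the
--    view succeeds; a query on the base table is rejected with a
--    permission-denied error because the role has no privilege on it.
SET ROLE dis_staff;
SELECT last_name, first_name, report_date
FROM share_record_search
WHERE last_name = 'Doe' AND dob = DATE '1970-01-15';
-- SELECT * FROM hiv_surveillance;   -- fails: no SELECT privilege for dis_staff
RESET ROLE;
```

PostgreSQL also allows column-level `GRANT SELECT (col, ...)` on the base table, but a named view has the advantage that the exact variable list exists as one object that the MOA or data recipient agreement can cite, and that changes to it are visible in the schema history rather than spread across privilege grants. Whatever the mechanism, the step-5 check (log in as the partner role and confirm the base table is refused) belongs in the annual review, since a later `GRANT` on the table would silently widen access.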
Annual retraining is important
Provide reasonable safeguards for securing confidential & sensitive information
Ensure new technologies are addressed
Address policy & program process changes in writing
Allows supervisors to address:
Intentional breach
Unintentional breach
Good vs. poor judgment
Why Specify Your Guidelines in Writing?
Email
Physical/building security
Field work
Phone
Fax
Mail
What is good judgment to one person is not the same for everyone.
Specify Guidelines in Writing: Ex. Email Security
Provide employee guidance:
Notify your supervisor of a possible email breach (e.g., a patient name/identifier in an email), but don’t forward the email
Notify the sender (but don’t hit reply to the email)
Employees & providers should not email patient names/lists or other patient identifiers
Recommend an email signature tagline
Borrowed from the Texas Medical Monitoring Project:
Please do not reply to this email with any patient identifying information. This includes: Name, Phone Number, DOB, Address & Medical Record Number. Please call my confidential line at (804) 864-XXXX to coordinate this exchange. Thank you.
Lost patient data in the news
Sent: Saturday, February 26, 2011 10:29 AM
Subject: more on HIPAA violations
Today's Top News
1. Patient info lost on subway earns MGH $1 million HIPAA fine
XX State General Hospital will pay the U.S. government $1 million to settle what the feds are calling "potential violations of the HIPAA Privacy Rule," according to a statement issued by the U.S. Department of Health and Human Services. The case involves patient information that an employee left on the subway.
This marks the second fine related to HIPAA noncompliance in a week.
Take home messages
Have the Division/Office Director involved and/or making the decisions
Define what variables to share with each data exchange
Document your breach procedure (e.g., for email) before a breach happens, to help prevent one!
Ongoing communication can occur even if staff are not in the same building
Don’t have time/$$ to compile the S&C procedures? Hire a contractor to:
Perform the assessment
Write the policies
Questions
804-864-7959