2014 privacy and information security training


2014 PRIVACY AND INFORMATION SECURITY TRAINING
RESPECT FOR PRIVACY AND CONFIDENTIALITY
WHAT IS PROTECTED HEALTH INFORMATION (PHI)
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a
covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The
Privacy Rule calls this information "protected health information (PHI)."
FREQUENTLY REPORTED INCIDENTS AND WHAT YOU NEED TO KNOW…
1. Medical record documents or billing statements being mailed or handed to the wrong patient.

Be sure when you are mailing correspondence about a patient that you are sending the correct
patient’s information to the appropriately authorized recipient.

Always confirm the identity of the individual to whom you are releasing, handing or mailing patient
information; e.g. thumb through each page of information, and verify a caller by name, DOB or validation
code before communicating.
2. E-mails containing patient Protected Health Information (PHI) sent in a format that is not
secure.

Do not send PHI in standard, unsecured email. The File Transfer Application (FTA) is an application
that allows the user to send a secure attachment.

MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing
when communicating with patients.
3. Gossiping or sharing patient information with someone who is not authorized to know.

Only engage in conversation regarding patients with other faculty and staff who need the information
to do their job, according to Vanderbilt policies and regulatory requirements.

Gossiping about, discussing or sharing the health information of a VUMC patient or faculty/staff member
that you obtained through your role at VUMC, and any such disclosure that results in the individual filing a
complaint, are all considered privacy violations and will result in appropriate disciplinary action.
FREQUENTLY REPORTED INCIDENTS AND WHAT YOU NEED TO KNOW…CONT.
4. Staff or faculty accessing a co-worker’s or any other patient’s electronic medical record without a
legitimate business purpose or written authorization is a privacy violation regardless of the reason
and may trigger the federal breach notification requirements:

Deliberate, unauthorized access to a patient’s record and disclosure of that information for
personal use or with malicious intent is considered a privacy violation and will result in the highest
level of disciplinary action, up to and including termination of employment.

Accessing a co-worker’s medical record to look up a room number or any demographic
information is a violation under the Sanctions for Privacy and Security policy.

When looking for a patient’s medical record, attempt to use more than first and last name to
identify the correct patient; e.g. birth date or middle name.
5. Staff or faculty member shares User ID and Password that allows access to restricted systems and/or
confidential information or PHI of others.

If you cannot remember your password, NEVER ask to use someone else’s UserID and
password. Call the VUMC HELP DESK for assistance, 343-HELP (343-4357), or access the
VUMC HELP DESK website: http://helpdesk.mc.vanderbilt.edu

Do not share your confidential passwords with anyone, including a manager or system
administrator. Contact your LAN manager or system administrator to set up shared drives or
folders as a secure means for sharing access to files or databases without sharing individual user
identification.

Sharing your user name/password or using someone else’s user name/password that allows
access to a restricted system and confidential information or PHI of others will result in
disciplinary action.
Reference Policy: IM 10-30.12 "Sanctions for Privacy and Information Security Violations"
“I RESPECT PRIVACY AND CONFIDENTIALITY”
• Never assume it is OK to share information with family or friends, unless you know they are
involved in caring for the patient, or you have the patient’s permission. This includes family
members of VUMC staff or faculty.
• Give only the minimum amount of information necessary.
Example of “minimum necessary”
• When leaving a message on a patient’s answering machine or with someone who answers the
phone, simply leave a call-back number and state that you are calling from Vanderbilt Medical Center.
• Shred documents containing protected health information when finished.
• Upon patient registration, let the patient give you pertinent information that will identify the
patient: ask for the patient’s Date of Birth, Address, and last 4 digits of Social Security Number to
verify that the information you have is correct. (Do not give the patient this information; let them
give it to you!)
VUMC recognizes the challenges of a busy clinical practice: high patient volume and complex workflow.
But developing workarounds to bypass the security controls in the EMR creates unacceptable patient
safety risks and undermines the trust our patients place in us to protect their private information.
EXAMPLES OF WORKING UNDER
SOMEONE ELSE’S USER ID AND
PASSWORD MIGHT INCLUDE:
Sharing ID/password with another person or working under
another person’s ID/password that allows access to
confidential information or patient information is a serious
violation of Vanderbilt policies.

Challenge: On rounds in the inpatient environment, one individual logs into the EMR on a computer as discussion
about a patient begins. Over the course of the patient review, other members of the rounding team access the
record and may review and update information about the patient under the original user’s ID.

Acceptable Correction: One member of the rounding team needs to complete the documentation or each new
reporting team member must log in using their personal ID and password.

Challenge: A clinic environment where a non-provider staff member logs on to multiple workstations across
several exam rooms and opens the medical record of each patient expected to be seen in those exam rooms so
that the provider has the record open and ready to access when he or she enters the exam room. The provider
enters the exam room and forgets that the patient medical record is not associated with the provider’s ID and enters
orders or documents findings or actions under the staff member’s ID.

Acceptable Correction: Each team member must log in to each system using their personal ID and password.
Reference Policy: IM 10-30.19: "Authorization and Access to Electronic Systems and Applications"
Reference Policy: IM 10-30.12: "Sanctions for Privacy and Information Security Violations"
COMMUNICATION OF PROTECTED HEALTH INFORMATION
E-mail sent over the Internet is generally unencrypted
and not always secure.
• A secure method of communication is the File Transfer Application (FTA).
• NEVER use the full nine-digit Social Security Number in an electronic message unless you have
taken steps to make sure the message is encrypted!
• Use the Medical Record Number as the primary identifier for a patient and only a part of the
patient’s name (if needed), such as last name or initials.
• Limit the amount of patient information to the “minimum necessary”.
• Do not forward your VUMC email account to other out-of-network email accounts (e.g., Gmail,
Yahoo, Hotmail, Comcast).
Find alternative ways to communicate confidential
information:
Encourage patients to use MyHealthAtVanderbilt (MHAV);
• MHAV is a secure electronic health record system for communicating with the patient.
StarPanel message basket system provides
secure messaging among and between
VUMC clinical staff and faculty about a
specific patient.
Faxing is generally considered an insecure method
for transmitting confidential information and should
only be used when there is an urgent need to receive
the information or an alternative secure method (e.g.,
mail, courier service,
web-based authentication system, encrypted email)
does not exist or is not reasonable.
All VUMC faculty and individuals working at VUMC must take precautions when using fax machines.
• Do not assume the patient wants you to use the fax number they used;
• ALWAYS verify the recipient’s fax number before transmitting;
• **ALWAYS USE A COVER SHEET**
• Don’t forget to dial “9” if faxing outside of VUMC.
• Pre-program frequently used numbers directly into the fax machine to avoid misdirecting the
information to someone who is not the intended recipient.
• TEST pre-programmed fax numbers whenever possible to eliminate faxing errors.
Reference Policy: IM 10-10.03: "Faxing Confidential Information"
SOCIAL MEDIA
Take Responsibility and Use Good Judgment. You are responsible for the material you post on personal
blogs or other social media. Be courteous, respectful, and thoughtful about how other personnel may
perceive or be affected by postings. Incomplete, inaccurate, inappropriate, threatening, harassing or poorly
worded postings may be harmful to others. They may damage relationships, undermine VUMC brand or
reputation, discourage teamwork, and negatively impact the institution’s commitment to patient care,
education, research, and community service.
Examples of Bad Judgment Reported by Other Institutions:
On YouTube: A medical student filmed a doctor inserting a chest tube into a patient whose face was clearly
visible and posted the footage.
On a Blog: A physician called a patient (using the patient’s name) lazy and ignorant because they had made
several visits to the emergency room after failing to monitor blood sugar levels.
On Facebook: A group of nurses used Facebook to provide unauthorized shift change updates to their
co-workers. They did not use patient names, but they posted enough information about the patients that
the incoming nurses could prepare for their shifts. Omitting a patient’s name does not guarantee that the
person cannot be identified.
If you identify yourself in any online forum as a faculty/staff member of VUMC, you must make it clear you are not
speaking for VUMC and all submissions represent your own personal views and comments.
Do Not post digital images and messages containing PHI without written authorization from the patient.
Remember recognizable markings or body parts are PHI.
Reference Policy: OP10-10.30 – "Social Media"
PATIENT PHOTOGRAPHY AND VIDEO IMAGING
VUMC may utilize Photography or Video Imaging
of a patient for purposes of identification and
patient care and treatment or as otherwise
authorized by the patient or the patient’s legal
representative.

Patient Identifiable Photography is Protected Health
Information (PHI) and use and disclosure of this PHI must
comply with all Information Privacy and Security Policies for
PHI.

Photography for purposes of patient care does not require
additional consent beyond the standard Consent for
Treatment.

Photography for purposes other than patient care generally
does require explicit consent.

Immediately upload patient photos to the EMR or another
secure server. Immediately delete the image from the
camera/device.

Do Not post Photography of patients in public areas, on
internet websites, or blogs without written or documented
verbal consent from the patient/legal representative prior to
the posting.
UNAUTHORIZED ACCESS OR DISCLOSURE OF PATIENT INFORMATION MAY
TRIGGER FEDERAL BREACH REPORTING REQUIREMENTS
• Whenever possible, allow the patient to determine which family members or others involved in
their care are communicated with regarding the patient’s care and services. Do not assume that
the patient agrees for a visitor or family member in the patient’s room to see or hear any personal
health information (i.e. be cautious during medication administration and treatments to prevent
inadvertently revealing a patient diagnosis in front of others unless the patient has allowed you to
do so).

Ask the patient if it is okay to discuss personal health information in front of visitors/family
members.

Before accessing a patient’s medical record for any reason other than completion of your assigned
job duties, there must be documentation in the medical record showing that the patient has granted
you permission. Written authorization may be in the form of a note entered into the medical record
documenting verbal permission or, preferably, a signed copy of an authorization form granting the
access.

You are allowed to access your own
electronic medical record but are not allowed
to access the record of your co-worker,
spouse, or family member unless there is
written authorization in the patient’s record.
Form MC 3166: "Communication with Family and others about your Care and Permission to See Your Medical Record"
THE PRIVACY OFFICE WILL DETERMINE WHETHER VIOLATIONS REQUIRE
BREACH NOTIFICATION AND REPORTING
Things You Need to Know…

When breach notification is required, the individual whose information was breached must be
notified and the incident must be reported to the Secretary of Health and Human Services.

State of TN notification may be required when there is a security breach of unencrypted
computerized data containing Personal Information (such as SSN).

The Breach Notification policy defines the procedures to be followed upon discovery of known or
suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or
computerized Personal Information so that appropriate notification requirements are satisfied.
What You Need to Do…

Report all suspected breaches of Protected Health Information (PHI) to the Privacy Office.

Report all suspected breaches of Employee Information (e.g. Social Security Number) to the
Privacy Office.
DISCLOSURE TO LAW ENFORCEMENT
A covered entity may disclose PHI to law enforcement with the individual’s signed HIPAA authorization.
A covered entity may also disclose PHI to law enforcement without the individual’s signed HIPAA
authorization in certain incidents including:
• To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and
imminent threat to the health or safety of an individual or the public.
• To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred
on the premises of the covered entity.
• To alert law enforcement to the death of the individual, when there is a suspicion that death
resulted from criminal conduct.
• To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material
witness or missing person, but the information must be limited to basic demographic and health
information about the person.
• To comply with a court order or court-ordered warrant, a subpoena or summons issued by a
judicial officer, or an administrative request from a law enforcement official (the administrative
request must include a written statement that the information requested is relevant and material,
specific and limited in scope, and that de-identified information cannot be used).
• To respond to a request for PHI about an adult victim of a crime when the victim agrees (or in
limited circumstances if the individual is unable to agree). Child abuse or neglect may be reported,
without a parent’s agreement, to any law enforcement official authorized by law to receive such
reports.
For complete information, please visit the U.S. Department of Health and Human Service’s Office for Civil Rights HIPAA web site at
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf
Reference Policy: "Releasing Patient Information and Coordinating Access to Patients by External Law Enforcement Officials and Investigators"
PRIVACY AND INFORMATION SECURITY POLICIES
Policy Review:
The following policies with implications for privacy and information security have been
updated and published in 2013.

IM 10-30.09 "Patient Request for Confidential Communications"

IM 10-30.18 "Disposal of Confidential Information"

IM 10-20.01 "Authorization to Access Medical Records: Self and Others"

IM 10-30.04 "Identity Theft Prevention and Response"

IM 10-10.01 "Business Associate Agreements"

IM 10-20.12 "Patient Safety and Confidentiality: No Information, Security
Risk, Stat, and Alias Designations"
CONTACT ONE OF THE FOLLOWING TO REPORT
PRIVACY AND INFORMATION SECURITY INCIDENTS:

Privacy Office (936-3594) or email
[email protected]

Help Desk 343-HELP (343-4357)

Anonymous Confidential Hotline (1-866-783-2287)

Department Chair
Always forward Patient complaints to Patient Relations
(343-4163)