
Page 1

2014 PRIVACY AND INFORMATION SECURITY TRAINING

Page 2

RESPECT FOR PRIVACY AND CONFIDENTIALITY

Page 3

WHAT IS PROTECTED HEALTH INFORMATION (PHI)

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

Page 4

FREQUENTLY REPORTED INCIDENTS AND WHAT YOU NEED TO KNOW…

1. Medical record documents or billing statements being mailed or handed to the wrong patient. Be sure when you are mailing correspondence about a patient that you are sending the correct patient’s information to the appropriately authorized recipient.

Always confirm the identity of the individual to whom you are releasing, handing or mailing patient information; e.g. thumb through each page of information, and verify a caller by name, DOB or validation code before communicating.

2. E-mails containing patient Protected Health Information (PHI) sent in a format that is not secure. Do not send PHI in standard, unsecured email. The File Transfer Application (FTA) is an application that allows the user to send a secure attachment.

MyHealthatVanderbilt is a secure web portal that can be used as an alternative to email and faxing when communicating with patients.

3. Gossiping or sharing patient information with someone who is not authorized to know. Only engage in conversation regarding patients with other faculty and staff who need the information to do their job, according to Vanderbilt policies and regulatory requirements.

Gossiping about, discussing or sharing the health information of a VUMC patient or faculty/staff member that you obtained through your role at VUMC, resulting in the individual filing a complaint, is considered a privacy violation and will result in appropriate disciplinary action.

Page 5

FREQUENTLY REPORTED INCIDENTS AND WHAT YOU NEED TO KNOW…CONT.

4. Staff or faculty accessing a co-worker’s or any other patient’s electronic medical record without a legitimate business purpose or written authorization is a privacy violation regardless of the reason and may trigger the federal breach notification requirements:

Deliberate, unauthorized access to a patient’s record and disclosure of that information for personal use or with malicious intent is considered a privacy violation and will result in the highest level of disciplinary action, up to and including termination of employment.

Accessing a co-worker’s medical record to look up a room number or any demographic information is a violation under the Sanctions for Privacy and Security policy.

When looking for a patient’s medical record, attempt to use more than first and last name to identify the correct patient; e.g. birth date or middle name.

5. Staff or faculty member shares User ID and Password that allows access to restricted systems and or confidential information or PHI of others.

If you cannot remember your password, NEVER ask to use someone else’s UserID and password. Call the VUMC HELP DESK for assistance at 343-HELP (343-4357), or access the VUMC HELP DESK website: http://helpdesk.mc.vanderbilt.edu

Do not share your confidential passwords with anyone, including a manager or system administrator. Contact your LAN manager or system administrator to set up shared drives or folders as a secure means of sharing access to files or databases without sharing individual user identification.

Sharing your user name/password or using someone else’s user name/password that allows access to a restricted system and confidential information or PHI of others will result in disciplinary action.

Reference Policy: IM 10-30.12 "Sanctions for Privacy and Information Security Violations"

Page 6

“I RESPECT PRIVACY AND CONFIDENTIALITY”

Never assume it is OK to share information with family or friends, unless you know they are involved in caring for the patient, or you have the patient’s permission. This includes family members of VUMC staff or faculty.

Give only the minimum amount of information necessary. Example of “minimum necessary”: when leaving a message on a patient’s answering machine or with someone who answers the phone, simply leave a call back number and state that you are calling from Vanderbilt Medical Center.

Shred documents containing protected health information when finished.

Upon patient registration, let the patient give you the pertinent information that will identify them: ask for the patient’s date of birth, address and last 4 digits of Social Security Number to verify that the information you have is correct. (Do not give the patient this information; let them give it to you!)

Page 7

VUMC recognizes the challenges of a busy clinical practice -- high patient volume and complex work flow. But developing workarounds to bypass the security controls in the EMR creates unacceptable patient safety risks and undermines the trust our patients place in us to protect their private information.

EXAMPLES OF WORKING UNDER SOMEONE ELSE’S USER ID AND PASSWORD MIGHT INCLUDE:

Challenge: On rounds in the inpatient environment, one individual logs into the EMR on a computer as discussion about a patient begins. Over the course of the patient review, other members of the rounding team access the record and may review and update information about the patient under the original user’s ID.

Acceptable Correction: One member of the rounding team needs to complete the documentation, or each new reporting team member must log in using their personal ID and password.

Challenge: A clinic environment where a non-provider staff member logs on to multiple workstations across several exam rooms and opens the medical record of each patient expected to be seen in those exam rooms so that the provider has the record open and ready to access when he or she enters the exam room. The provider enters the exam room, forgets that the patient medical record is not associated with the provider’s ID, and enters orders or documents findings or actions under the staff member’s ID.

Acceptable Correction: Each team member must log in to each system using their personal ID and password.

Sharing ID/password with another person or working under another person’s ID/password that allows access to confidential information or patient information is a serious violation of Vanderbilt policies.

Reference Policy: IM 10-30.19: "Authorization and Access to Electronic Systems and Applications"

Reference Policy: IM 10-30.12: "Sanctions for Privacy and Information Security Violations"

Page 8

COMMUNICATION OF PROTECTED HEALTH INFORMATION

Faxing is generally considered an insecure method for transmitting confidential information and should only be used when there is an urgent need to receive the information or an alternative secure method (e.g., mail, courier service, web-based authentication system, encrypted email) does not exist or is not reasonable.

All VUMC faculty and individuals working at VUMC must take precautions when using fax machines:

• Do not assume the patient wants you to use the fax number they used; ALWAYS verify the recipient’s fax number before transmitting.

• ALWAYS USE A COVER SHEET.

• Don’t forget to dial “9” if faxing outside of VUMC.

• Pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information to someone who is not the intended recipient.

• TEST pre-programmed fax numbers whenever possible to eliminate faxing errors.

E-mail sent over the Internet is generally unencrypted and not always secure:

• A secure method of communication is the File Transfer Application (FTA).

• NEVER use the full nine digit social security number in an electronic message unless you have taken steps to make sure the message is encrypted!

• Use the Medical Record Number as the primary identifier for a patient and only a part of the patient’s name (if needed), such as last name or initials.

• Limit the amount of patient information to the “minimum necessary”.

• Do not forward your VUMC email account to other out of network email accounts (e.g., Gmail, Yahoo, Hotmail, Comcast, etc.).

Find alternative ways to communicate confidential information: encourage patients to use MyHealthAtVanderbilt (MHAV); MHAV is a secure electronic health record system for communicating with the patient.

The StarPanel message basket system provides secure messaging among and between VUMC clinical staff and faculty about a specific patient.

Reference Policy: IM 10-10.03: "Faxing Confidential Information"

Page 9

SOCIAL MEDIA

Take Responsibility and Use Good Judgment. You are responsible for the material you post on personal blogs or other social media. Be courteous, respectful, and thoughtful about how other personnel may perceive or be affected by postings. Incomplete, inaccurate, inappropriate, threatening, harassing or poorly worded postings may be harmful to others. They may damage relationships, undermine VUMC brand or reputation, discourage teamwork, and negatively impact the institution’s commitment to patient care, education, research, and community service.

Examples of Bad Judgment Reported by Other Institutions:

• On YouTube: A medical student filmed a doctor inserting a chest tube into a patient whose face was clearly visible and posted the footage.

• On a Blog: A physician called a patient (using the patient’s name) lazy and ignorant because they had made several visits to the emergency room after failing to monitor blood sugar levels.

• On Facebook: A group of nurses used Facebook to provide unauthorized shift change updates to their co-workers. They did not use patient names, but they posted enough information about the patients that the incoming nurses could prepare for their shifts. Omitting a patient’s name does not guarantee that the person cannot be identified.

If you identify yourself in any online forum as a faculty/staff member of VUMC, you must make it clear you are not speaking for VUMC and all submissions represent your own personal views and comments.

Do Not post digital images and messages containing PHI without written authorization from the patient. Remember recognizable markings or body parts are PHI.

Reference Policy: OP10-10.30 – "Social Media"

Page 10

PATIENT PHOTOGRAPHY AND VIDEO IMAGING

VUMC may utilize Photography or Video Imaging of a patient for purposes of identification and patient care and treatment, or as otherwise authorized by the patient or the patient’s legal representative.

Patient Identifiable Photography is Protected Health Information (PHI) and use and disclosure of this PHI must comply with all Information Privacy and Security Policies for PHI.

Photography for purposes of patient care does not require additional consent beyond the standard Consent for Treatment.

Photography for purposes other than patient care generally does require explicit consent.

Immediately upload patient photos to the EMR or another secure server. Immediately delete the image from the camera/device.

Do Not post Photography of patients in public areas, on internet websites, or blogs without written or documented verbal consent from the patient/legal representative prior to the posting.

Click the link for instructions on "How-To" Upload Images to Patient Chart.

Page 11

UNAUTHORIZED ACCESS OR DISCLOSURE OF PATIENT INFORMATION MAY TRIGGER FEDERAL BREACH REPORTING REQUIREMENTS

Whenever possible, allow the patient to determine which family members or others involved in their care are communicated with regarding the patient’s care and services. Do not assume that the patient agrees for a visitor or family member in the patient’s room to see or hear any personal health information (i.e. be cautious during medication administration and treatments to prevent inadvertently revealing a patient diagnosis in front of others unless the patient has allowed you to do so).

Prior to accessing a patient’s medical record for any reason other than completion of your assigned job duties, there should be documentation in the medical record showing the patient has granted you permission prior to accessing the record. Written authorization may be in the form of a note entered into the medical record documenting verbal permission or, preferably, a signed copy of an authorization form granting the access.

Ask the patient if it is okay to discuss personal health information in front of visitors/family members.

You are allowed to access your own electronic medical record but are not allowed to access the record of your co-worker, spouse, or family member unless there is written authorization in the patient’s record.

Form MC 3166: "Communication with Family and others about your Care and Permission to See Your Medical Record"

Page 12

THE PRIVACY OFFICE WILL DETERMINE WHETHER VIOLATIONS REQUIRE BREACH NOTIFICATION AND REPORTING

What You Need to Do…

Report all suspected Breach of Patient Health Information (PHI) to the Privacy Office.

Report all suspected Breach of Employee Information (i.e. Social Security Number) to the Privacy Office.

Things You Need to Know…

When breach notification is required, the individual whose information was breached must be notified and the incident must be reported to the Secretary of Health and Human Services.

State of TN notification may be required when there is a security breach of unencrypted computerized data containing Personal Information (such as SSN).

The Breach Notification policy below defines the procedures to be followed upon discovery of known or suspected incidents involving unauthorized acquisition, access, use or disclosure of PHI or computerized Personal Information, so that appropriate notification requirements are satisfied.

Page 13

DISCLOSURE TO LAW ENFORCEMENT

A covered entity may disclose PHI to law enforcement with the individual’s signed HIPAA authorization.

A covered entity may also disclose PHI to law enforcement without the individual’s signed HIPAA authorization in certain incidents, including:

• To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.

• To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or an administrative request from a law enforcement official (the administrative request must include a written statement that the information requested is relevant and material, specific and limited in scope, and that de-identified information cannot be used).

• To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.

• To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.

• To respond to a request for PHI about an adult victim of a crime when the victim agrees (or in limited circumstances if the individual is unable to agree). Child abuse or neglect may be reported, without a parent’s agreement, to any law enforcement official authorized by law to receive such reports.

• To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person, but the information must be limited to basic demographic and health information about the person.

For complete information, please visit the U.S. Department of Health and Human Services’ Office for Civil Rights HIPAA web site at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf

Reference Policy: "Releasing Patient Information and Coordinating Access to Patients by External Law Enforcement Officials and Investigators"

Page 14

PRIVACY AND INFORMATION SECURITY POLICIES

Policy Review:

The following policies with implications for privacy and information security have been updated and published in 2013.

IM 10-30.09 "Patient Request for Confidential Communications"

IM 10-30.18 "Disposal of Confidential Information"

IM 10-20.01 "Authorization to Access Medical Records: Self and Others"

IM 10-30.04 "Identity Theft Prevention and Response"

IM 10-10.01 "Business Associate Agreements"

IM 10-20.12 "Patient Safety and Confidentiality: No Information, Security Risk, Stat, and Alias Designations"

Page 15

CONTACT ONE OF THE FOLLOWING TO REPORT PRIVACY AND INFORMATION SECURITY INCIDENTS:

Privacy Office (936-3594) or email [email protected]

Help Desk 343-HELP (343-4357)

Anonymous Confidential Hotline (1-866-783-2287)

Department Chair

Always forward Patient complaints to Patient Relations (343-4163).