louisiana careware access network user training #2: data security, confidentiality, hipaa, &...

Louisiana CAREWare Access Network User Training #2:

Data Security, Confidentiality, HIPAA,& CAREWare Sharing

November 2011

• LaCAN Policies:

• Data Security & Confidentiality

• Data Sharing in CAREWare

• HIPAA Training

• How to share in CAREWare

• Client consent for sharing

Today’s Topics

Web Folks:

Mute your phones

Do not put your phone on hold

Feel free to use chat for questions at any time OR just speak up

Call the Genesys help desk if you have technical difficulties

In-Person Folks:

Silence your cell phones

Raise your hand if you have a question

Housekeeping

What is confidential information?1. Sensitive health and risk-related information

2. Client personal identifiers

3. Potentially identifying information

4. Any other information provided to contractors for which confidentiality was assured when the individual or establishment provided the information.

Policy Review: Data Security & Confidentiality

What is potentially identifying information?Information that when viewed in conjunction with other information could possibly identify and/or be harmful to a particular person or group of people.

Examples?

General Policies1. All CAREWare users must receive confidentiality training through their employing

agency, sign the LaCAN User Confidentiality Agreement, & be provided the Louisiana STD/HIV Program Security & Confidentiality Policy since they are accessing a State data system.

2. All CAREWare access is based on need-to-know.

3. Users may access CAREWare with only their own account. If someone needs to access CAREWare and does not have an account, they must apply for one. Do not give your account information to anyone.


Computer Security1. Screens must not be readable by anyone but the direct user.

• Check from windows, doors, hallways, and other chairs in your office.

2. CAREWare computers must be in a secure area/office or behind a door that can be locked.• Do not access CAREWare from public computers, including computers designated

for client use.

3. CAREWare computers must have a Windows login password and a password-protected screensaver.


Communicating client information


BAD• Emailing identifiers, URNs, UINs,

or client IDs

• Leaving identifiers, URNs, UINs, or client IDs on voicemail

• Faxing client info unless you know the fax machine is secure

GOOD• Using secure folders to transmit

client data

• Giving client info on the phone directly to the person you are communicating with

• Faxing client info to a fax approved to receive identifying information

What is a CAREWare Security Breach?• CAREWare printouts or data files are lost or stolen.

• CAREWare printouts or data files are shown or given to someone not authorized to view them.

• Someone tries to break into an area that has a CAREWare computer, whether successful or not.

• Someone tries to “hack” into a computer that has CAREWare or into CAREWare itself.

• Any evidence, including a media story, that an unauthorized person gained access to information from CAREWare.


Common Examples?

What do you do if a CAREWare security breach occurs?

1. Call the SHP Services Data Manager (Megan Wright) at 504-568-7474 immediately. If Megan is not available, contact the SHP Data Management & Analysis Unit Manager (Dr. Debbie Wendell) at the same number.

2. Do not speak to the media. Refer all media inquiries to SHP.



What will SHP & the other LaCAN Partners do?1. Comply with all applicable federal and state requirements for the reporting and

notification of breaches of protected health information. (45 C.F.R. §§164.400 et seq., R.S. 51:3071 et seq.)

2. Ensure that any breach of confidentiality will immediately be investigated to assess causes and implement remedies. Infractions related to inappropriate access to or disclosure of confidential information may result in loss of CAREWare access, disciplinary action, termination of employment, loss of professional licensure, and/or federal, civil, or criminal penalties. (HIPAA Privacy 164.530; 45 C.F.R, §§160.300 et seq., 160.400 et seq., 160.500 et seq., 42 U.S.C. §1320d-6)

Data Security & Confidentiality PolicyQuestions?

What does data sharing mean for CAREWare users?See your clients’ services from other LaCAN agencies

See your clients’ clinical information

See your clients’ ADAP & LaHIP services

Policy Review: Data Sharing in CAREWare

Why do we want to share client data in CAREWare?Improve care coordination

Improve performance measurement

Increase the quality of our data

Sharing Policy Details• All sharing will be client-by-client

• Agencies will never see information for clients they have not served

• Starting 1/1/2012, all clients served must sign a consent form indicating share preference

• All sharing consent forms will be scanned and uploaded to the client’s CAREWare record


Procedure for Client Consent to Share1. Case manager or other appropriate agency staff will review

the consent document with the client & answer any questions.

2. Agencies will contact their designated LaCAN Partner if the client has questions they cannot answer.

3. After the client signs the form, the agency will scan it & attach to the client’s CAREWare record.

4. The original paper copy must be kept in the client’s file at the agency.


Procedure for Client Consent to Share, continued5. If the client consented to share their information, the provider

can then request services & clinical data from other LaCAN providers through CAREWare.

6. When sharing requests are received in CAREWare, LaCAN providers will grant access after verifying the client’s consent to share document in CW.

7. Any providers failing to grant access within a reasonable amount of time will be subject to having their requests granted by a LaCAN Partner.


Procedure for Deactivating Client Consent to Share1. If the client decides (at any time) to revoke sharing, agencies will review

the LaCAN Client Revocation of CAREWare Sharing document with them and have the client sign.

2. After the client signs, the agency will scan & upload the document to the client’s CAREWare record. The original paper form will remain in the client’s file.

3. The agency will immediately revoke sharing for the client’s services & clinical data in CAREWare.

4. Within 1 business day, the agency will notify their designated LaCAN Partner of the revocation. The LaCAN Partner will deactivate sharing for all agencies serving the client.


What’s already shared?

• Demographics

• Annual Review

• Custom Annual Review

• Service Tab - Vital Status

• Client Information Tab

• Emergency Contacts Tab

How to Share in CAREWare

The Client Record ContinuedStarts on Page 36 of LaCAN Manual

Client ID: This field is provider specific.

Address, City, State, Zip Code, County, and Phone Number: Enter the client’s address, city, state, and zip code here. Enter the parish name of the client under the county field.

Note: Only use ‘Include label on report’ checkbox if mail can be sent to the client’s address reported.Ethnicity & Race: is based on the client’s self-identification.

Note: For Part A New Orleans, enter the UIN number in the client field.

Demographics TabStarts on Page 36 of LaCAN Manual

Annual Review TabStarts on page 47 of LaCAN Manual

of LaCAN ManualCustom Annual Review Tab

Services TabStarts on Page 40 of LaCAN Manual

Used by all providers Only apply to your agency

Client Information TabStarts on page 75 of LaCAN Manual

Used to record other client information such as who is their case manager, SSN, and mailing preferences. Fields on this tab are shared with and editable by all of the client’s providers.

Emergency Contacts TabStarts on page 75 of LaCAN Manual

What’s able to be shared?

• Services

• Clinical Encounters

• Case Notes

• Subforms

• Appointments

Sharing Information

• Sharing will be set to level 1. This means data will be shared with providers that a client has consented and had at least one service.• Requesting • Granting • Viewing• Cancelling a Sharing Request

Sharing Request

• Open the client’s record click the service tab. At the lower left corner of the window, click service sharing New Request Select providers from the list to send a request to click request close and save

Note: This button will be grayed out for CAREWare users who do not have permissions. Contact your designated grantee for assistance. For users with General User or higher permissions, this button will only be grayed out if the client is only served at your agency.

Service tab

Encounter tab

List of providers where the client has been seen

Pending Notification

Outgoing Sharing Request Notification

Provider sending the request

Incoming Sharing Request Notification from Main Menu

Provider receiving the request

Incoming Share Request Notification by Client Record

• Client has approval request for Services, Clinical Information and Case Notes. You must select each request to grant approval.

Granting Sharing

Granting Sharing

From the drop down list, select Granted and enter the agreement date. Please leave the Expiration field blank.

Viewing Shared Services

• You are allowed to change data entered in your domain or

by someone

at your

agency

Viewing Shared Clinical Information

Cancelling a Sharing Request

Obtaining Client Consent

1. Agencies are required to collect client information in CAREWare as a condition of funding.

2. Their data is secure in CAREWare.

3. That CAREWare is a computer database, similar to what is used at their physician’s office or a hospital.

4. Only authorized personnel will have access to their information.

5. Agencies they are not served by will never see their data.

6. Identifying information is not sent to the federal government.

7. They are not required to share their services & clinical information, but there are benefits.

What we need to communicate to clients

What else?

What questions do you anticipate from clients?

What questions do you have?

What do your clients already ask you about their data?

What are ways agencies can ensure clients feel their data is protected & respected?

What cultural beliefs do we need to take into account?

The Next LaCAN Training

Referrals & Reports in CAREWare

10AM-1PMNovember 29, 2011

louisiana careware access network user training #2: data security, confidentiality, hipaa, &...

Documents

client data

careware computers

careware users

careware printouts

careware security breach

careware client consent

identifying information

careware hipaa training