Integrated Security & Confidentiality (S&C) Guidelines Across Programs: It Does Work

National Security & Confidentiality Guidelines Webinar
April 10, 2012
Dena Bensen, MPH
VA HIV Surveillance Program Director
Virginia Department of Health
Outline
1. VA program background
2. Keys to successful S&C implementation
3. S&C guidelines facilitate data sharing
4. Data sharing examples
5. Annual training importance
6. Applying the guidelines to specific program examples
7. Summary
Virginia: Integrated Programs
Agency (VDH):
- Same new employee background screening
- Same new employee orientation materials
Division of Disease Prevention (DDP):
- Integrated HIV/STD program since the 1980s, with Hep C & TB programs added later
- Sign the same S&C program guidelines/policy
- Same Overall Responsible Party (ORP) (Division Director)
Keys to Successful Implementation
- Have the Division/Office Director involved
- Get all program partners at the same table
- Conduct initial assessment
- Obtain feedback from all staff
  - Data Entry Tech to Program Coordinator
  - Is it realistic for the end users?
- Regroup after initial assessment
- Listen & validate concerns
Keys to Successful Implementation, cont.
- Be realistic & compromise
- "Let go" of the idea that your data or program is more important than other programs
- Put your guidelines in writing
- Revise your plan as needed
- Learn from errors & unexpected situations
  - Add new guidance, policy & examples to the manual
  - If it happens once, it can happen again
S&C Guidelines Facilitate Data Sharing
- Written standards facilitate data sharing between programs
  - You will be comfortable that your data is protected
  - Define uses of data sharing specific to the program & program need
- PCSI
  - Duplication of limited resources (data collection)
  - Enhance data & program quality
  - Increases use of data for public health action
Data Sharing Examples
VA HIV Surveillance & DDP program staff share data based on need:
- TB
  - File exchange of specific data fields
- STD-MIS
  - HIV surveillance "read" access to STD-MIS to make the HIV case report & obtain risk factor
- ADAP
  - Fields for case finding & improved data completeness of race, sex, risk
Data Sharing Examples, cont.
- Partner Services
  - Multiple STD staff have limited "read" access to the HIV Surveillance database (eHARS) for "record searching" patients for:
    - Internal use (e.g., complete Field Records)
    - Local health department Disease Intervention Specialists (DIS) & Partner Services (e.g., previously reported/tested?)
- Care/Ryan White
  - Access of limited Ryan White staff to eHARS HIV Surveillance data for timely assessment of "in care"
Data Sharing Examples, cont.
HIV Surveillance matches with:
- Vital Records
  - Requires MOA
  - Describes specific variables to share
- Cancer
  - Requires S&C signing, data recipient agreement, & allowed uses
Data Sharing & Lessons Learned
- Share only "need to know" data
- Limit database access to read only
- Ideally export required variables to file
  - Create a SQL table of specific variables vs. access to the entire database
- Maps: small numbers?
  - Then don't post on walls
  - Consider who comes into your office
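Added example, not part of the presentation: a small Python/sqlite3 sketch of the "read only" and "specific variables" points above. The case table, the ADAP-style share of case_id, race, sex and risk, and every row value are constructed and hypothetical; no real registry or field names are implied.

```python
import csv
import io
import os
import sqlite3
import tempfile

# Constructed, hypothetical rows standing in for a registry such as eHARS.
CASE_ROWS = [
    ("CASE-001", "Jane Doe", "1970-01-02", "Black", "F", "Heterosexual", "Richmond"),
    ("CASE-002", "John Roe", "1965-05-09", "White", "M", "MSM", "Norfolk"),
    ("CASE-003", "Ann Poe", "1982-11-23", "Hispanic", "F", "IDU", "Richmond"),
]
# Only what the ADAP-style exchange needs: a match key plus race, sex, risk.
NEED_TO_KNOW = ("case_id", "race", "sex", "risk")


def build_surveillance_db(path):
    """Create the full case table plus a separate need-to-know share table."""
    with sqlite3.connect(path) as conn:
        conn.execute("CREATE TABLE cases (case_id TEXT PRIMARY KEY, name TEXT, "
                     "dob TEXT, race TEXT, sex TEXT, risk TEXT, city TEXT)")
        conn.executemany("INSERT INTO cases VALUES (?,?,?,?,?,?,?)", CASE_ROWS)
        # Partner staff are pointed at this table, never at 'cases' itself.
        conn.execute(f"CREATE TABLE adap_share AS SELECT {', '.join(NEED_TO_KNOW)} FROM cases")


def partner_view(path):
    """Read-only partner access: export the share table to CSV and record what is refused."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = conn.execute("SELECT * FROM adap_share").fetchall()
    buf = io.StringIO()
    csv.writer(buf).writerows([NEED_TO_KNOW, *rows])  # the 'export variables to file' option
    results = {"csv": buf.getvalue()}
    for label, sql in (("identifier_query", "SELECT name FROM adap_share"),
                       ("write", "UPDATE adap_share SET risk = 'x'")):
        try:
            conn.execute(sql)
            results[label] = "allowed"
        except sqlite3.OperationalError:  # no such column / attempt to write a readonly database
            results[label] = "refused"
    conn.close()
    return results


def demo():
    """Build a throwaway database in a temp directory and run the partner checks."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "surveillance.db")
        build_surveillance_db(db)
        return partner_view(db)
```

Running `demo()` shows the exported CSV carries only the four agreed variables, while a query for a name or an attempt to update the shared table is refused.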
Annual retraining is important
- Provide reasonable safeguards for securing confidential & sensitive information
- Ensure new technologies are addressed
- Address policy & program process changes in writing
- Allows supervisors to address:
  - Intentional breach
  - Unintentional breach
  - Good vs. poor judgment
Why Specify Your Guidelines in Writing?
- Email
- Physical/building security
- Field work
- Phone
- Fax
- Mail
What is good judgment to one person is not the same for everyone.
Specify Guidelines in Writing: Ex. Email Security
Provide employee guidance:
- Notify supervisor of a possible email breach (e.g., patient name/identifier)
  - But don't forward the email
- Notify sender (but don't hit reply to the email)
- Employees & providers should not email patient names/lists or other patient identifiers
- Recommend an email signature tagline

Borrowed from Texas Medical Monitoring Project:
"Please do not reply to this email with any patient identifying information. This includes: Name, Phone Number, DOB, Address & Medical Record Number. Please call my confidential line at (804) 864-XXXX to coordinate this exchange. Thank you."
Lost patient data in the news
Sent: Saturday, February 26, 2011 10:29 AM
Subject: more on HIPAA violations
Today's Top News
1. Patient info lost on subway earns MGH $1 million HIPAA fine
XX State General Hospital will pay the U.S. government $1 million to settle what the feds are calling "potential violations of the HIPAA Privacy Rule," according to a statement issued by the U.S. Department of Health and Human Services. The case involves patient information that an employee left on the subway.
This marks the second fine related to HIPAA noncompliance in a week.
Take home messages
- Have the Division/Office Director involved &/or make decisions
- Define what variables to share with each data exchange
- Document your breach procedure (e.g., email) before it happens to prevent a breach!
- Ongoing communication
  - Can occur even if not in the same building
- Don't have time/$$ to compile the S&C procedures? Hire a contractor
  - Perform assessment
  - Write policies
Questions
Dena.bensen@vdh.virginia.gov
804-864-7959