HIPAA Privacy & Security

EVMS Health Services 2004 Training
Privacy & Security
• Privacy
– what should be protected
• Security
– how to protect it
Privacy
What should be protected?
Any health information
that can be used to identify
the patient
Patient Identifiers
Name
Date of Birth
Date of Visit
Social Security #
Postal Address (even zip)
Telephone/Fax #
Medical record/Chart #
Email Address/URL
Account #
Photographs
Privacy
Ways to protect patient
information:
– Turn computer screens inward
– Keep patient schedules covered
– Talk quietly – don’t use patient’s
name
– Shred documents
– Verify identity before disclosure
– Use security controls
Security
• Is a process, not a product
Examples of Security Controls
– Set automatic log offs after 20
minutes
– Use screensavers w/ password
features
– Virus protection software
– Log-on trails
Security
• Weakest link in security is
people
Why?
– Don’t see it as important
– Laziness
– Averse to technology
– Don’t know controls are there
People Controls
- management/leadership
• Don’t assign system passwords
until employees have Privacy
Training
• Tell staff how to safeguard
work areas
• Store confidential information
on network drive – not hard
drive
• Don’t ever share passwords
People Controls
Monitor Behavior
– Are staff logging off computers?
– Are they accessing information
not needed for their job?
– Is sensitive information removed
whenever possible (minimum
necessary rule)?
– Are fax cover sheets used?
– Are recycling bins used?
People Controls
Monitor Actions
– Is the Privacy Notice prominently
displayed?
– Are new patients being asked to
initial/sign the privacy notice
acknowledgement?
– Are accidental disclosures logged in
the patient’s disclosure log?
– Are privacy complaints being
forwarded to the privacy office?
Fax Transmittals
- controls
Always use a fax cover sheet
that lets the recipient know
who to contact “just in case”
there is a transmission error
– If you make a mistake, the
“unauthorized” disclosure must be
logged in the patient’s medical
record.
Disclosure Log
- in the medical record
We are required by law to “log”
the following types of disclosures:
• Public health
• Social Services
• Law enforcement
• Unauthorized (or accidental)
disclosures
Databases
#1 Risk area
Do it right
– Get patient authorization (even for
prospective research)
– Protect data w/ security controls
– Limit access
– Don’t store on portable devices
– Update data fields
EVMS Privacy & Security
Manuals
• It is your responsibility to follow the EVMS
HIPAA Privacy & Security Policy &
Procedures
• Each manager is required to review the
Privacy & Security procedures with staff
• Privacy Policy & Procedures:
http://hsmail.evms.edu/compliance/complianceweb/
• Security Policy & Procedures:
http://info.evms.edu/bfis/postdocs/itac_1/hipaa_/policies_/bov20030710secu/default.htm
Mini Quiz
Someone is caught accessing
the PHI of a co-worker. How do
you handle this situation?
– Report person to supervisor/Privacy
Office
– Tell person that she can get fired,
but don’t report to Privacy Office
– Find out what person was looking at
so you can report it
(click mouse for answer)
Report person to supervisor/Privacy
Office immediately
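The “Monitor Behavior” check above (are staff accessing information not needed for their job?) and this quiz scenario (a co-worker’s PHI being viewed) are the kind of thing a log-on trail can surface before anyone is “caught”. The following is an added example, not part of the EVMS training or its systems: it runs over constructed audit-trail lines and flags any view of a staff member’s own chart by a co-worker who is not on that chart’s care team. The line format, the staff roster and the care-team table are all assumptions made up for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed audit-trail lines (not from the training deck): timestamp, user, action, chart number.
AUDIT_LOG = """\
2004-03-01T09:02:11 user=jsmith action=view mrn=100234
2004-03-01T09:05:40 user=jsmith action=view mrn=100235
2004-03-01T12:17:03 user=rjones action=view mrn=200077
2004-03-01T12:18:55 user=jsmith action=view mrn=300412
2004-03-01T13:01:20 user=rjones action=view mrn=300412
2004-03-01T13:04:08 user=dr_lee action=view mrn=300412
"""

# Constructed roster of staff who are also patients: login -> their own chart number.
EMPLOYEE_MRNS: Dict[str, str] = {"jsmith": "300412", "rjones": "300413"}

# Constructed care-team assignments: chart number -> logins with a treatment need to view it.
CARE_TEAM: Dict[str, Set[str]] = {"300412": {"dr_lee"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) mrn=(?P<mrn>\d+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one audit-trail line into its fields; raise on a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def find_coworker_access(log: str, employee_mrns: Dict[str, str],
                         care_team: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, mrn, owner) for every view of a co-worker's chart
    by someone who is neither that co-worker nor on the chart's care team."""
    owner_of = {mrn: login for login, mrn in employee_mrns.items()}
    hits = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        owner = owner_of.get(rec["mrn"])
        if owner is None or owner == rec["user"]:
            continue  # not a staff member's chart, or the staff member viewing their own chart
        if rec["user"] in care_team.get(rec["mrn"], set()):
            continue  # treatment relationship: the view is within job need
        hits.append((rec["ts"], rec["user"], rec["mrn"], owner))
    return hits


if __name__ == "__main__":
    for ts, user, mrn, owner in find_coworker_access(AUDIT_LOG, EMPLOYEE_MRNS, CARE_TEAM):
        print(f"{ts} {user} viewed chart {mrn} of co-worker {owner}: report to supervisor/Privacy Office")
```

On the sample lines only the rjones view of jsmith’s chart is reported; jsmith viewing their own chart and the care-team physician’s view are not.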
Mini Quiz
What are some ways to protect
patient information?
– Turn computer screens inward
– Keep schedules covered up
– Talk quietly, without using the
patient’s name
– All of the above
(click mouse for answer)
All of the above
Mini Quiz
You use an electronic device to
store/use health information. How
do you protect the information?
– Log off system when not in use
– Store information on password
protected network drive
– Keep portable devices on you or
locked up at all times
– All of the above
(click mouse for answer)
All of the above
Mini Quiz
The following are patient
identifiers:
A) Date of birth
B) Date of office visit
C) Strep throat diagnosis
D) A & C
E) A & B
(click mouse for answer)
E) A & B
Mini Quiz
A patient does not want to be
contacted by EVMS for fundraising
purposes. What should be done?
A) remove patient’s address &
telephone # from IDX
B) ask patient to complete an opt-out
fundraising form & forward to Privacy
Office
C) call the EVMS Institutional
Advancement office for advice
(click mouse for answer)
Answer is B!
Mini Quiz
Are you allowed to share
passwords?
– It is ok to give passwords to nurses,
but no one else
– IDX passwords can be shared but not
electronic medical record passwords
– No one is allowed to share passwords
– ever
(click mouse for answer)
No one is allowed to share passwords!
Privacy
- questions/concerns
Contact the Privacy Office: