Privacy and Information Security Training (2006-07)

1. Privacy and InformationSecurity Training (2006-07) VUMC Privacy Website www.mc.vanderbilt.edu/privacy

2. TheMost Common Privacy/Security Incidents Reported • Unauthorized access or disclosure of patient information • Sharing passwords, and electronic signatures • Failure to secure workstations • Failure to properly dispose of documents containing confidential information • Careless handling of personal or confidential information

3. Unauthorized Access or Disclosure of Patient Information Patient information shall be accessed and disclosed only as authorized, on a need-to-know basis, or as required by law. • Have you been concerned about a co-worker in the hospital and looked up their medical record? • Have you looked up your spouse’s record without formal authorization? These are considered Level III violations and will result in at least final written warning or Final PIC.

4. Accessing and Disclosing Patient InformationThings You Need to Know An “Authorization to Access Medical Records” form (MC1814)mustbe signed and placed into the patient’s record for you to have permission to access a record. You can obtain this form in Star Panel, by going to e-docs, or calling the Privacy Office. The Privacy Office conducts audits each month on the records of staff and faculty.

5. Accessing and Disclosing Patient InformationThings You Need to Know Entering a patient’s room and proceeding to discuss information with the patient in front of family members/visitors has resulted in inappropriate disclosures. Remember to ask family members/visitors to leave the room prior to discussing information. If the patient says it’s okay for them to stay then you can proceed with the discussion.

6. Accessing and Disclosing Patient InformationThings You Need to Know The following behaviors are considered privacy breaches under the current sanctions policy? • Gossiping about a faculty/staff member’s health information resulting in a complaint being filed is considered a Level I violation. • Gossiping/sharing PHI secured through your role at VUMC is considered a Level III violation. VUMC Sanctions Policy:http://vumcpolicies.mc.vanderbilt.edu/E-Manual/Hpolicy.nsf/AllDocs/F4FAEAD3EEB0D9C986256FE7006DE2A2

7. Sharing Passwords and Electronic Signatures Individual user names and passwords, as well as electronic signatures, must be kept confidential and shall not be shared. • What if a manager shares the password to her email account with her Administrative Assistant? • What if a resident shares her SecurID token with another resident who is having problems with his own token? Both of these are privacy/security violations and will result in disciplinary action.

8. Sharing Passwords and Electronic SignaturesThings You Need to know Sharing your VU-net user name and password with another person gives that person access to your personnel records. You are able to delegate access to your email account to someone else without sharing your password. Contact your computer support person if you need help to give someone access to your email account.

9. III.Failure to Secure Workstations Things You Need to Know • Failure to lock the computer screen may result in others documenting in the electronic medical record under your user-id. • Failure to lock the computer screen when you walk away allows unauthorized individuals to view confidential information. Be sure to lock the computer screen or log off anytime you need to walk away from the computer to protect confidentiality and data integrity.

10. IV. Failure to Dispose of Documents Containing Confidential Information Medical records, reports or other documents or information shall not be left unattended in a way that exposes confidential information. Things You Need to Know • Always dispose of confidential information in a shredder bin. • Be sure to clear your desk of any documents containing confidential information or remove them from view when leaving your desk for an extended period of time. • Photos of patients for treatment purposes must be stored in the patient’s record or in a secure database in accordance with the revised policy “Consent for Patient Photographs/Videos” OP 20-10.10.

11. V. Careless handling of personal or confidential information Personal or confidential information misdirected to the wrong person verbally or by fax or email is considered a privacy breach. Things You Need to Know When faxing: • Always use a cover sheet • Confirm the fax number before you send • Double check to make sure you enter the correct fax number.

12. Careless handling of personal or confidential information Things You Need to Know • When sending electronic messages • Use MyHealthatVanderbilt.com (a secure web-based portal) to securely communicate with patients, as opposed to standard email • If you use email, confirm the address before sending and limit the personal information sent • When discussing confidential information • Avoid being overheard by others • Just leave a name and call back number in phone messages

13. Conclusion • Some privacy/security breaches occur from individuals being careless while others occur from deliberate actions. • Follow the practices set forth in this training presentation and you will avoid committing the most frequent type of breaches that occur at VUMC. • If you have any questions or need to report a concern, please contact the Privacy Office @ 936-3594 or privacy.office@vanderbilt.edu

14. Final Instructions • To complete the training you must print off the HIPAA Test and submit it to the manager in your department for filing in your personnel file. Any questions related to this training may be submitted to the Privacy Office at privacy.office@vanderbilt.edu or call 936-3594.