
HIPAA Privacy & Data Security Education 2017

Learn why privacy and data security training is essential in the interconnected healthcare industry. Understand your responsibilities and the leadership role of Stanislaus Surgical Hospital in protecting patient privacy and data security. Stay compliant with HIPAA and HITECH regulations.

porterd


Presentation Transcript


  1. HIPAA Privacy & Data Security Education 2017
     Stanislaus Surgical Hospital

  2. Why do I need Privacy & Data Security Training?
     The healthcare industry is very interconnected.
     (Diagram: Stanislaus Surgical Hospital, Medical Services, Medical Records, Hospital, Medical Devices.)
     Patient privacy and data security are more at risk.

  3. Privacy & Data Security Breaches in the news
     • Parkview Health system (5/2014): $800,000
       PHI left on front doorstep of retired physician
     • New York Presbyterian & Columbia University (5/2014): $4.8 million
       Failure to safeguard and secure PHI on network
     • Concentra Health Services and QCA Health Plan, Inc. (4/2014): $1.9 million
       Theft of unencrypted laptops
     • Skagit County, Washington (3/2014): $215,000
       County failure to adopt meaningful compliance program
     Source: U.S. Department of Health and Human Services, Office of Civil Rights, September 2014

  4. Privacy and Data Security Training
     • Mandatory
     • Essential to the mission and values of SSH
     • Federally mandated
     TRAINING REASONS:
     • Privacy and confidentiality are expected by patients.
     • Protecting confidential information and following data security protocols is a serious matter.
     • Everyone can help prevent breaches by staying vigilant and reporting any concerns immediately.

  5. What is Your Responsibility?
     • Read, understand and abide by all SSH Privacy and Data Security Policies and Procedures located on the Shared (G:) Drive.
     • Understand SSH’s network user responsibilities and do not assume that there is privacy on the network.
     • Understand the appropriate use of social media and smart devices.
     • Be aware of privacy or data security incident reporting requirements.
     • Understand non-compliance consequences.

  6. What is Stanislaus Surgical Hospital’s Leadership Role?
     Executives, managers and supervisors are responsible for:
     • Ensuring staff compliance with privacy and data security policies, procedures, and regulations.
     • Assisting the SSH Privacy Officer with the hospital’s legal obligation to detect and investigate potential privacy or data security breaches.
     • Investigating any identified risks disclosed by electronic audit log reviews.
     • Reporting known or suspected incidences to the Privacy Officer immediately.
     • Following through with sanctions or any disciplinary actions resulting from a breach.

  7. Privacy & Data Security Regulations

  8. HIPAA REGULATIONS
     The Health Insurance Portability & Accountability Act (HIPAA) was passed by Congress in 1996. Oversight is managed by the Office of Civil Rights (OCR) through the Department of Health and Human Services (HHS).
     Regulations include controls for the use and disclosure of Protected Health Information (PHI):
     • Use: when a covered entity like SSH uses PHI internally for Treatment, Payment or other Healthcare Operations (audits, training, customer service, internal analysis, etc.).
     • Disclosure: when SSH releases, transfers or provides access to a patient’s PHI physically, orally, or electronically, to someone outside of SSH, such as a physician, an attorney, another provider, an insurance company or a billing contractor.
     HIPAA allows for use and disclosure of PHI without a patient’s authorization when used for TPO (Treatment, Payment or Healthcare Operations), as well as for uses or disclosures required by law.

  9. HITECH Act - Expands HIPAA
     Health Information Technology for Economic and Clinical Health
     • Effective January 1, 2009
     • Privacy and data security component of the American Recovery and Rehabilitation Act (ARRA).
     • Enforced by the Office of Civil Rights (OCR) of the Department of Health & Human Services.
     • Enforced through the state’s Attorney General to enjoin actions and obtain damages on behalf of individuals.
     • Applies HIPAA standards and penalties to Business Associates.
     • Makes individuals subject to penalties.

  10. Protecting Patient Privacy

  11. What Information Must You Protect?
     • Protected Health Information (PHI) consists of information about an individual, or data elements that can be used directly or indirectly to identify an individual.
     • Examples: Name, Date of Birth, Address, Phone Number, Social Security Number, Medical Record Number, Date of Death, Photographs, etc.
     • Protected means that only people who need the information should have access to it, and they should only have the minimum amount of information they need to do their job.

  12. PHI is not Just in the Patient’s Medical Record
     PHI includes any information that can be used to identify an individual.
     • Paper records of all types
       - Documents and forms
       - Labels on patient care items
       - Photos and graphics
       - Insurance cards
       - Faxes
     • Electronic records
       - Computer based records
       - Biomedical equipment
       - Portable storage media
       - Video records (dictation)
     • Verbal/Oral communications
     • Observation

  13. Minimum Necessary Standards Policy
     • Disclose/release only the minimum amount of PHI data elements necessary to accomplish the intended purpose.
     • Access the minimum necessary information to complete job responsibilities.
     • Apply minimum necessary standards when PHI must be disclosed or provided to someone outside of SSH (example: an attorney, contractor, business associate, auditor, etc.).

  14. Safeguarding PHI & Sensitive Information Policy
     • Do not leave documents containing PHI or confidential information unattended in fax machines, printers or copiers.
     • Turn over or cover all PHI/confidential information when you leave your desk.
     • Never remove PHI/confidential information from the facility without the appropriate authorization.
     • Store portable media that contains PHI/confidential information in a locked room, desk or cabinet.
     • Do not allow friends, relatives or visitors into patient areas with PHI or other sensitive information without authorization.

  15. Safeguarding Faxes and U.S. Mail
     Misdirected faxes are the #1 reported privacy incident across Healthcare. Everyone must use Stanislaus Surgical Hospital’s fax coversheet when faxing PHI or other confidential information.
     • Always verify the recipient’s fax number before sending, including preprogrammed numbers.
     • Report to the Privacy Officer any misdirected faxes or U.S. mail that contains or pertains to the following:
       - Requests for or copies of medical records
       - Billing documents, checks or other documents with PHI
       - Privacy related complaints
       - Documents with PHI or sensitive information
       - Office of Civil Rights (OCR) letters
       - Complaints about SSH.

  16. Safe Disposal of PHI and Confidential Information
     Never dispose of paper, film, or copies containing PHI or other sensitive information in a garbage or recycle container. It must be shredded or put into a locked shredder bin. Documents with PHI should be disposed of in a manner that the PHI cannot be read or reconstructed and is rendered unusable, unreadable, or indecipherable.

  17. Social Media Guidelines
     Stanislaus Surgical Hospital’s guidelines for use of Social Media include:
     • Never post confidential or sensitive information or photos, even if the patient’s name is absent from the post. The patient’s occupation/place of employment are enough to ID a patient.
     • Never discuss or reveal sensitive or confidential information in public forums, chat or newsgroups.
     • Inappropriate posting of information or photographs can damage Stanislaus Surgical Hospital’s reputation and/or result in individual liability for the person responsible.
     • THINK before you post.

  18. Data Security

  19. Data Security
     • SSH is required by law to monitor and detect any potential privacy or data security breach, including regularly monitoring user network activity.
     • The HIPAA Security Rule:
       - establishes standards to protect PHI and electronic PHI (ePHI) from unauthorized access or disclosure.
       - requires that all covered entities have certain types of safeguards in place to protect ePHI:
         Administrative = develop hospital-wide P&Ps regarding PHI protection and periodically review the PHI risk analysis.
         Physical = inventory of devices that contain ePHI, backup for power failure, and P&Ps regarding locked doors, cameras, etc.
         Technical = unique user ID, ePHI backup, ability to monitor the system to see who has accessed a patient’s PHI, and terminal automatic logoffs.

  20. Inappropriate Access & Snooping
     • PHI may not be accessed by any employee, contractor or physician without a legitimate business purpose (treatment, payment or healthcare operations).
     • Every employee has the legal right to access their own medical records by following the same authorization process as other patients.
     • It is a violation of SSH’s policy for an employee to use their network credentials to access their own PHI, or the PHI of any family member, without completing the proper authorization procedures.
     • Inappropriate access of PHI will result in disciplinary action according to Policy IS.010.
     Protecting PHI is everyone’s job. PHI is not everyone’s business.
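The deck states the controls as policy: slide 6 makes managers responsible for investigating risks disclosed by electronic audit log reviews, slide 19 names the technical safeguard of being able to see who has accessed a patient’s PHI, and this slide defines which accesses are improper (no TPO purpose, or an employee using network credentials on their own or a family member’s record). The following Python script is an added example of what such an audit log review looks like in code; it is not SSH’s code or audit format. The pipe-delimited log layout, the purpose-of-use codes, the HR link tables and every user ID and MRN value are constructed assumptions for illustration.

```python
"""Audit-log review for inappropriate PHI access (added example, constructed data).

The log layout, purpose-of-use codes, HR link tables and every user/MRN value
below are assumptions for illustration, not SSH's actual audit format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Legitimate business purposes named on the slide: Treatment, Payment, Healthcare Operations.
TPO_REASONS = {"TREATMENT", "PAYMENT", "OPERATIONS"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str    # network user ID that opened the record
    mrn: str     # medical record number that was viewed
    reason: str  # purpose-of-use code recorded by the application (assumed field)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    mrn: str
    rule: str    # SELF_ACCESS, FAMILY_ACCESS or NO_TPO_REASON


# Constructed HR link table: workforce user ID -> that person's own MRN, if they are also a patient.
EMPLOYEE_OWN_MRN: Dict[str, str] = {"jdoe": "MRN-1001", "asmith": "MRN-1002"}
# Constructed declared-relationship table: user ID -> MRNs of family members on file.
EMPLOYEE_FAMILY_MRNS: Dict[str, Set[str]] = {"jdoe": {"MRN-1003"}}

# Constructed sample audit export: timestamp|user|mrn|reason (last line has no reason code).
SAMPLE_LOG = """
# timestamp|user|mrn|reason
2017-03-01T08:02:11|jdoe|MRN-2001|TREATMENT
2017-03-01T08:05:40|jdoe|MRN-1001|TREATMENT
2017-03-01T09:15:02|asmith|MRN-1003|CURIOSITY
2017-03-01T09:20:19|jdoe|MRN-1003|PAYMENT
2017-03-01T10:01:33|rlee|MRN-2002|OPERATIONS
2017-03-01T10:07:58|rlee|MRN-2003|
""".strip().splitlines()


def parse_log(lines: Iterable[str]) -> List[AccessEvent]:
    """Parse pipe-delimited audit lines, skipping blanks and '#' comments.

    A malformed line stops the review instead of being skipped, so a broken
    export never silently drops an access from the reviewer's view.
    """
    events: List[AccessEvent] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, mrn, reason = fields
        events.append(AccessEvent(ts, user, mrn, reason.upper()))
    return events


def review(events: Iterable[AccessEvent],
           own_mrn: Dict[str, str] = EMPLOYEE_OWN_MRN,
           family_mrns: Dict[str, Set[str]] = EMPLOYEE_FAMILY_MRNS) -> List[Finding]:
    """Flag the accesses the slide defines as improper.

    SELF_ACCESS    user opened their own record with network credentials
    FAMILY_ACCESS  user opened a declared family member's record
    NO_TPO_REASON  recorded purpose is not treatment, payment or operations

    Self and family access is flagged even when a TPO code was entered, because
    the proper route for those records is the patient authorization process,
    not a credentialed lookup.
    """
    findings: List[Finding] = []
    for ev in events:
        if own_mrn.get(ev.user) == ev.mrn:
            findings.append(Finding(ev.timestamp, ev.user, ev.mrn, "SELF_ACCESS"))
        elif ev.mrn in family_mrns.get(ev.user, set()):
            findings.append(Finding(ev.timestamp, ev.user, ev.mrn, "FAMILY_ACCESS"))
        elif ev.reason not in TPO_REASONS:
            findings.append(Finding(ev.timestamp, ev.user, ev.mrn, "NO_TPO_REASON"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per user so the Privacy Officer can prioritize follow-up."""
    return dict(Counter(f.user for f in findings))


def review_sample() -> List[Finding]:
    """Run the review over the constructed sample export."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    results = review_sample()
    for f in results:
        print(f"{f.timestamp} {f.user:<8} {f.mrn:<9} {f.rule}")
    print(summarize(results))
```

On the constructed sample this flags four of six accesses: jdoe opening MRN-1001 (their own record), asmith opening MRN-1003 with a non-TPO code, jdoe opening MRN-1003 (a declared family member, despite the PAYMENT code) and rlee opening MRN-2003 with no reason recorded. The two TREATMENT/OPERATIONS accesses to unrelated patients pass. Each finding is a lead for the investigation described on slide 6, not a conclusion; the reviewer still confirms the purpose with the user’s supervisor before any sanction under Policy IS.010.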

  21. Network User Policy - NUP
     • Network access is a privilege that is granted to users to facilitate the performance of SSH’s business.
     • User activity is regularly monitored.
     • The contents and history of a user’s network activity are Stanislaus Surgical Hospital’s property.
     • Any content a user creates or receives via the network is not private or personal. This includes:
       - Web browsing
       - Email and Instant Messages
       - Application activity.

  22. Mobile Device Security
     • Only SSH approved smart phones and PDA models may be used to access the SSH network.
     • Encryption is required for all devices that access the network. Consult SSH IT, your user manual or the vendor’s website for encryption instructions.
     • Password protection is NOT the same as encryption.
     • Always follow Stanislaus Surgical Hospital IT guidelines when using an iPhone, iPad or other electronic device that connects to the SSH network.

  23. Portable Device & Media Security
     • All users of portable computers and portable media owned or issued by SSH shall follow all SSH data security policies.
     • Information systems store data on a wide variety of storage media, including:
       - Internal and external hard drives
       - Internal memory
       - Tapes
       - Other media devices
     • These devices and tools are especially vulnerable:
       - Laptops and home-based personal computers
       - Floppy or ZIP disks and other backup media
       - Optical storage using CDs and DVDs
       - PDAs and Smart Phones
       - Hotel, library or other public workstations
       - Wireless Access Points (WAPs)
       - Flash memory cards and USB flash drives
       - Remote Access Devices including security hardware

  24. Lost or Stolen Removable Media
     If you discover your laptop, iPhone, CD or other portable media containing PHI or sensitive information missing, call (209)232-2510 immediately to report it.

  25. Sending Secure Email
     • Any PHI or confidential information sent outside of the SSH network requires encryption.
     • You must use the “Encrypt Message” button which is available in your Outlook version.
     • A confidentiality statement will automatically be included at the bottom of the email. The required language for the confidentiality statement is located in the SSH email Policy IS.0008.
     • Report incidences of unsecured email to your Privacy Officer.

  26. Reporting Requirements

  27. Investigation Response and Notification
     Anyone with authorized access to SSH’s records or Network shall immediately report any known or suspected privacy or data security incident.
     Reporting options:
     • Contact your immediate supervisor, who in turn will report the incident to the Privacy Officer.
     • Contact the Privacy Officer directly: email debbiem@stanislaussurgical.com
     • Call the SSH Compliance Officer at (209)232-2602
