Importance of Privacy & Data Security Training in Healthcare

Privacy and data security training in healthcare is crucial due to the interconnected nature of the industry, putting patient information at risk. Breaches have resulted in significant financial losses, emphasizing the need for mandatory training to safeguard patient privacy. Understanding responsibilities, policies, and procedures is essential to prevent breaches and maintain compliance with federal regulations.

• Privacy protection
• Data security training
• Healthcare industry
• Compliance regulations
• Patient information

tach645 Follow

Uploaded on Sep 14, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. HIPAA Privacy & Data Security Education 2017 Stanislaus Surgical Hospital 1

2. Why do I need Privacy & Data Security Training? The healthcare industry is very interconnected. Stanislaus Surgical Hospital Medical Services Medical Records Hospital Medical Devices Patient privacy and data security are more at risk Stanislaus Surgical Hospital 2

3. Privacy & Data Security Breaches in the news Parkview Health system (5/2014)- $800,000 PHI left on front doorstep of retired physician New York Presbyterian & Columbia University (5/2014)- $4.8 million Failure to safeguard and secure PHI on network Concentra Health Services and QCA Health Plan, Inc. (4/2014)- $1.9 million Theft of unencrypted laptops Skagit County, Washington (3/2014)- $215,000 County failure to adopt meaningful compliance progra U.S. Department of Health and Human Services, Office of Civil Rights, September 2014 Stanislaus Surgical Hospital 3

4. Privacy and Data Security Training Mandatory Essential to the mission and values of SSH Federally mandated TRAINING REASONS: Privacy and confidentiality are expected by patients. Protecting confidential information and following data security protocols is a serious matter. Everyone can help prevent breaches by staying vigilant and reporting any concerns immediately. Stanislaus Surgical Hospital 4

5. What is Your Responsibility? Read, understand and abide by all SSH Privacy and Data Security Policies and Procedures located on the Shared (G:) Drive. Understand SSH s network user responsibilities and do not assume that there is privacy on the network Understand the appropriate use of social media and smart devices Be aware of privacy or data security incident reporting requirements Understand non-compliance consequences Stanislaus Surgical Hospital 5

6. What is Stanislaus Surgical Hospitals Leadership Role? Executives, managers and supervisors are responsible for: Ensuring staff compliance with privacy and data security policies, procedures, and regulations. Assisting the SSH Privacy Officer with the hospital s legal obligation to detect and investigate potential privacy or data security breaches. Investigating any identified risks disclosed by electronic audit log reviews. Reporting known or suspected incidences to the Privacy Officer immediately. Following through with sanctions or any disciplinary actions resulting from a breach. Stanislaus Surgical Hospital 6

7. Privacy & Data Security Regulations Stanislaus Surgical Hospital 7

8. HIPPA REGULATIONS The Health Insurance Portability & Accountability Act (HIPAA) was passed by Congress in 1996. Oversight is managed by the Office of Civil Rights (OCR) through the Department of Health and Human Services (HHS) Regulations include: o Controls for the use and disclosure of Protected Health Information (PHI) Health Insurance o When a covered entity like SSH uses PHI internally for Treatment, Payment or other Healthcare Operations, or (audits, training customer service, internal analysis, etc.). Portability & Accountability o Release, transfer or provide access to a patient s PHI physically, orally, or electronically, to someone like a physician, an attorney, another provider, insurance company, billing contractor, etc, outside of SSH. Act HIPPA allows for use and disclosure of PHI without a patient s authorization when used for TPO, Treatment, Payment or Healthcare Operations, as well as uses or disclosures required by law. Stanislaus Surgical Hospital 8

9. HITECH Act - Expands HIPAA Health Effective January 1, 2009 Information Privacy and data security component of the American Recovery and Rehabilitation Act (ARRA). Technology for Enforced by the Office of Civil Rights (OCR) of the Department of Health & Human Services. Economic and Clinical Enforced through the state s Attorney General to enjoin actions and obtain damages on behalf of individuals. Health Applies HIPAA standards and penalties to Business Associates. Makes individuals subject to penalties. Stanislaus Surgical Hospital 9

10. Protecting Patient Privacy Stanislaus Surgical Hospital 10

11. What Information Must You Protect? Protected Health Information (PHI) consists of information about an individual or data elements that can be used directly or indirectly to identify an individual. Examples: Name Date of Birth Address Phone Number Social Security Number Medical Record Number Date of Death Photographs Etc. Protected means that only people who need the information should have access to it and they should only have the minimum amount of information they need to do their job. Stanislaus Surgical Hospital 11

12. PHI is not Just in the Patients Medical Record PHI includes any information that can be used to identify an individual. Paper records of all types Documents and forms Labels on patient care items Photos and graphics Insurance cards Faxes Electronic records Computer based records Biomedical equipment Portable storage media Video records (dictation) Verbal/Oral communications Observation Stanislaus Surgical Hospital 12

13. Minimum Necessary Standards Policy Disclose/release only the minimum amount of PHI data elements necessary to accomplish the intended purpose. Access the minimum necessary information to complete job responsibilities. Apply minimum necessary standards when PHI must be disclosed or provided to someone outside of SSH. (example: an attorney, contractor, business associate, auditor, etc.) Stanislaus Surgical Hospital 13

14. Safeguarding PHI & Sensitive Information Policy Do not leave documents containing PHI or confidential information unattended in fax machines, printers or copiers. Turn over or cover all PHI/confidential information when you leave your desk. from the facility without the appropriate authorization. Never remove PHI/confidential information contains PHI/confidential information in a locked room, desk or cabinet. Store portable media that into patient areas with PHI or other sensitive information without authorization. Do not allow friends, relatives or visitors Stanislaus Surgical Hospital 14

15. Safeguarding Faxes and U.S. Mail Misdirected faxes are the #1 reported privacy incident across Healthcare. Everyone must use Stanislaus Surgical Hospital s fax coversheet when faxing PHI or other confidential information. sending, including preprogrammed numbers Always verify the recipient s fax number before Report to the Privacy Officer any misdirected faxes or U.S. mail that contains or pertains to the following: Requests for or copies of medical records Billing documents, checks or other documents with PHI Privacy related complaints Documents with PHI or sensitive information Office of Civil Rights (OCR) letters Complaints about SSH. Stanislaus Surgical Hospital 15

16. Safe Disposal of PHI and Confidential Information Never dispose of paper, film, or copies containing PHI or other sensitive information in a garbage or recycle container. It must be shredded or put into a locked shredder bin. Documents with PHI should be disposed of in a manner that the PHI cannot be read or reconstructed and is rendered unusable, unreadable, or indecipherable. Stanislaus Surgical Hospital 16

17. Social Media Guidelines Stanislaus Surgical Hospital s guidelines for us of Social Media include: Never post confidential or sensitive information or photos , even though the patient s name is absent from the post. The patient s occupation/place of employment are enough to ID a patient. Never discuss or reveal sensitive or confidential information in public forums, chat or newsgroups. Inappropriate posting of information or photographs can damage Stanislaus Surgical Hospital s reputation and/or result in individual liability for the person responsible. THINK before you post. Stanislaus Surgical Hospital 17

18. Data Security Stanislaus Surgical Hospital 18

19. Data Security SSH is required by law to monitor and detect any potential privacy or data security breach including regularly monitoring user network activity. The HIPAA Security Rule: establishes standards to protect PHI and electronic PHI (ePHI) from unauthorized access or disclosure. requires that all covered entities have certain types of safeguards in place to protect ePHI: Administrative= Develop hospital-wide P&P s regarding PHI protection and periodically review PHI risk analysis Physical= Inventory of devices that contain ePHI, back up for power failure and P&P regarding locked doors, cameras, etc. Technical= Unique user ID, ePHI backup, ability to monitor system to see who has accessed a patient s PHI and terminal automatic logoffs Stanislaus Surgical Hospital 19

20. Inappropriate Access & Snooping PHI may not be accessed by any employee, contractor or physician without a legitimate business purpose (treatment, payment or healthcare operations). Every employee has the legal right to access their own medical records by following the same authorization process as other patients. It is a violation of SSH s policy for an employee to use their network credentials to access their own PHI, or the PHI of any family member, without completing the proper authorization procedures. according to Policy IS.010. Inappropriate access of PHI will result in disciplinary action Protecting PHI is everyone s job. PHI is not everyone s business. Stanislaus Surgical Hospital 20

21. Network User Policy - NUP Network access is a privilege that is granted to users to facilitate the performance of SSH s business. User activity is regularly monitored. The contents and history of a user s network activity are Stanislaus Surgical Hospital s property. Any content a user creates or receives via the network is not private nor personal. This includes: Web browsing Email and Instant Messages Application activity. Stanislaus Surgical Hospital 21

22. Mobile Device Security Only SSH approved smart phones and PDA models may be used to access the SSH network. Encryption is required for all devices that access the network. Consult SSH IT, your user manual or the vendor s website for encryption instructions. Password protection is NOT the same as encryption. Always follow Stanislaus Surgical Hospital IT guidelines when using an Iphone, Ipad or other electronic device that connects to the SSH network. Stanislaus Surgical Hospital 22

23. Portable Device & Media Security shall follow all SSH data security policies. All users of portable computers and portable media owned or issued by SSH Information systems store data on a wide variety of storage media including: o Internal and external hard drives o Internal memory o Tapes o Other Media devices These devices and tools are especially vulnerable: o Laptops and home-based personal computers o Floppy or ZIP disks and other backup media o Optical storage using CDs and DVDs o PDAs and Smart Phones o Hotel, library or other public workstations o Wireless Access Points (WAPs) o Flash memory cards and USB flash drives o Remote Access Devices including security hardware Stanislaus Surgical Hospital 23

24. Lost or Stolen Removable Media If you discover your laptop, iPhone, CD or other portable media containing PHI or sensitive information missing, call (209)232-2510 immediately to report it. Stanislaus Surgical Hospital 24

25. Sending Secure Email Any PHI or confidential information sent outside of the SSH network requires encryption. You must use the Encrypt Message button which is available in your Outlook version. A confidentiality statement will automatically be included at the bottom of the email. The required language for the confidentiality statement is located in the SSH email Policy IS.0008. Report incidences of unsecured email to you Privacy Officer. Stanislaus Surgical Hospital 25

26. Reporting Requirements Stanislaus Surgical Hospital 26

27. Investigation Response and Notification Anyone with authorized access to SSH s records or Network shall immediately report any known or suspected privacy or data security incident. Reporting options: Contact your immediate supervisor who in turn will report the incident to the Privacy Officer. Contact to the Privacy Officer directly Email debbiem@stanislaussurgical.com Call the SSH Compliance Officer at (209)232-2602 Stanislaus Surgical Hospital 27