Importance of Privacy & Data Security Training in Healthcare

HIPAA Privacy & Data Security Education
2017
Stanislaus Surgical Hospital
 
Why do I need Privacy & Data Security Training?

The healthcare industry is very interconnected.
[Diagram: Hospital, Medical Records, Medical Devices, Medical Services]
Patient privacy and data security are more at risk.
 
Privacy & Data Security Breaches in the news

Parkview Health system (5/2014) - $800,000: PHI left on front doorstep of retired physician
New York Presbyterian & Columbia University (5/2014) - $4.8 million: Failure to safeguard and secure PHI on network
Concentra Health Services and QCA Health Plan, Inc. (4/2014) - $1.9 million: Theft of unencrypted laptops
Skagit County, Washington (3/2014) - $215,000: County failure to adopt meaningful compliance program

Source: U.S. Department of Health and Human Services, Office of Civil Rights, September 2014
 
Privacy and Data Security Training

Mandatory
Essential to the mission and values of SSH
Federally mandated

TRAINING REASONS:
Privacy and confidentiality are expected by patients.
Protecting confidential information and following data security protocols is a serious matter.
Everyone can help prevent breaches by staying vigilant and reporting any concerns immediately.
 
What is Your Responsibility?

Read, understand and abide by all SSH Privacy and Data Security Policies and Procedures located on the Shared (G:) Drive.
Understand SSH’s network user responsibilities and do not assume that there is privacy on the network.
Understand the appropriate use of social media and smart devices.
Be aware of privacy or data security incident reporting requirements.
Understand non-compliance consequences.
 
What is Stanislaus Surgical Hospital’s Leadership Role?

Executives, managers and supervisors are responsible for:
Ensuring staff compliance with privacy and data security policies, procedures, and regulations.
Assisting the SSH Privacy Officer with the hospital’s legal obligation to detect and investigate potential privacy or data security breaches.
Investigating any identified risks disclosed by electronic audit log reviews.
Reporting known or suspected incidents to the Privacy Officer immediately.
Following through with sanctions or any disciplinary actions resulting from a breach.
 
Privacy & Data Security Regulations
 
HIPAA REGULATIONS

The Health Insurance Portability & Accountability Act (HIPAA) was passed by Congress in 1996. Oversight is managed by the Office of Civil Rights (OCR) through the Department of Health and Human Services (HHS).

Regulations include:
o Controls for the use and disclosure of Protected Health Information (PHI)
o Use: when a covered entity like SSH uses PHI internally for Treatment, Payment or other Healthcare Operations (audits, training, customer service, internal analysis, etc.).
o Disclosure: releasing, transferring or providing access to a patient’s PHI physically, orally, or electronically to someone outside of SSH, such as a physician, an attorney, another provider, insurance company, billing contractor, etc.

HIPAA allows for use and disclosure of PHI without a patient’s authorization when used for TPO (Treatment, Payment or Healthcare Operations), as well as uses or disclosures required by law.
 
HITECH Act - Expands HIPAA

Health Information Technology for Economic and Clinical Health

Effective January 1, 2009

Privacy and data security component of the American Recovery and Rehabilitation Act (ARRA).
Enforced by the Office of Civil Rights (OCR) of the Department of Health & Human Services.
Enforced through the state’s Attorney General to enjoin actions and obtain damages on behalf of individuals.
Applies HIPAA standards and penalties to Business Associates.
Makes individuals subject to penalties.
 
Protecting Patient Privacy
 
What Information Must You Protect?

Protected Health Information (PHI) consists of information about an individual or data elements that can be used directly or indirectly to identify an individual.

Examples:
Name
Date of Birth
Address
Phone Number
Social Security Number
Medical Record Number
Date of Death
Photographs
Etc.

Protected means that only people who need the information should have access to it, and they should only have the minimum amount of information they need to do their job.
 
PHI is not Just in the Patient’s Medical Record

PHI includes any information that can be used to identify an individual.

Paper records of all types
Documents and forms
Labels on patient care items
Photos and graphics
Insurance cards
Faxes
Electronic records
Computer based records
Biomedical equipment
Portable storage media
Video records (dictation)
Verbal/Oral communications
Observation
 
Minimum Necessary Standards Policy

Disclose/release only the minimum amount of PHI data elements necessary to accomplish the intended purpose.
Access the minimum necessary information to complete job responsibilities.
Apply minimum necessary standards when PHI must be disclosed or provided to someone outside of SSH (example: an attorney, contractor, business associate, auditor, etc.).
 
Safeguarding PHI & Sensitive Information Policy

Do not leave documents containing PHI or confidential information unattended in fax machines, printers or copiers.
Turn over or cover all PHI/confidential information when you leave your desk.
Never remove PHI/confidential information from the facility without the appropriate authorization.
Store portable media that contains PHI/confidential information in a locked room, desk or cabinet.
Do not allow friends, relatives or visitors into patient areas with PHI or other sensitive information without authorization.
 
Safeguarding Faxes and U.S. Mail

Misdirected faxes are the #1 reported privacy incident across Healthcare.

Everyone must use Stanislaus Surgical Hospital’s fax coversheet when faxing PHI or other confidential information.

Always verify the recipient’s fax number before sending, including preprogrammed numbers.

Report to the Privacy Officer any misdirected faxes or U.S. mail that contains or pertains to the following:
Requests for or copies of medical records
Billing documents, checks or other documents with PHI
Privacy related complaints
Documents with PHI or sensitive information
Office of Civil Rights (OCR) letters
Complaints about SSH.
 
Safe Disposal of PHI and Confidential Information

Never dispose of paper, film, or copies containing PHI or other sensitive information in a garbage or recycle container. It must be shredded or put into a locked shredder bin.

Documents with PHI should be disposed of in a manner that the PHI cannot be read or reconstructed and is rendered unusable, unreadable, or indecipherable.
 
Social Media Guidelines

Stanislaus Surgical Hospital’s guidelines for use of Social Media include:

Never post confidential or sensitive information or photos, even if the patient’s name is absent from the post.
The patient’s occupation/place of employment can be enough to identify a patient.
Never discuss or reveal sensitive or confidential information in public forums, chat or newsgroups.
Inappropriate posting of information or photographs can damage Stanislaus Surgical Hospital’s reputation and/or result in individual liability for the person responsible.

THINK before you post.
 
Data Security
 
Data Security

SSH is required by law to monitor and detect any potential privacy or data security breach, including regularly monitoring user network activity.

The HIPAA Security Rule:
establishes standards to protect PHI and electronic PHI (ePHI) from unauthorized access or disclosure.
requires that all covered entities have certain types of safeguards in place to protect ePHI:

Administrative = Develop hospital-wide policies and procedures (P&Ps) regarding PHI protection and periodically review the PHI risk analysis
Physical = Inventory of devices that contain ePHI, backup for power failure, and P&Ps regarding locked doors, cameras, etc.
Technical = Unique user IDs, ePHI backup, the ability to monitor the system to see who has accessed a patient’s PHI, and automatic terminal logoffs
 
Inappropriate Access & Snooping

PHI may not be accessed by any employee, contractor or physician without a legitimate business purpose (treatment, payment or healthcare operations).

Every employee has the legal right to access their own medical records by following the same authorization process as other patients.

It is a violation of SSH’s policy for an employee to use their network credentials to access their own PHI, or the PHI of any family member, without completing the proper authorization procedures.

Inappropriate access of PHI will result in disciplinary action according to Policy IS.010.

Protecting PHI is everyone’s job. PHI is not everyone’s business.
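One way to carry out the electronic audit log reviews the deck assigns to leadership, and the technical safeguard of seeing who has accessed a patient’s PHI, is a script that flags self-access, family-member access and accesses with no treatment, payment or operations purpose. This is an added example, not SSH’s own tooling; the audit line format, the HR list linking user IDs to medical record numbers (LINKED_MRNS) and the sample log are all constructed for illustration.

```python
"""Audit-log review for self-access, family-member access and accesses
without a business purpose.

Added example, not part of the SSH training deck. It assumes an EHR that
writes one line per PHI access (format constructed here) and an HR-supplied
list linking each employee's network user ID to the medical record numbers
(MRNs) of their own chart and of declared family members.
"""
import re
from dataclasses import dataclass

# Constructed audit-log format: key=value pairs, one access per line.
# The optional auth= field carries a release-of-information reference
# when the access went through the patient authorization process.
AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mrn=(?P<mrn>\d+) "
    r"action=(?P<action>\S+) reason=(?P<reason>\S+)(?: auth=(?P<auth>\S+))?$"
)

# Constructed HR data: employee user ID -> MRNs of own chart and declared family.
LINKED_MRNS = {
    "jdoe": {"100234", "100235"},   # own chart and spouse
    "mlee": {"200777"},
}

# Uses that need no patient authorization under HIPAA (TPO).
TPO_REASONS = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    mrn: str
    rule: str


def parse_line(line):
    """Return the fields of one audit line, or None if the line is malformed."""
    m = AUDIT_LINE.match(line.strip())
    return m.groupdict() if m else None


def review(lines, linked=LINKED_MRNS):
    """Flag accesses the Privacy Officer should look at.

    Rule 1 (self/family): the user opened a chart linked to them through HR
    data and the record carries no authorization reference.
    Rule 2 (no business purpose): the stated reason is not TPO.
    Malformed lines are reported too: a gap in the audit trail is itself a
    review item.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding("?", "?", "?", "unparseable-audit-line"))
            continue
        if rec["mrn"] in linked.get(rec["user"], set()) and not rec["auth"]:
            findings.append(Finding(rec["ts"], rec["user"], rec["mrn"],
                                    "self-or-family-access-without-authorization"))
        if rec["reason"] not in TPO_REASONS:
            findings.append(Finding(rec["ts"], rec["user"], rec["mrn"],
                                    "access-without-business-purpose"))
    return findings


# Constructed sample log: one legitimate access, one self-lookup, one
# curiosity lookup, one authorized family access, one malformed line.
SAMPLE_LOG = [
    "2017-03-02T09:14:05 user=jdoe mrn=300111 action=VIEW reason=treatment",
    "2017-03-02T09:20:41 user=jdoe mrn=100234 action=VIEW reason=treatment",
    "2017-03-02T11:02:13 user=mlee mrn=100234 action=VIEW reason=curiosity",
    "2017-03-02T13:45:00 user=mlee mrn=200777 action=VIEW reason=operations auth=ROI-2017-0042",
    "garbage line from a truncated write",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.ts} {f.user} mrn={f.mrn}: {f.rule}")
```

The findings are review items for the Privacy Officer, not verdicts: an access flagged by rule 1 may turn out to have gone through the authorization process outside the system that wrote the log.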
 
 
 
 
Network User Policy - NUP

Network access is a privilege that is granted to users to facilitate the performance of SSH’s business.

User activity is regularly monitored.

The contents and history of a user’s network activity are Stanislaus Surgical Hospital’s property.

Any content a user creates or receives via the network is not private nor personal. This includes:
Web browsing
Email and Instant Messages
Application activity.
 
Mobile Device Security

Only SSH approved smart phones and PDA models may be used to access the SSH network.
Encryption is required for all devices that access the network. Consult SSH IT, your user manual or the vendor’s website for encryption instructions.

Password protection is NOT the same as encryption.

Always follow Stanislaus Surgical Hospital IT guidelines when using an iPhone, iPad or other electronic device that connects to the SSH network.
 
Portable Device & Media Security

All users of portable computers and portable media owned or issued by SSH shall follow all SSH data security policies.

Information systems store data on a wide variety of storage media including:
o Internal and external hard drives
o Internal memory
o Tapes
o Other media devices

These devices and tools are especially vulnerable:
o Laptops and home-based personal computers
o Floppy or ZIP disks and other backup media
o Optical storage using CDs and DVDs
o PDAs and Smart Phones
o Hotel, library or other public workstations
o Wireless Access Points (WAPs)
o Flash memory cards and USB flash drives
o Remote Access Devices including security hardware
 
 
 
Lost or Stolen Removable Media

If you discover your laptop, iPhone, CD or other portable media containing PHI or sensitive information missing, call (209)232-2510 immediately to report it.
 
Sending Secure Email

Any PHI or confidential information sent outside of the SSH network requires encryption.
You must use the “Encrypt Message” button available in your Outlook version.
A confidentiality statement will automatically be included at the bottom of the email.
The required language for the confidentiality statement is located in the SSH email Policy IS.0008.
Report incidents of unsecured email to your Privacy Officer.
 
Reporting Requirements
 
Investigation Response and Notification

Anyone with authorized access to SSH’s records or Network shall immediately report any known or suspected privacy or data security incident.

Reporting options:
Contact your immediate supervisor, who in turn will report the incident to the Privacy Officer.
Contact the Privacy Officer directly: email debbiem@stanislaussurgical.com
Call the SSH Compliance Officer at (209)232-2602
 
Privacy and data security training in healthcare is crucial due to the interconnected nature of the industry, putting patient information at risk. Breaches have resulted in significant financial losses, emphasizing the need for mandatory training to safeguard patient privacy. Understanding responsibilities, policies, and procedures is essential to prevent breaches and maintain compliance with federal regulations.

Uploaded on Sep 14, 2024

