Privacy and Security For Teammates


Privacy and Security For Teammates
This self-directed learning module contains information all CRHS Teammates are expected to know in order to protect our patients, our guests, and ourselves.
Target Audience: All CRHS Teammates, Students, Volunteers, and Physicians

Instructions
Read this module and complete the post-test. If you have questions about the material, ask your new supervisor.

Learning Objectives
When you finish this module, you should be able to:
- Understand patient privacy rights
- Understand how patient information is kept private and confidential in a work setting
- Know how to use and disclose patient information
- Know how to safeguard patient information
- Know how to report a privacy concern
- Know how to properly use Chain of Command when you have a privacy question or concern

Patient Privacy is a law!
The Health Insurance Portability & Accountability Act, better known as HIPAA, gives patients important rights regarding their patient information.

Patient Information
- Any information that is created or received by CRHS about an individual
- Information that is related to treatment, billing, or healthcare operations
- Can be electronic, written, or oral

Patient Information Elements (these must all be removed before something is de-identified)
- Name
- Address
- Birth date
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security Number
- Medical Record Number
- Health Plan Beneficiary Number
- Account and other identifying numbers
- Photographic images
- Characteristics which may identify the person (e.g., tattoos)
- Other unique identifiers

NOTE: ALL CRHS WORKFORCE MEMBERS (TEAMMATES, STUDENTS, VOLUNTEERS, PHYSICIANS, ETC.) ARE REQUIRED TO PROTECT THE PRIVACY AND SECURITY OF OUR PATIENTS' PROTECTED HEALTH INFORMATION!!

Patient Information is Everywhere!
It's not just in the paper or electronic records! Here are some examples of other places you might find patient information:
- Patient status boards
- Financial records
- Fax sheets
- Data used for research purposes
- Patient identification bracelets
- Prescription bottle labels
- Detailed appointment reminders left on voicemail
- Photograph or video recordings of a patient

The Privacy Rule grants patients the following rights:
- Notice of Privacy Practices: Patients have the right to receive a copy of Columbus Regional Healthcare System's Notice of Privacy Practices. Copies are available on the CRHS internet website, each facility's website, and at every point of patient entry at each of the CRHS facilities/practices.
- Restrictions and Confidential Communications: Patients can restrict the use or disclosure of their information and request confidential communications.
- Inspect & Copy: Patients can inspect and/or receive a copy of their healthcare records.
- Amendments: Patients can request an amendment (correction) to their healthcare records.
- Accounting of Disclosures: Patients can request a list showing when and with whom their information has been shared.
- Complaints: Patients can file a complaint with a healthcare provider, insurer, and the U.S. Government if the patient believes his or her rights have been violated.
- Breach Notification: Patients are notified when their patient information has been compromised.
- Paid in Full: Patients can pay for their services in full and request that their healthcare provider not share information with their health plan. CRHS must agree to a request to restrict the disclosure of patient information to his/her health plan for a health care item or service for which the patient has paid in full out of pocket, unless otherwise required by law.

NOTE: CRHS HIPAA Policies and Procedures are available on escoop.

TREATMENT, PAYMENT, OPERATIONS (TPO)
Patient information should only be accessed for legitimate treatment, payment, or health care operation reasons (quality, education, risk management, etc.). All other uses or disclosures require an Authorization or a law!

DO NOT:
- Access patient information because you are curious, regardless of the reason
- Access patient information as a favor to family and friends
- Access your own information through CRHS resources
- Use someone else's login and password

Resist Curiosity: It's Not Worth It
- Every access to the patient record is tracked and can be audited
- Using someone else's login is a violation of policy and will subject you to disciplinary action
- Unauthorized access, including by physicians, will be sanctioned

Dispose of Patient Information Properly!
Dispose of anything that contains patient information in a confidential shred bin, crosscut shredder, or medical waste receptacle.
- Paper: All paper containing patient information must be deposited in a locked shred bin.
- Labels: Removable labels containing patient information should be discarded in a locked shred bin or regulated medical waste receptacle.
- ID Bracelets: ID bracelets removed by a workforce member should be disposed of in a locked shred bin.
- Electronic PHI (e-PHI): Items containing electronic patient information should be disposed of in accordance with IS Policy.
Policy Reference: Disposal Procedures for Patient Information

Be on the lookout!
- Look for discarded patient information in areas where patients may leave their personal information (such as examination rooms, trash cans in the lobby, etc.)
- Post warning signs around trash/recycle cans on how to properly dispose of patient information

Avoid Incidental Disclosures
Incidental Disclosures happen when you are properly using and sharing patient information as part of your job, but it is inadvertently overheard or seen by someone who does not have permission to do so. Examples: discussions with patients in semiprivate rooms or ED bays, calling a patient's name in the waiting room (but not discussing their medical condition), whiteboards or computers on wheels in treatment areas.

Avoid releasing too much information!

Reasonable Safeguards
- Only use and disclose the minimum patient information requested or required.
- Avoid conversations about a patient in front of other patients, visitors, and families.
- Lower your voice when discussing patient information in person or over the phone.
- Avoid conversations about patients in public places (hallways, waiting areas, elevators, cafeteria).

Sometimes it's okay to talk to friends and family
They must be involved in the patient's care or payment, and you can only share what they need to know.
- The patient's friend comes with the patient into the treatment room, and the patient doesn't object to them hearing the conversation
- The patient's daughter is present and has questions about the charges
- You need to tell the patient's husband how to take care of her during the ride home
- There's an emergency and you need to talk to the family to make healthcare decisions
- A friend comes to pick up the prescription for the patient

Sometimes, it's not
- The patient tells us not to talk to their family about their condition
- A family member wants a copy of the patient's medical record (this requires a written Authorization from the patient)
- A neighbor is calling in, curious to know what's going on (only friends and family indicated by the patient are allowed to get information)

CLEAR THE ROOM
You don't need written consent to share in these situations, but try to make sure the patient doesn't object: If possible, clear the room before you start talking about the patient's personal condition, and make sure the patient is okay with everyone coming back in to hear the information. If the patient is unconscious or not available, use your professional judgment to decide if it is in the patient's best interests to share the information.

ALWAYS VERIFY YOU HAVE THE RIGHT PATIENT!
Always check at least two (2) patient identifiers (ex: name, DOB, address) to make sure you have the right patient, especially when handing out patient information.

Best Practices When Mailing Patient Information:
- Double check the mailing address.
- Make sure documents only contain that patient's information. Pay particular attention to: medical records, receipts, depart summaries, discharge instructions, lab results, prescriptions.

Verify Someone's Identity Before You Disclose Patient Information
Remember to make sure people asking for patient information are who they say they are before you disclose.

Best Practices When Faxing Patient Information:
- Double check the fax number before faxing, every time.
- Use a HIPAA compliant fax cover sheet.
- Check the confirmation page.

If you take it, you must protect it: you are responsible for all patient information in your possession!
- First ask yourself: can I access this information online through secure CRHS-approved portals, instead of taking it offsite?
- Only take the minimum patient information necessary to do the work.
- Always secure bags or briefcases.
- Remove any confidential and patient information from your vehicle or lock it in your trunk. Never leave information in view or unattended!
- Inventory what patient information you take to make sure you return all patient information as soon as possible.
- Never take patient information into a public place, such as a restaurant or coffee shop.
- Always secure patient information in your house; do not let others (including your family and friends) view or access it.
- If patient information or confidential information in any form is lost or stolen, notify your management or the Facility Privacy Officer immediately!

Workstation on Wheels
- NEVER leave a workstation on wheels unattended in the hallway or in a patient's room with patient information showing!
- NEVER let anyone use your login; it will show up as you in the medical record.
- Lock the workstation every time you walk away!

- NEVER share your user ID and password with anyone. (CRHS Information Services will never ask you for your password!)
- DO NOT open, forward, or reply to email messages from unknown or suspicious senders.
- Use different passwords for different accounts.
- Pick strong passwords (8 characters: upper case, lower case and numbers).
- Reboot or shut down your computer at the end of your day to ensure security patches are properly applied.

Contact the CRHS IS Help Desk at ext. 8262 or the on-call number immediately IF:
- You click on a suspicious link
- You suspect someone is using your login and password
- You receive unusual error messages or pop-up boxes
- You lose your laptop, smartphone, or other mobile device used to store CRHS data or access the CRHS network. (Contact the CRHS IS Help Desk before you cancel your wireless or phone service if your device is lost or stolen!)

CRHS's Acceptable Use Policy outlines appropriate use of CRHS Resources. Review this policy before taking the post test.

Security Pointers
- Any personally owned laptops, desktops, or mobile devices used to access or store CRHS data that have received prior approval from CRHS Information Services must be encrypted, have anti-virus software, and have Good or BigFix for receiving security patches. Call the IS Help Desk for more information.
- Do not store patient information on hard drives. Use confidential CRHS shared drives behind our firewall.
- Use only encrypted flash drives approved by CRHS Information Services for patient information or other confidential information.
- Do not text identifiable patient information.
- Do not use personal cloud storage (such as iCloud, DropBox) for patient information; this is not secure! Be cautious of auto-sync settings on devices that store photos, videos, documents, etc.

CAUTION: AVOID SENDING EMAILS WITH PATIENT INFORMATION
Only send the absolute minimum patient information needed. If sending to an email address that does not end in @carolinas.org or @crhealthcare.org, you have to SEND CERTIFIED so that the email will be encrypted. Sending without encrypting will be subject to disciplinary action.
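As an added example (not part of the CRHS module), the external-domain rule above can be applied to a message's recipient headers before it leaves: the check assumes exactly the two internal domains listed on the slide, treats every other recipient as requiring Send Certified, and flags lookalike or malformed addresses rather than letting them pass; the function names and the sample addresses are this example's own.

```python
"""Outbound-email recipient check for the Send Certified rule.

Added example, not CRHS code. Assumes the rule exactly as the slide states it:
a recipient whose address does not end in @carolinas.org or @crhealthcare.org
means the message must go out via Send Certified (encrypted).
"""
from email.utils import getaddresses

# The two internal domains named on the slide; everything else is external.
INTERNAL_DOMAINS = frozenset({"carolinas.org", "crhealthcare.org"})


def external_recipients(header_values):
    """Return the recipient addresses that fall outside the internal domains.

    header_values: raw To/Cc/Bcc header strings, each possibly holding several
    comma-separated addresses with display names, e.g.
    ['"Jane Doe" <jdoe@carolinas.org>, billing@vendor.example'].
    Display names are stripped and the domain is compared case-insensitively.
    """
    external = []
    for _display, addr in getaddresses(header_values):
        local, sep, domain = addr.rpartition("@")
        # No '@', empty user part or empty domain: treat as external so a
        # malformed recipient never silently passes the check.
        if not sep or not local or not domain:
            external.append(addr)
            continue
        # Exact match only (assumption: the slide says "ends in @carolinas.org",
        # so carolinas.org.example or notcarolinas.org is external).
        if domain.lower() not in INTERNAL_DOMAINS:
            external.append(addr)
    return external


def requires_send_certified(header_values):
    """True when at least one recipient is external, i.e. Send Certified is mandatory."""
    return bool(external_recipients(header_values))


if __name__ == "__main__":
    # Constructed sample headers, not real addresses.
    sample = ["Jane Doe <jdoe@Carolinas.org>, rn@crhealthcare.org",
              "records@carolinas.org.example"]
    print(external_recipients(sample))      # ['records@carolinas.org.example']
    print(requires_send_certified(sample))  # True
```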

Phishing: Sending a false email to gain personal information, such as a request for login or personal information through email or texting. Did you know that email phishing is the easiest way for criminals to steal information? Never give out your password to anyone, including Information Systems!

Examples of Phishing Messages
- "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below."
- "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
- "Our records indicate that your account was overcharged. You must complete the following form within 7 days to receive your refund."

Social media is a great tool that allows people to communicate through networking sites. Remember! The internet is a public domain and information posted on social media is not private!
- Communicating patient information is strictly prohibited and will subject you to sanctions.
- You should never post identifying information about patients OR THEIR IMAGES, etc. (Removing a patient's name is not enough to make the patient anonymous.)
- Look at the background! A photograph taken in the hospital or office environment may inadvertently have a patient, computer screens, or whiteboards in the background with patient or internal information visible.
- Do not friend patients on social media; have a professional page and a personal page, if you want.
Policy References: Social Media Policy; Communications Environment Acceptable Use Policy

CRHS HIPAA Sanctions
When CRHS workforce members use, access, or disclose patient information inappropriately, regardless of intent, the privacy of a patient's information may be compromised. Workforce members who inappropriately use, access, or disclose patient information are subject to disciplinary action, which may include the following:
- Verbal Counseling
- Written Counseling
- Final Written Counseling
- Termination
Policy Reference: HIPAA Privacy & Security Sanctions

A breach of patient information can cause harm to the reputation of CRHS with our patients and potentially subject CRHS (and you) to serious penalties!

Civil and Federal Enforcements!
- Individuals can be found criminally liable under HIPAA
- Civil and criminal penalties at the State and Federal level
- Penalties of $100 to $1.5 million
- Termination dollars
- Institutions can be fined for failure to act

To report a privacy issue, or if you have a question or concern regarding privacy, you should follow the options below. You will not be penalized for reporting a potential privacy issue.
- Contact Your Supervisor
- Contact Your Facility Privacy Officer
Reporting Non-Privacy Concerns? Contact the Compliance Help Line: (888) 540-7247

Questions about Privacy and Security:
- Contact your Supervisor
- Contact your Facility Privacy Officer (FPO)*
- Privacy Questions: call 910-642-1785
- Security Questions: call 910-642-1719
HIPAA Policies and Procedures can be found on escoop.
*Who is my FPO? Ann Honeycutt

Questions

1. Patient information can only be found in electronic or paper medical records.
   a. True
   b. False

2. A primary physician refers a patient to a specialist for a consultation. The specialist's office calls the primary physician and requests the patient's medical records and insurance information. The primary physician refuses to disclose the information for fear of violating HIPAA. What is wrong with this understanding of HIPAA?
   a. HIPAA does not cover oral communication.
   b. The request by the specialist's office is for treatment purposes, so the primary physician is permitted to release the information without a signed authorization.
   c. Nothing. The primary physician is correct in refusing to disclose the information.

3. One of your family members recently had a procedure at the CRHS facility where you work. You want to find out the results. What should you do?
   a. Use your access rights as a CRHS employee to access your family member's medical record, even though you have no TPO work-related need to know.
   b. Ask a friend who works in the department to access the record for you.
   c. Wait for your family member to tell you the results, if he/she chooses to do so.

4. You need to throw away papers that contain patient information. What should you do?
   a. Throw the paper in the trash can.
   b. Dispose of the paper in a locked shred bin.
   c. Throw the paper away in an external dumpster.
   d. Leave the paper on the floor or in an unsecured box in your office.

5. Which one of the following is an example of how to avoid an incidental disclosure of patient information?
   a. Closing the office door when dictating patient information.
   b. Avoiding talking about one patient in front of other patients and family members.
   c. Avoiding talking about patient information in public places (ex: elevators, cafeterias).
   d. All of the above.

6. You walk into an exam room and the patient's friends and family are in the room too. What ideally should you do first?
   a. Start discussing the patient's condition in front of everyone, including her HIV status.
   b. Ask the patient in front of her friends and family if she's okay with them staying in the room.
   c. Ask the friends and family to step outside so you can talk with the patient alone first; then ask the patient who she is comfortable allowing back in to hear the information.

7. How many patient identifiers should you use when mailing, faxing, or handing out patient information?
   a. Zero
   b. One
   c. Two

8. You have to take patient information off-site. Which are appropriate safeguards to protect the information?
   a. Carry the records in a file with just a rubber band, and then leave them in your car overnight.
   b. Put the records in a locked briefcase or secure envelope, and then take them in with you at home.
   c. Take all the records with you, and then figure out later which ones you need.
   d. Only take the minimum information necessary, and make sure it is all returned as soon as possible.
   e. A and C
   f. B and D

9. Any personal mobile device used to access or store patient information must be encrypted.
   a. True
   b. False

10. You are a nurse and during one of your shifts, a well-known celebrity comes to your department for treatment. It's okay to post information or pictures about the celebrity's appearance at the hospital on your Facebook or Twitter page because your profile is private and only your friends can see it.
   a. True
   b. False

11. Workforce members who inappropriately use patient information are subject to disciplinary action which may include termination.
   a. True
   b. False

12. To report a privacy issue or incident, you can report to which of the following?
   a. Your Supervisor
   b. Facility Privacy Officer
   c. All of the above.