Protecting PHI for Clinical Staff and Students

Similar documents
HIPAA Privacy Training for Non-Clinical Workforce

Privacy and Security For Teammates

HIPAA Training

Updated FY15 Dignity Health General Compliance Education for Staff Module 2

Breach Reporting and Safeguarding PHI Outpatient Services August, UAMS HIPAA Office Anita Westbrook

MCCP Online Orientation

CLINICIAN S GUIDE TO HIPAA PRIVACY

Advanced HIPAA Communications and University Relations

Information Privacy and Security

Study Management PP STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information

Privacy and Security Compliance: The. Date Presenter Name of Member Organization

HIPAA Privacy & Security Training

East Carolina University 2010 Annual HIPAA Privacy Training

HIPAA PRIVACY TRAINING

HIPAA 201: Student Self-Learning Module & Test

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.

Health Information Privacy Policies and Procedures

What is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA?

HIPAA Privacy & Security Training

HIPAA Education Program

QUESTIONS. Print Student s/faculty Name: Date of Test Completion: Site of Experience: School/University: Semester:

Student Orientation: HIPAA Health Insurance Portability & Accountability Act

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA. Health Insurance Portability and Accountability Act. Presented by the UMMC Office of Integrity and Compliance

Health Insurance Portability and Accountability Act. Awareness Training for Volunteers

Security Risk Analysis

WHAT IS HIPAA? HIPAA is the ELECTRONIC transmission of Three programs have been enacted to date Privacy Rule April 2004

Presented by the UAMS HIPAA Office August 2013 Anita B. Westbrook

The Privacy & Security of Protected Health Information

Protecting Patient Privacy It s Everyone s Responsibility

Compliance & Privacy For Teammates

Valley Regional Medical Center HIPAA AND HITECH EDUCATION

Emergency Medical Services Division Policies Procedures Protocols

HIPAA Health Insurance Portability and Accountability Act of 1996

Safeguarding PHI Nutrition Services. UAMS HIPAA Office May 2015

INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS

The University of Toledo. Corporate Compliance and HIPAA Training. Presented by: The Compliance and Privacy Office

HOW TO MAINTAIN A LAB NOTEBOOK- RECORD KEEPING AND HIPAA. Fern Tsien, PhD Department of Genetics LSUHSC

A general review of HIPAA standards and privacy practices 2016

Title: HIPAA PRIVACY ADMINISTRATIVE

HIPAA and HITECH: Privacy and Security of Protected Health Information

2018 Employee HIPAA Orientation (EHO) Handbook

Policy and Procedure Manual

Compliance & Privacy For Teammates

System Office New Hire Orientation

INFORMATION ABOUT Children s Mercy Hospitals and Clinics for our Affiliates

I. POLICY: DEFINITIONS:

NOTICE OF PRIVACY PRACTICES

AN OVERVIEW OF FIPPA for FACULTY, INSTRUCTORS & ADMINISTRATORS. Information and tips on how to keep you FIPPA FRIENDLY

Reporting a Privacy Breach to the Commissioner

PRIVACY POLICIES AND PROCEDURES

FCSRMC 2017 HIPAA PRESENTATION

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

DUTIES OF A CUSTODIAN

NORTHWEST TERRITORIES INFORMATION AND PRIVACY COMMISSIONER Review Recommendation File: July 13, 2015

Failure to comply may result in WU being liable for civil and criminal penalties under the HIPAA regulations.

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

What is your start date? (Date in which you plan to begin seeing patients in the hospital). Specialty SECTION I. IDENTIFICATION DATA

Navigating HIPAA Regulations. Michelle C. Stickler, DEd Director, Research Subjects Protections

Understanding the Privacy and Security Regulations

REVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 PLEASE REVIEW IT CAREFULLY

PARAGOULD DOCTORS CLINIC PRIVACY NOTICE

Methodist Le Bonheur Healthcare Corporate Compliance and HIPAA New Associate Training

LifeBridge Health HIPAA Policy 4. Uses of Protected Health Information for Research

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders

Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations.

PERSONALLY IDENTIFIABLE INFORMATON (PII)

HIPAA for CNAs. This course has been awarded one (1.0) contact hour. This course expires on May 31, 2020.

HIPAA Privacy and Security Training for Researchers

Technology Standards of Practice

Compliance with Personal Health Information Protection Act

HIPAA Privacy Rule. Best PHI Privacy Practices

Yale University. HIPAA PRIVACY FAQs

Compliance Program, Code of Conduct, and HIPAA

THE PRIVACY ACT AND THE AUSTRALIAN PRIVACY PRINCIPLES FREQUENTLY ASKED QUESTIONS

The Personal Health Information Act (PHIA) Access and Privacy Office

CAPITAL SURGEONS GROUP, PLLC

Compliance & Privacy Post Test

RISK MANAGEMENT AND PATIENT SAFETY

HIPAA Are You As Compliant as You Think?

MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES

SUMMARY OF NOTICE OF PRIVACY PRACTICES

HIPAA Privacy Policies & Procedures Table of Contents

I. PURPOSE DEFINITIONS. Page 1 of 5

HIPAA is the Health Insurance Portability and Accountability Act

Associated Pediatric Dentistry Belleville, Edwardsville, O Fallon, IL

School Based Health Services Consent Form

Student Orientation Post-Assessment

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Resident/Fellow Training Orientation Policies

IVAN FRANKO HOME Пансіон Ім. Івана Франка

Chapter 9 Legal Aspects of Health Information Management

Security Risk Analysis and 365 Days of Meaningful Use. Rodney Gauna & Val Tuerk, Object Health

HIPAA Privacy Regulations Governing Research

ERIE COUNTY MEDICAL CENTER CORPORATION NOTICE OF PRIVACY PRACTICES. Effective Date : April 14, 2003 Revised: August 22, 2016

Section: Medical Staff Office Page: 1 of 2

VHA Privacy Policy Training FY VHA Privacy Office

CLINICAL SERVICES POLICY & PROCEDURE (CSPP No. 25) Clinical Photography Policy in the Pre-Hospital Setting. January 2017

Transcription:

Office of Compliance Programs Protecting PHI for Clinical Staff and Students Revised: July 24, 2017 Introduction HIPAA requires that LSUHSC-NO "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." {45 CFR 164.530(c)(1)} The HIPAA Privacy Rule A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI)about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions. What is PHI? PHI consists of two parts: Information that personally identifies the patient (e.g. name, SSN, MRN, DOB, Date of Service, genetic information, etc.) Any information, including genetic information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. What Form Does PHI Take? PHI can be in any format, including but not limited to: Verbal (e.g. conversations) Written (e.g. computer printouts, handwritten or typed notes, filled out forms, photographs, etc.) Electronic (e.g. EHRs, spreadsheets, databases, digital images, online forms, etc.) Where Can PHI Be Found? Depending on the format, PHI can be found in: Electronic Health Records File cabinets Desks (e.g. papers, desktop computers, etc.)

Hallways, waiting rooms, elevators (e.g. converstaions with others or on the phone) Spreadsheets, Word documents, PDFs, databases, etc. Pockets (e.g. Notebooks, smartphones, flash drives) Mobile devices (e.g. laptops, tablets, USB portable hard drives, etc.) Network file servers Printers, copiers, fax machines Protecting PHI We have an obligation to protect the privacy of LSUHSC-NO patients. Simple acts can have serious consequences. What are some of the ways to help insure PHI is protected? Do you REALLY need to use PHI? While using and disclosing PHI is essential for treating patients, there are many tasks that can be accomplished without using PHI. For example, the statement, "Mr. Carbuncle is ready to have his boils lanced," contains PHI. However, the statement "Mr. Carbuncle is ready for you in Room 3," does not. Many times the use and disclosure of PHI can be reduced by simply choosing to use and disclose health information OR use and dislose identifiers but not both. Most hospitals have banned using texts or email to communicate PHI. When the identifiers are separated from the health information, it is no longer PHI and can be sent safely. In the example below, a resident has sent a text to an attending physician regarding a patient's lesion. The photograph does not include the patient's face or any unique identifying marks such as scars or tattoos. The text does not include the patient's name or any other identifiers. For that reason, the text does not contain PHI and is not subject to HIPAA.

The resident then calls and discusses the case with the attending physican. He can clarify any identifiers during the call. Scenario 1 Dr. Capaldi, a second year resident, is working the evening shift at Our Lady of Perpetual Sorrows Hospital. He is concerned about some lab values on a recently admitted patient. He phones the attending on call, Dr. Hartnell, to discuss his concerns but the list of lab values is too long to relate over the phone. Dr. Hartnell instructs Dr. Capaldi to text him the lab values. Our Lady of Perpetual Sorrows has a strict ban on texting PHI so Dr. Capaldi takes a photograph of the lab values and carefully crops out all the patient identifying information (name, MRN, etc.). He then texts the picture to Dr. Hartnell. Afterwards, Dr. Capaldi deletes the photograh from his phone. Has Dr.Capaldi violated the hospital's ban on texting PHI? Hover your mouse over or tap your finger on the box below to see the right answer. (Tap on any picture to make the answer disappear.) Yes

No Redaction Another method of separating identifiers and health information is redaction. Redaction is the process of obscuring or removing information from a document or record. It is a difficult and painstaking process to do correctly on existing documents and records. ALL instances of the information (e.g. name) and indirect references (e.g. mother s name) to the information must be identified and redacted. The redaction method must render the redacted information unrecoverable. In many cases, redaction is needed to prevent sensitive information from being breached. Records request (from someone other than the patient) Legal discovery Research Publication Article Web page Physical Redaction Physical redaction is applied to paper records and analog recordings. Methods include: Excising (cutting) the printed or recorded information with a knife or scissors. Erasing magnetically information from recordings. Obscuring information with a special redaction marker. When excising, be sure to collect all the cuttings and ensure they are destroyed by shredding or incinerating. When blacking out sections of paper documents ensure that information has been completely obscured. Use a marker especially designed for redaction. Shine bright light on and through the paper to ensure that the underlying information cannot be viewed. It may be necessary to blacken both sides of the paper or photocopy the blackened page and substitute the photocopy to ensure the underlying information cannot be viewed. Digital redaction Digital redaction is extremely difficult to perform correctly. Most computer programs are designed to preserve information, not destroy it. The majority of computer programs used for editing text do not have a redaction function. This requires the individual performing the digital redaction to have an in-depth knowledge of information is stored in a computer. Adobe Acrobat (not Acrobat Reader) version 9 and later has an effective redaction function. It is a two step process: 1. First, mark all the information in the document to be redacted. 2. Tell the program to redact the information. The program will warn you that the selected information is about to be destroyed and will become unrecoverable. You will need to confirm that is what you want before the information is actually redacted. Digital Redaction Methods That DON T WORK

Highlight Function Using the highlight function and selecting the color black produces a document that has the same appearance as a redacted document. However, the information underneath the highlight has not been destroyed. To view the redacted information, simply select the whole document and highlight it in yellow. Track Changes- Some people choose to simply delete information from their documents and save the altered version. This is effective unless the Track Changes function is turned ON. When Track Changes is active. The deleted information is preserved and can be viewed, even though it is redlined. Password protecting a document Most methods for password protecting a document are extremely weak and easily cracked. There are many free utilities available for this purpose. A search for free Adobe password remover produces over a million results. A search for free Microsoft Office password cracker produces over eight (8) million results. How to Check Digital Redaction Search the document for the redacted information. If the search function can find it, it has not been redacted. Select all the information in the document and highlight in a pastel color like yellow or light green. Does the redacted information become readable? Copy the redacted information from the document and paste it as plain text into a blank Word document. Does the redacted information become readable? Ensure Track Changes is turned OFF. REMEMBER In order for redaction to be effective, the redacted information must be unrecoverable. ALL instances of identifiers in the document must be redacted for the document. If one instance of an identifier (e.g. the patient s name, DOB, etc.) is missed, the document is considered identified information. For digital documents, use the search function to identify all instances of identifiers. For paper documents search the document from beginning to end and then from end to beginning. Get help from co-workers and fellow students in reviewing documents for identifiers. When You Really Need to Use PHI What about when it's not feasible to separate identifiers from health information and you need to use and disclose PHI (which is most of the time)? It is your responsibility to take reasonable precautions to help insure that PHI remains confidential. What are some of the precautions you can take? Verbal Never discuss a health information with a patient when others are present in the room unless you have cleared it with the patient first.discussing health information with a minor child and her/his parents is an exception. When it is anticipated that you will be speaking with relatives without the patient present (e.g. the patient is having surgery), discuss this with the patient beforehand and find out if the patient has any concerns about her or his health information being shared with loved ones. When discussing the patient's condition, whether it is a discussion with relatives or colleagues, move out of earshot of others and keep your voices low to avoid being overheard. Close exam room doors or pull curtains in patient rooms when patients are being examined/treated. On the Phone If at all possible, do not to use patient identifiers when discussing a case on the phone. Be aware of your surroundings when discussing patient information on the phone: Check to see if anyone is within earshot Use a low tone of voice

Written When leaving a voicemail message, leave the minimum information necessary. Someone other than the patient may listen to the messages. Do NOT leave any information about a patient s diagnosis or treatment on a voice mail. A message like, Please call Dr. Smith s office at your earliest convenience. is fine. A message like, Please call the LSU Clinic, is fine. (No indication of diagnosis or treatment.) A message like, This is Dr. Smith calling with the results of your STD test. is not acceptable. A message like Please call the HemOnc clinic as soon as possible. is not acceptable. (Specialty clinics reveal information about the patient s diagnosis and treatment.) Loose pieces of paper being transported from one place to another should be secured in an envelope or folder to prevent them from slipping out. Papers with PHI should not be left lying around in unsecured areas. Papers with PHI should not be brought outside the hospital unless they are being transported from one place of business to another in a secure manner. Always dispose of paper PHI in the shred bin. If you use a shredder in your office, it must be cross cut shredder that produces confetti, not long strips. Don't bring paper with PHI home. If you have documents with PHI in your work area, make sure that they are placed face down or otherwise concealed when not in use. Make sure that any room that has medical records in it is always attended by an employee. If there is not an employee with the records, store the medical records in a locked room or cabinet. If medical records are transported from one location to another, ensure that they are secured, cannot be dropped during the transport, and are not left unattended in hallways, patient waiting areas, parking garage of the hospital etc. Be aware that written PHI can show up in places other than paper. For example, a view box with an x-ray can also show PHI since the patient's name is usually noted on the x-ray. Be cautious of printed patient information, billing sheets, lab reports, notebooks with handwritten notes, report sheets for notes about patients, etc. These are items that are often left unattended in areas that are accessible by patients. They are also items that are often accidentally dropped and found by others. Faxes Verify that you have the correct information before you send it. Verify that the fax number you are using is current and correct. Always use a fax cover sheet. If it is a frequently used number, consider pre-programmed numbers (once they are verified). Call to make sure the intended recipient received the fax. Only send the required information. Make sure to update pre-programmed numbers on a regular basis. Mailings Only send the minimum information necessary. Verify that the right information is being sent to the right person. Information Handed Directly to the Patients Verify that you have the correct information going to the correct recipient. Use two identifiers to ensure you have the right patient. Thumb through the papers being sent to make sure one patient's information is not "stuck" to another PHI may be found on items such as arm bands, prescription bottles, and IV bags. Make sure that none of these are discarded in the regular trash. IV bags should have pull away labels that once torn from the bag can be disposed of in the shred bin. Paper PHI should be disposed of in shred bins. A few points about shred bins: Make sure that any shred bin that you use is locked.

Electronic Keys should not be left in the shred bin. If the shred bin is so full that you can pull papers out of it, immediately notify the department that is responsible for emptying the shred bin. For those emptying the shred bin, make sure that any bags of paper are in a secure, locked location while awaiting pick up from the shredding company. When working with disposal companies, verify the identity of the disposal company employee before turning over any PHI. REMEMBER: The paper in the shred bin has patient PHI, and is just as important to secure as a patient's medical record. Do not write your password down and place it around the computer for others to use or discover. Do not share your password with others. Do not download patient information onto jump drives or personal mobile devices that are not encrypted. Do not download patient information into folders that are not secured by LSU HCSD/HSC-NO Information Technology staff. If you have a laptop, do not store patient information on it unless it has been encrypted. Do not store PHI on personal laptops without expressed knowledge and permission of the healthcare institution. If possible, face your computer monitor away from public viewing, or use a privacy screen over the monitor. Do not leave screens open that contain patient information if you are not actively working on the computer. Ideally, PHI should remain on LSUHSC servers and accessed through Citrix or the VPN (remote.lsuhsc.edu). All electronic devices should be secured at all times. Lost or stolen electronic devices account for the majority of reported HIPAA breaches in the United States. The best defense is to not store PHI on such devices unless the device(s) is encrypted. If you carry a mobile device that has access to patient PHI, it should be password protected and encrypted. Emails Verify the individuals listed in the To:, CC:, and BCC: fields are the ones who are authorized to receive the information. Inspect any and all attachments to ensure the information is appropriate for the intended recipients Check with the IT department or your computer supporter before disposing of computers and portable storage devices such as thumb drives. Verify that processes are in place to ensure PHI is wiped from the hard drive memory of copy machines and biomedical equipment (the vendor may be contracted to do this for you). If a large amount of patient information needs to be shared, you can use secure computer folders or links. Contact your IT department for more information on this option. To share large files securely with outside entities, use LSU Health FileS (File-Sharing Solution). If you do use folders in Public Folders, or on certain drives on your local workstation, remember that identifiable patient information should not be stored there unless the folder has sufficient security to limit access to only those who need it. Other Concerns Pictures of Patients Check the policy at the institution you are working regarding photographing patients to fully understand what is or is not acceptable when it comes to taking pictures of patients. In many cases, the patient must provide written consent before a picture may be taken.

Strangers Hospitals and health care facilities are bustling places, with people moving quickly about everywhere. In such an environment, it would be easy for someone to go unnoticed while attempting to steal PHI. Should anyone come to you, with whom you are not familiar, asking for access to PHI, or to restricted areas within the hospital or health care facility where you work, it is important to verify their identity. If you have not been notified by your supervisor that there is someone who will need access to an area or information, verify with your supervisor, Security, Hospital Administrator or the Compliance department at the hospital or health care facility where you are working before granting them access. This is true, even if the person appears to have proper identification. Accessing Records Each of us only has authorization to access PHI based on a need to know basis for the purpose of fulfilling our job responsibilities. Unfortunately, some take advantage of various sources of PHI to satisfy curiosity or other motives instead. LSUHSC-NO faculty, staff and students may find themselves working and/or training in facilities that use electronic health record systems that are shared by multiple, independent health care providers. An example of such a system is the PELICAN electronic health record. In such cases, an individual must be granted permission to access the electronic record in writing by the facility that owns the record, in addition to having a job related need to view the information before accessing the electronic record. No matter why an employee or physician accesses PHI, if there is not a job specific reason to do so, the access is prohibited by LSU policy, and the HIPAA regulations! This includes access to family members information, including spouses, parents, adult children, siblings, significant others, coworkers, etc. Any such unauthorized access would be a direct violation of HIPAA regulations, and expose the person who violated them not only to disciplinary action, but also to possible legal action. If you are the caregiver of a family member or friend and need access to PHI, then a release of information form signed by the patient should be given to medical records so that you can be given information on the patient by medical records. Possession of Records What identified patient information do you have in your possession? To whom does this information belong? The patient The hospital or other healthcare institution Do you have right to have that information in your possession? Are you treating the patient. Do you have written authorization from the patient or the hospital to possess this information. When should patient information in your possession be destroyed, de-identified or turned over to the healthcare institution? When the treatment relationship ends. Change in rotation Change in employment In certain instances, at the end of the research study, if these are research records. (see CM-53 Section S) Social Media LSUHSC-NO recognizes that social networking websites and applications (i.e. Facebook, Twitter, and YouTube, etc.) are an important and timely means of communication. However, LSUHSC-NO faculty, staff,

residents, and students who use these websites and applications, must be aware that the protections of patient information required by HIPAA apply to social media as well. While it is popular to share events that happen at work or school on social media outlets in the form of posts, pictures, and/or videos, employees and students of LSUHSC-NO must be vigilant to ensure that patient information is NOT compromised in the process. Some ways to prevent PHI from being exposed on social media include: Ensure that All personal identifiers are removed (e.g. age, gender, race, before and after photographs and/or tattoos), and are NOT inadvertently included in any social media. Be familiar with the hospital's social media policy. It may have different restrictions than LSUHSC-NO's policy. In the absence of a policy, care must be exercised when posting information for educational purposes to ensure that any information posted combined with other readily available information (ex. address, telephone number, etc.) will NOT result in the identification of the patient. Policies of Affiliated Hospitals The HIPAA regulations allow hospitals to use a combination of physical, technical and administrative safeguards as necessary to protect PHI. When working in a different hospital, be mindful of the possibility that the hospital s HIPAA policies may be different from those at LSUHSC-NO.. For example, LSUHSC-NO allows access to its network from outside the campus because it has a technical control called a virtual private network (VPN) in place. Another hospital may choose not to incur the cost of a VPN and use an administrative control in the form of a policy that forbids accessing the hospital network from outside the campus. When working at another hospital, it is your responsibility to familiarize yourself with that hospital s policies and ensure that they are followed. Breaches If you become aware of a breach of PHI or suspect a breach may have occurred, it should be reported immediately to: The Compliance/Privacy Officer in the Office of Compliance Programs at LSUHSC-NO, and The appropriate official at the institution where the breach occurred if other than LSUHSC-NO. Compliance will conduct a risk assessment to determine if the breach must be reported to the patient and the U.S. Department of Health and Human Services. Timely notification of any known breach is CRITICAL as we only have 60 days from the discovery of the breach to take the necessary action required by the Breach Notification Rule. Getting Help If you have any questions, please contact the Office of Compliance Programs by: Email: nocompliance@lsuhsc.edu Phone: (504) 568-5135 Anonymous Hotline: (504) 568-4367 In Person: RCB, suite 807 Website

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback