Privacy & Data Security Refresher FY2013

Page 1: Privacy & Data Security Refresher FY2013

Page 2

The healthcare industry is becoming more interconnected

(Diagram labels: Health Plans; Medical Services; Hospitals; Pharmacies & Drug Companies; Physicians & Medical Practices; Medical Devices; Medical Records, EMRs & HIEs; Research; Human Resources.)

Page 3

Privacy & Data Security Breaches Happen Every Day

Page 4

Privacy and Data Security Refresher Objectives

This training session will focus on the key parts of privacy and data security regulations and Dignity Health policies that you need to understand in order to protect patient and confidential information, such as:

• Federal and state privacy and data security regulations.

• What information must be protected.

• Using Minimum Necessary standards.

• Your responsibilities as a user of the Dignity Health network.

• Appropriate uses of social media, cell phones and electronic devices.

• The consequences for non-compliance.

Page 5

What is Your Responsibility?

All Dignity Health employees, business associates, contractors, and volunteers are responsible for taking an active role to protect patient and confidential information.

You are responsible for:

• Reading the Privacy and Data Security Employee Handbook.

• Abiding by all Dignity Health privacy and data security policies and procedures.

• Complying with federal and state privacy and data security regulations.

• Reporting all known or suspected privacy or data security incidents.

• Understanding the consequences for non-compliance with regulations or Dignity Health policies.

Page 6

Facility Privacy Official

Each Dignity Health facility and system office has a designated Facility Privacy Official (FPO) or Facility Privacy Liaison (FPL).

The FPO role is responsible for:

• Implementation of HIPAA and state privacy and data security regulations.

• Implementation of Dignity Health privacy and data security policies.

• Privacy and data security training.

• Ensuring staff compliance with all regulations and Dignity Health policies.

• Investigation of privacy and data security incidents.

• Notifications of breaches to regulatory agencies and patient(s).

Page 7

Privacy & Data Security Regulations

Page 8

HIPAA Regulations

HIPAA regulations include controls for the use and disclosure of Protected Health Information (PHI).

• Use: when Protected Health Information (PHI) is used internally for Treatment, Payment or other Healthcare Operations (audits, training, customer service, internal analysis, etc.).

• Disclosure: to release, transfer or provide access to a patient’s PHI physically, orally, or electronically to someone like a physician, an attorney, another provider, insurance company, billing contractor, etc., outside of Dignity Health.

The Health Insurance Portability & Accountability Act (HIPAA), passed by Congress in 1996, is managed by the Office of Civil Rights (OCR) through the Department of Health and Human Services (HHS).

Page 9

HITECH Act - Expands HIPAA

Enforced by the Office of Civil Rights (OCR) of the Department of Health & Human Services. Additional enforcement is granted through state Attorneys General to enjoin actions and obtain damages on behalf of individuals. HITECH applies HIPAA standards and penalties to Business Associates.

Increased penalties for HIPAA violations:

• Maximum penalty per violation increases from $100 to $50,000.

• The cap on penalties for all similar violations increased from $100,000 to $1,500,000.

• Makes individuals subject to penalties.

Effective January 1, 2009, the HITECH Act is the privacy and data security component of the American Recovery and Rehabilitation Act (ARRA).

Page 10

California Privacy Laws

California Health & Safety Code 1280.15 (SB541) impacts hospitals. It prohibits unauthorized viewing, use or disclosure of medical records without a direct need for diagnosis, treatment or other lawful use.

• Effective January 1, 2009.

• Requires that breaches be reported to the California Department of Public Health (CDPH) and patient(s) within 5 business days of discovery.

• The alleged violator’s name is required as part of reporting.

• Authorizes penalties: $25,000 per patient, up to $250,000; $100 per day for failure to report.

Even if your facility is not in California, be aware that Arizona and Nevada facilities often deal with patients and PHI from California, especially our business offices.

Page 11

California Privacy Laws

California Health & Safety Code 130200 (AB211) impacts both healthcare providers and individuals.

• Effective January 1, 2009.

• Creates the California Office of Health Information Integrity (OHII), authorized to impose fines for violations.

• Provides a private right of action for patients to seek damages as a result of privacy or security incidents.

• Places liability directly on the individual who knowingly, willfully or negligently obtains, discloses or uses medical information inappropriately, with penalties from $2,500 to $250,000 per violation.

Page 12

California Privacy Laws

California Civil Code 1798.82 takes privacy and data security beyond HIPAA. Employee information, credit card data and data not publicly available are all subject to safeguards and protections depending on their classification.

• Effective January 1, 2012.

• Requires reporting of breaches to the California Attorney General.

Personal Information: means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual. Includes one or more of these data elements:

• Name or signature

• Address or telephone number

• Medical information

• Health insurance information

• Social Security number

• Other personally identifiable information

Page 13

Federal Trade Commission’s Red Flag Rules

In response to increasing instances of thieves using identity theft to open new accounts and misuse existing accounts, the Federal Trade Commission (FTC), federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.

Requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program to detect, investigate, and mitigate possible identity theft.

• The final Red Flags “Rule” became effective January 1, 2008.

• Enforcement Date: June 1, 2010.

Dignity Health facilities are located in the three states with the highest rate of identity theft.

Page 14

110.1.051 Red Flag Rules Policy

A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Medical ID theft is the fraudulent use of another’s identifying information to gain access to medical services.

Medical ID theft can cause serious medical record issues for the valid patient. Fictitious records (labs, diagnosis, etc.) can be created and cause harm to the victim in future treatment.

The Red Flags Rule impacts hospitals because we handle patient credit card information.

The Business Owner or his/her representative is responsible to provide training at each Dignity Health facility for all staff with access to patient financial information (functional areas like HIM, registration, PFS staff, etc.).

Page 15

110.1.049 Safeguarding Credit Card Information Policy

Dignity Health processes about $200M in credit card transactions annually.

The Payment Card Industry (PCI) has set up data security standards for processing, storing and transmitting credit card information. Breach of or noncompliance with the standards can subject an organization to:

• Reporting to banks and payment card processors.

• Liability for credit card financial losses.

• Fines up to $500,000 per incident.

• Reimbursement for credit card transactions can be withheld.

• Loss of merchant status and no longer being able to accept credit or debit cards.

Most likely, a PCI breach will involve PHI, and is also subject to HIPAA liabilities.

Page 16

Protecting Patient Privacy

Page 17

What Information Must You Protect?

We use PHI every day for patient treatment, billing, research, and teaching. You must protect all patient PHI and other confidential information in ANY medium, whether written, verbal or electronic – including photos, videos, and x-rays.

Protected Health Information (PHI) – includes any name, number, code, photo or any data element that can be used directly or indirectly to identify an individual (e.g. name, date of birth, home address, Social Security number, phone number, images, medical record number, etc.).

Confidential or Sensitive information – not PHI, but includes data for Dignity Health employees, job applicants, fund raising contacts, financial information, etc.

Even if you do not deal with patient information directly, Confidential or Sensitive information should be treated with the same precautions as PHI.

Page 18

110.1.015 Minimum Necessary Standards Policy

• Dignity Health workforce members may only access the minimum necessary information to complete their job responsibilities.

• Dignity Health workforce members must apply minimum necessary standards when PHI must be disclosed or provided to someone outside of Dignity Health (for example, an attorney, contractor, business associate, auditor, etc.).

• Minimum Necessary does not apply to use or disclosure of PHI for treatment purposes.

HIPAA’s Privacy Rule requires that you make a reasonable effort to limit the use, disclosure or release of PHI to only the Minimum Necessary data elements needed to accomplish the intended purpose.

Page 19

110.1.014 Safeguarding PHI & Sensitive Information Policy

Protecting patient privacy and confidential information means practicing some basic safeguards in your everyday work.

• Do not leave documents with PHI or confidential information unattended in fax machines, printers or copiers.

• Turn over or cover all PHI and Confidential information when you leave your work area.

• Never remove PHI or other Confidential information from a facility without proper authorization and security measures.

• When at the office or off-site, store portable media that contains PHI or Confidential information in a locked drawer or cabinet.

• Do not allow friends, relatives or visitors into work areas with PHI or Sensitive information without appropriate authorization.

Page 20

Safeguarding Faxes and U.S. Mail

Misdirected faxes are the #1 reported privacy incident across Dignity Health. Per our 110.1.014 Safeguarding PHI and Sensitive Information Policy, everyone must use a Dignity Health fax coversheet when faxing PHI or other confidential information.

Always verify the recipient’s fax number before sending (including preprogrammed numbers).

Report to the FPO any misdirected fax or U.S. mail that contains or pertains to the following:

• Requests for or copies of medical records

• Billing documents, checks or other documents with PHI

• Privacy-related complaints

• PHI or sensitive information

• Office of Civil Rights (OCR) letters

Page 21

Safe Disposal of PHI and Confidential Information

HIPAA requires that PHI must be kept confidential even when it is thrown away.

Never dispose of paper, film, or other hard copy containing PHI or other sensitive information in a garbage can or recycle container. It must be shredded or put into a locked shredder bin.

Paper records with PHI should be shredded or disposed of in a manner that the PHI cannot be read or reconstructed.

Pill bottles or patient care items with labels that contain patient information should be destroyed and never put in a recycle bin or garbage can.

Electronic media (CDs, DVDs, backup tapes, etc.) that contain PHI or confidential information must be cleared, overwritten, purged or destroyed so that the information cannot be retrieved.

Page 22

Social Media Guidelines

Per Dignity Health’s Standards of Conduct, employees are expected to always conduct themselves in a manner that reflects integrity, and shows respect and concern for others, including in the use of Social Media.

Always be respectful of your colleagues, Dignity Health, and our competitors.

Never post confidential information or a photo of a patient on the internet, even if it does not include the patient’s name.

Never discuss confidential information in public forums, chat rooms, text messages or news groups.

Inappropriate posts of confidential information or photos can seriously damage Dignity Health’s reputation, and result in individual liability for the responsible person(s).

Think about the consequences that may result from your communications.

Page 23

The Reality of Social Networks

One person’s post grows exponentially based on “friending”.

(Diagram, recovered as text:)

Level 1: Krystal (1 person). Krystal posts information about a patient she treated in the ED on her Facebook page and how interesting the case was.

Level 2: Krystal’s friends (153 friends): John, Christy, Bill, Jana, Lisa, Austin, Rita.

Level 3: Krystal’s friends’ friends (26,928 people). Average 176 friends × Krystal’s 153 friends = 26,928 people. (Jana 237 friends, Christy 130, John 305, Austin 124, Bill 176, Lisa 423, Rita 203.)

Level 4: Their friends’ friends (over 4.7 million people). Average 176 friends × 26,928 people = 4,739,328 people. (Jana’s friends’ 41,475 friends, Austin’s 14,200, Bill’s 17,500, Lisa’s 34,200, Rita’s 64,525, Christy’s 22,750, John’s 53,375.)

Page 24

Data Security

Page 25

Data Security

Dignity Health is required by law to monitor and detect any potential privacy or data security breach, including regularly monitoring user network activity.

The HIPAA Security Rule establishes standards to protect electronic PHI (ePHI) and PHI from unauthorized access or disclosure, whether it is at the facility or off-site.

ePHI includes information that is used, received, transmitted or stored in an electronic medical record, patient billing system, digital images and print outs.

It is the responsibility of all Dignity Health network users to safeguard and protect ePHI.

Attempts to bypass or override any privacy or data security safeguards to access PHI are a violation of Dignity Health’s policies.

Information is a valuable Dignity Health asset.

Page 26

Network Usage Policy 110.1.037 (NUP) for Employees

Dignity Health Network access is a privilege that is granted to users to facilitate the performance of Dignity Health business.

User responsibilities are covered in the Network Usage Policy (NUP) that every network user must read and sign.

There are separate Network Usage Policies for Contractors (110.1.052) and Providers (110.1.050).

Dignity Health regularly monitors user activity.

The contents and history of a user’s network activity are Dignity Health’s property.

Any content a user creates or receives via the network is neither private nor personal. This includes:

• Web browsing

• Email and Instant messages

• Application activity

Page 27

Network Usage Policy 110.1.037 (NUP)

As a user of the Dignity Health network, you are responsible for all activity under your user name, and for using appropriate safeguards to protect the privacy and security of all data.

• Memorize your passwords and never share them with anyone.

• Use the network for Dignity Health business.

• Log out of all workstation computers when leaving them unattended or at the end of the work day.

• Set your computer screen to “locked” when you step away from your workstation to avoid unauthorized access.

• Comply with Dignity Health IT requirements for anti-virus protection, screen savers, encryption, and other computer settings used to safeguard the network.

Page 28

Inappropriate Access & Snooping

The law requires that covered entities restrict the access and disclosure of Protected Healthcare Information (PHI) and obtain authorization in writing.

PHI may not be accessed by any employee, contractor or physician without a legitimate business purpose, e.g. treatment, payment or healthcare operations.

In order to ensure compliance with regulations, Dignity Health requires employees to follow the same authorization procedures as patients.

(Cartoon caption: Being Snoopy Can Get You In The Doghouse)


It is a violation of Dignity Health policy to use your network credentials to access your own PHI, or the PHI of a family member or other individual, without the proper authorization procedures.

Inappropriate access of PHI will result in disciplinary action per HR policy 120.1.006.

Protecting PHI is everyone’s job. PHI is not everyone’s business.
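The monitoring the slide refers to can be illustrated with a small detector; this is an added example, not Dignity Health's own tooling. It scans a constructed EHR access-audit log for the patterns the slide names: a user opening their own record, a declared relative's record outside a treatment relationship, and access with no legitimate business purpose. The log layout, user directory, relative declarations, care-team roster and reason codes are all assumptions.

```python
"""Snooping detection over a constructed EHR access-audit log.

Added example, not Dignity Health code. The log layout, the user directory,
the declared-relative list, the care-team roster and the reason codes are
constructed for this illustration.
"""
import csv
import io
from typing import Dict, List, Set

# Constructed directory: network user -> the user's own medical record number
# (workforce members are often patients of the same system).
USER_MRN: Dict[str, str] = {"jdoe": "MRN100", "asmith": "MRN200", "bnguyen": "MRN300"}

# Constructed conflict-of-interest declarations: user -> relatives' MRNs.
DECLARED_RELATIVES: Dict[str, Set[str]] = {
    "jdoe": {"MRN101"},
    "bnguyen": {"MRN101", "MRN301"},  # bnguyen legitimately treats MRN101 (see roster)
}

# Constructed care-team roster: patient MRN -> users with a treatment relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "MRN100": {"asmith"},
    "MRN101": {"bnguyen"},
    "MRN301": {"asmith"},
    "MRN500": {"jdoe", "asmith"},
}

# Reason codes that count as a legitimate business purpose (treatment, payment,
# healthcare operations). Treatment additionally requires a care-team link.
LEGITIMATE_REASONS = {"treatment", "payment", "operations"}

# Constructed audit records: timestamp,user,patient_mrn,reason
SAMPLE_LOG = """\
2013-03-04T08:01:00,jdoe,MRN500,treatment
2013-03-04T08:05:12,jdoe,MRN100,treatment
2013-03-04T09:10:44,asmith,MRN101,
2013-03-04T09:11:02,bnguyen,MRN301,treatment
2013-03-04T10:30:00,asmith,MRN500,payment
"""


def classify_access(user: str, mrn: str, reason: str) -> str:
    """Return 'ok' or the name of the policy rule the access trips."""
    reason = reason.strip().lower()
    on_care_team = user in CARE_TEAM.get(mrn, set())
    if mrn == USER_MRN.get(user):
        # Own record through network credentials: a violation whatever the reason.
        return "self-access"
    if mrn in DECLARED_RELATIVES.get(user, set()) and not on_care_team:
        # A relative's record outside a treatment relationship.
        return "relative-access"
    if reason not in LEGITIMATE_REASONS:
        # No treatment/payment/operations purpose recorded at all.
        return "no-business-purpose"
    if reason == "treatment" and not on_care_team:
        # Claimed treatment, but the user is not on this patient's care team.
        return "no-treatment-relationship"
    return "ok"


def find_snooping(log_text: str) -> List[dict]:
    """Return one finding per suspicious access; an empty list means clean."""
    findings = []
    for ts, user, mrn, reason in csv.reader(io.StringIO(log_text)):
        verdict = classify_access(user, mrn, reason)
        if verdict != "ok":
            findings.append({"ts": ts, "user": user, "mrn": mrn, "rule": verdict})
    return findings


if __name__ == "__main__":
    for f in find_snooping(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} -> {f['mrn']}: {f['rule']}")
```

Findings are evidence for the FPO's investigation under 110.1.028, not a verdict on their own; a care-team roster that lags reality will produce false positives.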

Page 29

Shared Network Drives

Per 110.1.037 Network Usage Policy, all Dignity Health Network users are responsible for protecting the privacy and confidentiality of data by following security protocols for shared network drives.

• Retrieve scanned documents and delete them from the shared department network immediately.

• Documents in shared department network drives can be seen by any individual who has access to the drive.

• Access to network drive folders that contain PHI or sensitive information should be limited to authorized users.

• The IT Help Desk can set up restricted access to folders on a shared drive for authorized users.

Page 30

110.1.038 - Portable Device & Media Security Policy

Electronic information is portable, and ePHI can be compromised by lost or stolen laptops, cell phones, PDAs, CDs, flash drives, etc.

Only Dignity Health approved smart phones, tablets, and PDA models may be used to access the Dignity Health network.

Limit the storage of PHI or other sensitive information on portable computers and media to the minimum necessary to perform required duties.

When PHI or confidential information is stored on a laptop or other portable media, maintain a record, mirror copy or backup on the Dignity Health Network.

Use appropriate safeguards when using, transporting or storing laptops or removable media.

Encryption software for removable media is available on all Dignity Health supported computers.

Page 31

Removable Media Encryption

Password protection is NOT the same as encryption!

You are responsible to ensure all PHI or sensitive data on removable media like memory sticks, CDs or DVDs is properly encrypted and stored in a safe location. Never save PHI or Sensitive Information to a hard drive or removable media that is not encrypted.

For removable media encryption, use the McAfee Endpoint Encryption for Files & Folders software available on Dignity Health computers. When removable media is plugged into a Dignity Health computer, a pop-up message will ask if you want to encrypt the medium. Follow the screen prompts to activate encryption, or contact the IT Help Desk for assistance.

Do NOT use the McAfee encryption software to encrypt devices like cell phones, cameras, music players or any memory cards. Encrypting these devices could render them unusable and/or unrecoverable.

Page 32

110.1.053 Medical Device Data Security Policy

It is the policy of Dignity Health to protect PHI that is stored on or transmitted by Medical Devices from unauthorized Uses and Disclosures.

Business or Technical owners shall complete a security assessment prior to procurement of a medical device, in order to document the safeguards used to protect PHI stored on or transmitted by the Medical Device.

Prior to implementation, the Business Owner shall complete a Privacy Impact Assessment.

Limit the storage of PHI on medical devices to the Minimum Necessary for treatment.

Maintain a backup of PHI stored on the device.

Immediately report any incident involving the loss, theft, or unauthorized use or access of a Portable Device or Portable Media.

Page 33

Personal Cell Phone Use

The use of personal cell phones or other camera-equipped devices must comply with the Dignity Health Network Usage Policy 110.1.037. The scope of this Policy includes, but is not limited to: cell or smart phones, PDAs, pagers, and tablets (handheld devices).

All employees, physicians, and contractors are responsible for following Dignity Health policies and facility protocols to restrict the creation or use of unauthorized digital images with a cell phone or other camera-capable device.

Use of personal devices to store and maintain our PHI without using an approved encryption method represents a risk to Dignity Health.

Each facility is responsible for any notification or reporting necessary due to unauthorized use of data, or caused by loss or theft of a device.

Page 34

Texting ePHI and Image Transmission

PHI must be securely transmitted and protected from unauthorized disclosure during transmission through EMRs, secure email, VPN, MobileMD, encrypted CDs, encrypted flash drives, and other methods.

There is no closed and controlled texting technology implemented at Dignity Health that would allow the secure transmission of PHI.

PHI sent via unsecured texting represents both a privacy and data security incident that requires investigation and mitigation, and may require notification and reporting to regulatory agencies.

Images sent via text leave a copy of the image on the server of the cellular carrier (e.g. AT&T, Verizon, etc.), the sender’s cell phone, and the recipient’s cell phone.

Cell phone and data carriers are not business associates of Dignity Health and have no right to receive patient or confidential data.

Page 35

Lost or Stolen Portable Media

Call the IT Help Desk immediately to report the theft or loss of your Dignity Health laptop, Blackberry, iPhone, CD, flash drive or other portable media that you use to connect to the network and that contains PHI or sensitive information.

For smart phones, the Help Desk opens a ticket and sends the information to the IT Security Team.

• The IT Security Team will send a “wipe” command to clear the memory on the device (this only works for phone users that connect to our Enterprise Server).

Note: Do not cancel your phone service with your provider before notifying the IT Help Desk, because once service is cancelled the “wipe” command cannot be sent.

For laptops or portable media, the IT Help Desk will contact the Computer Security Incident Response Team (CSIRT) to start an investigation.

Page 36

110.1.046 Email Policy and Sending Secure Email

Any PHI or confidential information sent outside of the Dignity Health network requires encryption.

• Insert a space after the subject, then type #secure# (lower case).

• If a message is sent without the #secure# tag it will not be encrypted, and this may be a reportable incident.

• You may use the “Send Secure” button if available in your Outlook version.

A confidentiality statement should be placed at the bottom of the email with the required language as stipulated in the Dignity Health email policy #110.1.046.

Report incidents regarding unsecured email to your local FPO immediately.
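The subject-tag rule above, as an added check that is not Dignity Health's gateway code: it reviews outbound message headers and flags any message with an external recipient whose subject lacks the lower-case #secure# token, which is the reportable case the slide describes. The internal domain, the sample messages, and treating the tag as a whole whitespace-separated token are assumptions.

```python
"""Outbound-mail check for the #secure# subject tag.

Added example, not Dignity Health's mail-gateway code. The internal domain,
the sample messages and the verdict labels are constructed. The tag must be
a whole, lower-case token separated from the subject by whitespace, following
the slide's wording; that a real gateway is equally strict is an assumption.
"""
import re
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"example-health.invalid"}  # constructed placeholder domain
SECURE_TAG = "#secure#"
_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_recipients(headers: Dict[str, str]) -> List[str]:
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    found = []
    for name in ("To", "Cc", "Bcc"):
        for addr in _ADDR.findall(headers.get(name, "")):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append(addr)
    return found


def has_secure_tag(subject: str) -> bool:
    """True only when #secure# is its own whitespace-separated, lower-case token."""
    return SECURE_TAG in subject.split()


def classify(headers: Dict[str, str]) -> str:
    """'internal' (stays on the network), 'encrypted' (tag present) or
    'unencrypted-external' (leaves the network untagged: reportable)."""
    if not external_recipients(headers):
        return "internal"
    return "encrypted" if has_secure_tag(headers.get("Subject", "")) else "unencrypted-external"


# Constructed sample messages, including the two easy mistakes: wrong case
# and no space before the tag.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"id": "m1", "To": "Jane Doe <jane@example-health.invalid>",
     "Subject": "Lab results for MRN100"},
    {"id": "m2", "To": "attorney@law-firm.invalid",
     "Subject": "Records request #secure#"},
    {"id": "m3", "To": "billing@example-health.invalid", "Cc": "auditor@outside.invalid",
     "Subject": "Q3 charges"},
    {"id": "m4", "To": "provider@clinic.invalid",
     "Subject": "Referral #SECURE#"},
    {"id": "m5", "To": "provider@clinic.invalid",
     "Subject": "Referral#secure#"},
]


def triage(messages: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (message id, verdict) per message; 'unencrypted-external'
    is what the local FPO needs to hear about."""
    return [(m["id"], classify(m)) for m in messages]


if __name__ == "__main__":
    for msg_id, verdict in triage(SAMPLE_MESSAGES):
        print(f"{msg_id}: {verdict}")
```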

Page 37

SharePoint Sites

SharePoint sites are a great tool for sharing information, but are not authorized for posting, sharing, or storing documents with PHI or sensitive information.

Technical controls cannot be enforced on a global level due to the varied uses of the sites.

SharePoint can be accessed externally.

If it is discovered that a document with PHI or sensitive information is posted in a SharePoint site, the site administrator should:

• Delete the document.

• Contact the individual user who posted the document and/or their supervisor to alert them that PHI or sensitive documents should not be posted.

• Promptly notify the Facility Privacy Official.

Page 38

Reporting Requirements

Page 39

110.1.028 Investigation Response and Notification Policy

It is the right and responsibility of every member of Dignity Health’s workforce to immediately report a privacy or data security Incident.

Reporting options:

• Directly to your supervisor, who in turn should report it to the FPO.

• Directly to the Facility Privacy Official (FPO).

• Directly to the Facility I.T. Site Director.

• Email: [email protected]

• Call the Dignity Health Hotline (confidential): 1-800-938-0031

Dignity Health will not intimidate or take any retaliatory action against an employee who reports a privacy or data security violation.

Page 40

Conclusion of Privacy & Data Security Refresher

• Always follow Dignity Health Privacy and Data Security policies and procedures when handling patient or sensitive information.

• Comply with federal and state privacy and data security regulations.

• Report all known or suspected privacy or data security incidents.

If you have questions or concerns not covered in this training, contact your Facility Privacy Official for more information.
