confidentiality / privacy. federal laws privacy act of 1974 pii (personally identifiable...

CONFIDENTIALITY / PRIVACY

Upload: jarrod-bramwell

Post on 30-Mar-2015


TRANSCRIPT

Page 1: CONFIDENTIALITY / PRIVACY. Federal Laws Privacy Act of 1974 PII (Personally Identifiable Information)….Protection of social security numbers………

CONFIDENTIALITY / PRIVACY

Federal Laws

Privacy Act of 1974
PII (Personally Identifiable Information)….
Protection of social security numbers……….

Federal Laws

HIPAA – Health Insurance Portability and Accountability Act

A federal law that mandates standards that must be followed when healthcare information is used, disclosed, or transmitted for treatment, payment or health care operations purposes. The rules affect all persons who have access to Protected Health Information (PHI).

STATE LEVEL

Governor’s Privacy Team Executive Order 6-06 New Policies and Procedures

Privacy Principles/Policies

Accountability
Notice
Minimum Necessary/Limited Use
Consent
Individual Rights
Security Safeguards

Definitions

Personally Identifiable Information (PII) – PII includes all protected and non-protected information that identifies, or can be used to identify, locate, or contact an individual. (Social Security numbers are considered PII.)

Definitions

Sensitive PII: Those elements of PII that must receive heightened protection due to legal or policy requirements. Examples of Sensitive PII include, but are not limited to:

i) Social Security numbers
ii) Credit card numbers
iii) Health and Medical data
iv) Driver license numbers
v) Individual financial account numbers

Definitions

Protected Health Information (PHI) – is individually identifiable health information (IIHI) held by any physician, health care provider, or payer that is transmitted or maintained in any medium (including oral transmission). The information covered includes any record or information relating to the past, present, or future health, condition, care, or payment of an individual, and extends to PHI that may be contained in paper records, electronic databases, or records and any other individual-specific data in a physician’s office.

Definitions

Use – is the sharing, analysis, application, utilization, examination or employment of such information within any entity that maintains such information.

Definitions

Disclosure – is the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Definitions

Incidental Disclosure - In the course of routine communication, confidential information or PII may sometimes be inadvertently disclosed to someone who is not authorized to receive that information.

Make Every Effort to Avoid Incidental Disclosure - Visual

Computer screens
Sign in sheets
Bulletin boards
Calendars with names in plain view

Make every effort to avoid incidental disclosure – Oral

Situations where unauthorized individuals may overhear information: speaking on the telephone; collecting information from individuals; communicating information to the individual or to the individual's family or representative; communicating individual information to other staff involved in the individual's case; and dictating.

PDAs and Laptops

Users of Laptops and PDAs are responsible for assuring that the PHI/PII on the Laptops/PDAs is kept secure and private.

Any loss or theft of a Laptop/PDA is to be reported immediately to the Privacy Officer, Brenda Bates, and the Security Officer, Tiffany Redman.

Both the Laptop and the file containing PHI/PII are to be password protected.

Privacy for our customers

Individuals whom we serve
Employees
Referral Sources
Other

Individuals whom we serve

PII – address; telephone
SPII – SSNs; Credit card numbers; bank account numbers; health and medical information

Employees

HR information
SPII on application and on employee performance evaluations
Ex: Employee has an illness or is in the hospital. Do not share health information or address with other staff without that individual’s permission.

Privacy Checklist

Bulletin Boards

Bulletin boards may not contain any documents with PHI/PII of clients, unless the client has authorized the display.

Privacy Checklist

Cleaning Personnel

Cleaning personnel do not need PHI/PII to accomplish their work. Whenever reasonably possible, PHI/PII will be placed in locked containers, cabinets, or rooms before cleaning personnel enter an area.

When it is not reasonably possible to lock up PHI/PII, it must be removed from sight before cleaning personnel enter an area.

Privacy Checklist

Computer Screens

Computer screens at each workstation must be positioned so that only authorized users at that workstation can read the display. When screens cannot be relocated, filters, hoods, or other devices may be employed.

Computer displays will be configured to go blank, or to display a screen saver when left unattended for more than a brief period of time. Wherever practicable, reverting from the screen saver to the display of data will require a password.

Computer screens left unattended for longer periods of time will log off the user.

Privacy Checklist

Conversations

Conversations concerning members’ case records or other PHI/PII must be conducted in a way that reduces the likelihood of being overheard by others.

Wherever reasonably possible, noise inhibitors may be used to reduce the opportunity for conversations to be overheard.

Privacy Checklist

Copying case records and other PHI/PII

When PHI/PII is copied, only the information that is necessary to accomplish the purpose for which the copy is being made may be copied. This may require that part of a page be masked or that information be redacted.

Privacy Checklist

Desks and Countertops

Case records and other medical record documents that contain PHI/PII must be placed face down on counters, desks, and other public places where third parties can see them.

Privacy Checklist

Desks and Countertops (cont.)

Case records and other documents containing PHI/PII will not be left on desks and countertops after business hours or for extended periods of time unsupervised. Supervisors will take reasonable steps to provide all work areas where PHI/PII is used in paper form with lockable storage bins, lockable desk drawers, or other means to secure PHI/PII during periods when the area is left unattended.

Privacy Checklist

Desks or Countertops (cont.):

In areas where locked storage after hours cannot reasonably be accomplished, PHI/PII must be kept out of sight. A staff member must be present whenever someone who is not authorized to have access to that data is in the area.

Privacy Checklist

Disposal of paper with PHI/PII

Paper documents containing PHI/PII must be shredded when no longer needed. If retained for a commercial shredder, they must be kept in a locked bin.

Privacy Checklist

Information carried from one building to another

When a member of the workforce is transporting PHI/PII from one building to another via vehicle, it may not be left unattended unless it is in a locked vehicle with case record or PHI/PII with identifying information out of sight. Locking the vehicle alone is not sufficient.

Privacy Checklist

Printers and Fax Machines

Printers and fax machines must be located in secure areas, where only authorized members of the workforce can have access to documents being printed and faxed.

Privacy Checklist

Record Storage

Areas where case records and medical records and other documents that contain PHI/PII are stored must be secure. Wherever reasonably possible, the PHI/PII will be stored in locked cabinets or a records room.

Where locked cabinets are not available, the storage area must be locked when no member of the workforce is present to observe who enters and leaves, and no unauthorized personnel may be left alone in such areas without supervision.

Privacy Checklist

Transcription

Dictation tapes must be numbered, and workforce members must account for each tape they receive and return by number.

Dictation tapes must be completely erased before being reused.

Tapes and transcribed hard copy will be subject to the same policies that apply to the safeguarding of paper documents and electronic files that contain PHI/PII, such as case records and copies of medical records.

Privacy Checklist

Workforce Vigilance

All members of the workforce have a responsibility to watch for unauthorized use or disclosure of PHI/PII, to act to prevent the action, and to report suspected breaches of privacy.

This responsibility will be included in staff training.

This responsibility will become a part of all work staff job descriptions.

Privacy Checklist

Visitors

A member of the DRS Field & Program Services workforce must accompany all visitors to any area where PHI/PII is stored or in use.

YOUR RESPONSIBILITY

Take every reasonable caution to protect confidential information.

Privacy and Security Officers

OE&A Privacy Officer Brenda Bates: (304) 766-4805

OE&A Security Officer Tiffany Redman: (304) 558-2440