
Page 1

Protecting the Privacy and Security of Patient Information

June 2019

Prepared by: Sara Brown, Chief Privacy Officer

Department: Privacy Program

Page 2: Commitment and Purpose

Commitment:

• Children's is committed to providing high-quality care and service. This includes protecting the privacy and security of Children's patient, research and other business information.

Purpose:

• In this course you will learn how to protect private and confidential information you have access to.

Page 3: Learning Objectives

Upon completion of this module, participants will be better able to:

1. Recognize and identify protected health information (PHI)
2. Explain why patient, research and other business information must be protected
3. Appropriately access, use and share patient, research and other business information
4. Look for guidance and report a concern about the privacy and security of PHI, and protected research and business information

Page 4: Meet Felicia, your course narrator…

Hello, my name is Felicia. I will be your narrator throughout this course.

Let’s get started!

Page 5: What information is protected?

Protected information includes: Protected Health Information (PHI), Research Information and Business Information.

Page 6: Protected Health Information (PHI)

PHI is individually identifiable information, readily available in our electronic medical record and other clinical systems (e.g., lab, radiology), that relates to the physical or mental health of an individual, an individual's healthcare services or the payment for those services. There are 18 identifiers that are considered PHI under the federal Health Insurance Portability and Accountability Act (HIPAA):

• Names
• Geographical identifiers (smaller than state)
• Dates (e.g., DOB)
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security Numbers
• Medical Record Numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Device identifiers and serial numbers
• Vehicle identifiers and serial numbers (including license plate numbers)
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger/voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
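The identifier list above is also what a de-identification check looks for: as long as any of these categories remains in a record, the record is still PHI. The Python script below is an added example, not part of the original training module, showing how a pattern-based scan finds the identifier categories that have a recognisable form (SSNs, telephone numbers, dates, email addresses, URLs, IP addresses, ZIP codes and a constructed medical record number format) in a constructed clinical note, redacts them, and confirms that nothing pattern-detectable is left. The regular expressions, the sample note and the "MRN" plus seven digits convention are assumptions made for this example; names, biometrics and photographs have no fixed form and need dictionary, NLP or file-metadata checks that a regex cannot provide.

```python
import re
from typing import Dict, List

# Patterns for the identifier categories that can be recognised from their form
# alone. Category names follow the slide's list of HIPAA identifiers; the regular
# expressions and the MRN convention ("MRN" plus seven digits) are assumptions
# made for this example. Names, biometrics and photographs need other checks.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "Social Security Number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "Telephone/fax number": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "Email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "Date": re.compile(r"(?<!\d)(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})(?!\d)"),
    # Trailing sentence punctuation is excluded from the URL match.
    "Web URL": re.compile(r"https?://\S+[^\s.,;)]"),
    "IP address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "Medical record number": re.compile(r"\bMRN\s?\d{7}\b"),
    # Geographic unit smaller than a state: a five-digit ZIP code.
    "Geographic identifier": re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)"),
}

# Constructed clinical note containing one instance of each detectable category.
SAMPLE_NOTE = (
    "Patient MRN 1234567 (DOB 6/15/2012) seen 2019-06-03. Guardian reachable at "
    "206-555-0199 or parent@example.com; lives in ZIP 98105. Portal login from "
    "10.20.30.40 via https://portal.example.org/visit?id=42. SSN on file 123-45-6789."
)


def scan_for_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every identifier category found in text, with the matched values."""
    found: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed category label."""
    redacted = text
    for category, pattern in IDENTIFIER_PATTERNS.items():
        redacted = pattern.sub(f"[{category.upper()}]", redacted)
    return redacted


def is_pattern_clean(text: str) -> bool:
    """True when none of the pattern-detectable identifier categories remain.

    A True result is necessary, not sufficient, for de-identification: names,
    biometrics and images must still be checked by other means.
    """
    return not scan_for_identifiers(text)


if __name__ == "__main__":
    for category, values in scan_for_identifiers(SAMPLE_NOTE).items():
        print(f"{category}: {values}")
    print(redact(SAMPLE_NOTE))
    print("pattern clean after redaction:", is_pattern_clean(redact(SAMPLE_NOTE)))
```

The scan reports which categories are present rather than just a yes/no, so a reviewer can see why a document is still PHI; the redaction keeps a category label in place of each value so the note remains readable for auditing.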

Page 7: Research Information

Protected Research Information is information created or obtained during the stages of planning, preparing, conducting and determining the results of a research activity, such as:

• PHI created or collected while conducting a research study involving patients or non-patients

• Much of the information retained in some research databases and repositories

Page 8: Business Information

Protected Business Information is any information related to your organization’s business functions, including:

• Financial records
• Strategic plan drafts
• Employee records
• Risk management files

Page 9: Why is this information protected?

• To deliver the Highest Quality of Care
• It’s the Right Thing to Do
• To comply with Privacy and Information Security Policies
• It’s the Law

Page 10: To Deliver the Highest Quality of Care

• Providing high-quality care requires a patient's and sometimes a family's medical history. Patients will share this information only if they trust that it will be treated confidentially.

• Research participants have similar privacy expectations.

• Trust that the personally identifiable information provided to your organization will be protected.

Page 11: It’s the Right Thing to Do

• Think about how you would want your own or your family's information to be treated.

Page 12: To Comply with Children’s Privacy and Information Security Policies

• Privacy and Security Policies specify requirements for us to actively protect patient, research and business information.

Page 13: It’s the Law

• HIPAA and more recent federal regulations protect patient information from misuse and inappropriate sharing. These regulations carry serious penalties (monetary, civil and criminal charges) for breaches of patient privacy.

• Washington state laws protect both patient and other personally identifiable information that your organization maintains (e.g., names associated with credit card and Social Security numbers).

• International laws such as the General Data Protection Regulation (GDPR) provide individuals located in the European Union more control over their personal data, extending beyond medical information.

Page 14: Sharing PHI

Requests for PHI are made by a variety of groups and individuals. We share PHI keeping the best interest of our patients in mind.

See the sharing matrix on the next page for more details.

Page 15: When May Patient Information Be Shared

Signed Authorization IS NOT Required to Share Information:

• For urgent patient care needs
• With a patient's legal representative, who is usually but not always the parent. There are special protections for sharing (consult with your manager or the Privacy Program for additional guidance):
  o Mental health and chemical dependency information for patients 13 years and older
  o Sexually transmitted infection (STI), reproductive and sexual health information for patients 14 years and older
• With family members and friends if the legal representative has said it is okay to talk with them. Share written copies of PHI only with legal representatives.
• For certain public health, law enforcement and other activities that are required or permitted by law

Signed Authorization IS Required to Share Information:

• With a provider not currently treating the patient
• Schools (excluding immunizations)
• With other outside requesters (check with HIM or the Privacy Program)

For information, including how to address mental health, STI, chemical dependency and reproductive rights issues, consult your organization’s use and disclosure policies.

Page 16: Your Responsibility With PHI – Keep It Secure

All providers who come into contact with protected information have a responsibility to keep it secure. Let’s talk more about this important responsibility.

Page 17: Only Access What You Need to do Your Job

When accessing patient information in any format ask yourself: Do I need this information to do my job today?

• If YES, then access the information.
• If UNSURE, consult with a manager or the Privacy Program.
• If NO, then do not access the information.

ACCESS TO ALL SYSTEMS CONTAINING PHI IS MONITORED

Page 18: Proper Access and Use of Information

When accessing patient, research and confidential business information remember to:

• Access only what you need to do your job.

• Never access the PHI of family members. Contact HIM for options on acceptable pathways for obtaining the information you need.

• Never access information about any other workforce members/co-workers, friends, patients in the news or patients you are not currently caring for, no matter how curious or concerned you may be. No snooping!
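The monitoring the previous slide mentions is what turns these rules into something enforceable: every chart access is logged, and the log is compared against who actually had a reason to open that record. The Python script below is an added example, not part of the original module, of such an audit review. It parses a constructed access log, checks each access against a constructed care-team roster (who had a treatment relationship with which patient on which day), flags records marked as belonging to workforce members or their relatives, raises the severity when PHI was printed during an unexplained access, and counts findings per user for the Privacy Program's follow-up. The log format, the roster, the flagged-record list and every MRN and user name are constructed for this example; a production system would derive the roster from encounters, orders and unit assignments.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Set, Tuple

# Constructed audit lines in the form: <ISO timestamp> <user> <MRN> <action>.
# The format and every value are assumptions made for this example.
SAMPLE_AUDIT_LOG = """\
2019-06-03T08:12:44 jane.doe MRN1000001 VIEW_CHART
2019-06-03T09:05:10 jane.doe MRN1000002 VIEW_CHART
2019-06-03T12:00:07 jane.doe MRN1000005 VIEW_CHART
2019-06-03T14:20:31 jane.doe MRN1000003 VIEW_CHART
2019-06-03T16:48:02 frank.lee MRN1000004 PRINT_DEMOGRAPHICS
2019-06-03T17:02:15 juan.ortiz MRN1000001 VIEW_CHART
"""

# Constructed care-team roster: (user, MRN, date) triples for which a treatment
# relationship existed. MRN1000003 has left Jane's floor (no relationship that
# day) and Frank has no care role for MRN1000004, mirroring scenarios 1 and 3.
ROSTER: Set[Tuple[str, str, date]] = {
    ("jane.doe", "MRN1000001", date(2019, 6, 3)),
    ("jane.doe", "MRN1000002", date(2019, 6, 3)),
    ("juan.ortiz", "MRN1000001", date(2019, 6, 3)),
}

# Records flagged because the patient is a workforce member or a relative of one
# (constructed); the slides say these must never be opened out of curiosity.
FLAGGED_RECORDS: Set[str] = {"MRN1000005"}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    mrn: str
    action: str


@dataclass(frozen=True)
class Finding:
    event: AccessEvent
    reasons: Tuple[str, ...]


def parse_audit_log(text: str) -> List[AccessEvent]:
    """Parse whitespace-separated audit lines; blank lines are skipped."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, mrn, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(when), user, mrn, action))
    return events


def review_access(events: List[AccessEvent],
                  roster: Set[Tuple[str, str, date]],
                  flagged: Set[str]) -> List[Finding]:
    """Return one Finding per access that lacks a need-to-know justification."""
    findings: List[Finding] = []
    for ev in events:
        reasons: List[str] = []
        if (ev.user, ev.mrn, ev.when.date()) not in roster:
            reasons.append("no treatment relationship on the access date")
        if ev.mrn in flagged:
            reasons.append("record flagged (workforce member or relative)")
        # Printing PHI during an unexplained access raises the severity further:
        # the data has left the audited system.
        if reasons and ev.action.startswith("PRINT"):
            reasons.append("PHI printed during an unexplained access")
        if reasons:
            findings.append(Finding(ev, tuple(reasons)))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per user for the Privacy Program's follow-up queue."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.event.user] = counts.get(f.event.user, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for f in review_access(events, ROSTER, FLAGGED_RECORDS):
        print(f"{f.event.when.isoformat()} {f.event.user} {f.event.mrn} "
              f"{f.event.action}: {'; '.join(f.reasons)}")
```

Each finding keeps the full event and a list of reasons rather than a single score, because the Privacy Program's first question is "why was this flagged", and a legitimate explanation (for example a float nurse covering a unit) may clear one reason but not another.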

Page 19: Protecting and Securing Confidential Information

There are certain actions you must take to protect and secure information in your day to day work. The next few slides will reveal some best practices.

Page 20: Protecting and Securing Confidential Information

Topics: 1. Confidential Information in Public Areas · 2. Talking With or About Patients · 3. Faxing Patient Information · 4. Physical Security Safeguards

1. Confidential Information in Public Areas

• Take all PHI or other confidential information with you when leaving exam or meeting rooms.

• Position computer screens so that families and visitors cannot see them, or use an add-on privacy screen.

• If you find confidential information in a public area, send it to the Privacy Program office for appropriate follow up.

Page 21: Protecting and Securing Confidential Information – 2. Talking With or About Patients

• Conduct conversations with or about patients as privately as possible.

• Honor patient or family requests to move conversations to a more private location.

• Avoid hallway, elevator or cafeteria conversations about or with patients.

• Make phone calls and dictate clinical reports where you will not be overheard.

Page 22: Protecting and Securing Confidential Information – 3. Faxing Patient Information

• Fax only information relevant to the immediate request.

• Always use a cover sheet that meets your organization’s standards.

• Verify that fax numbers are entered correctly.

• Avoid paper pile-ups at the fax machine by removing paper promptly.

Page 23: Protecting and Securing Confidential Information – 4. Physical Security Safeguards

• Keep all materials containing PHI or other confidential information in a secure location.

• Never view or display confidential information in a public venue (e.g., bus, light rail, coffee shop, etc.)

• Lock file drawers and offices when no one will be present.

• Make every effort not to travel with paper PHI, but if necessary, keep materials containing confidential information out of sight and with you at all times. Store it securely at your destination.

• Never leave confidential information in your car, even in a locked trunk.

Page 24: Protecting and Securing Electronic Information

Protecting and securing electronic information requires special attention. The next few slides discuss best practices.

Page 25: Protecting and Securing Electronic Information

Topics: 1. Passwords · 2. Logging off the Network · 3. Email and Phishing · 4. Mobile Devices & Removable Data Storage

1. Passwords

• Use different passwords for employment accounts and personal or home accounts.

• Don’t share your passwords or leave them where others might find them.

• Use strong passwords that contain:
  o Mixes of letters and numbers
  o Upper and lowercase letters
  o Symbols

• Avoid using words that are personally relevant or in the dictionary.

Page 26: Protecting and Securing Electronic Information – 2. Logging off the Network

• On single-user workstations:
  o Log off or lock your workstation when you leave it unattended or unsecured by pressing the Windows key + L.

• On Virtual Desktop (VDI) devices:
  o Always use the “Disconnect” function (the red power button icon located next to the Windows Start Menu) to quickly disconnect when leaving the workstation unattended.
  o Using Disconnect allows you to reconnect in seconds from another device while maintaining your connections to your applications.

Page 27: Protecting and Securing Electronic Information – 3. Email and Phishing

• Use email encryption when sending protected information via email.

• Always verify you are sending the email to the right person and correct email address.

• DO NOT send PHI to your personal email addresses.

For more information, see your organization’s electronic communication policy.

Page 28: Protecting and Securing Electronic Information – 3. Email and Phishing (Cont’d)

Phishing is an attempt to trick someone into providing sensitive or confidential information. Be cautious and do not open unrecognized or suspicious emails or links as these may be phishing attempts.

If you encounter a possible phishing email report it to Information Technology immediately.

Things to watch out for!

• Unexpected emails
• Spelling mistakes
• Lack of personal information used
• Asking for an action:
  o Open attachment
  o Go to website
  o Provide sensitive information
• Beware! Phishing emails are becoming increasingly convincing.

Page 29: Protecting and Securing Electronic Information (Cont’d) – 4. Mobile Devices & Removable Data Storage

• Securely store devices when not in use. When traveling, secure devices; keep them out of sight and carry them with you. Store them securely at your destination.

• Never leave a mobile or removable device in a car, even locked in the trunk. If storing protected information, make sure your device meets encryption standards.

• Consult appropriate policies related to accessing protected information with personally owned devices.

• When you no longer need stored information, securely delete or dispose of it*.

*Refer to your organization’s secure disposal policies for more information.

Page 30: Summary

Now that this module has been completed, participants should be better able to:

1. Identify protected health information (PHI).
2. Explain why patient, research and other business information must be protected.
3. Appropriately access, use and share patient, research and other business information.

Page 31: Scenario Practice

Are you ready to put this information into practice? I hope so, because I am going to need your help now.

Page 32: Scenario #1 – Password Security

Jane has just returned to work after an extended vacation. While trying to log in she realizes she has forgotten her password; she doesn’t have time to call the IT Service desk so she asks another staff member to borrow their username and password and begins to work.

Later in the day Jane realizes one of her favorite patients, Parker, is no longer on the floor. Jane opens the medical record to see what happened. After work Jane shares information about Parker with her husband.

Where did Jane go wrong?

Page 33: Scenario #1 – Where did Jane go wrong?

Jane not only violated information security policies but she also made multiple patient privacy violations. Let’s review them separately!

Patient Privacy Violation: Computer User Responsibilities
Where Jane went wrong: By using her co-worker’s password, Jane, as well as her co-worker, jeopardized both of their jobs.

Patient Privacy Violation: Use and Disclosure of Protected Health Information
Where Jane went wrong: By accessing Parker’s medical record when he was no longer under her care and by disclosing protected health information to someone outside of the organization, Jane put herself and her organization at risk for potential HIPAA fines and penalties.

Page 34: Scenario #1 – Violation Consequences

Jane’s actions put her, as well as her co-worker, at risk for corrective action. Corrective actions may include:

• Required information security and privacy training and a final written warning.

• In the event Jane received earlier corrective action, these violations could lead to Termination of Employment.

Check with your organization for more information on their corrective action policy.

Page 35: Scenario #2 – Inadvertent Disclosure

Juan receives a call from a family member who recently saw Dr. Rhino. The family states they received paperwork for another patient and asks what to do with it. Juan asks for their contact information and any patient identifying information on the paperwork. He asks them to return the documents during their next visit, scheduled later in the week. Juan then completes an eFeedback and arranges for the documents to be sent to the Privacy Program when they are returned.

Where did Juan go wrong?

Page 36: Scenario #2 – Where did Juan go wrong?

He didn’t. In fact, Juan handled this inadvertent disclosure perfectly. Juan requested that the patient information be returned as quickly as possible and through reporting provided the information needed for the Privacy Program to perform a thorough investigation.

Page 37: Final Scenario…

Okay. Let’s take a look at one last scenario before we finish up!

Page 38: Scenario #3 – Inappropriate Access

Frank has been feuding with Patrick and recently began receiving prank phone calls from a number he doesn’t recognize. Frank knows Patrick brought his son in for treatment recently and decides to look at the medical record to see if the phone number matches the number the calls are coming from. Frank realizes the phone number matches and he prints out the demographic page from the patient record as proof for the police to investigate the harassing calls.

Where did Frank go wrong?

Page 39: Scenario #3 – Where did Frank go wrong?

Frank used poor judgement by accessing the medical record for personal reasons.

Patient Privacy Violation: Use and Disclosure of Protected Health Information
Where Frank went wrong: By accessing the medical record for personal reasons Frank put himself and Children’s at risk for potential HIPAA fines and penalties.

Page 40: Scenario #3 – Violation Consequences

Frank’s actions put him at risk for corrective action. Corrective actions may include:

Disciplinary action up to and including termination of employment.

Check with your organization for more information on their corrective action policy.

Page 41: Contact Information

For questions or to report privacy concerns please contact the Privacy Program at your organization.

Congratulations! You have completed the module.

Credit: Felicia avatar created using the Bitmoji application, www.bitmoji.com (July 2018)