HIPAA Basic Training
for Privacy & Information Security
Vanderbilt University Medical Center
VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA
Vanderbilt Credo
“We treat others as we wish to be treated”
Vanderbilt Credo Behavior
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
z
Limits how we use and share patient
information
z
Gives patients more control over their
information
z
Protects the integrity, availability and
confidentiality of patient information
What is Protected under HIPAA?
z
Individually identifiable health information
collected from an individual that is created or
received by a health care provider, employer,
or plan.
z
In any form: written, verbal, electronic
z
Information pertaining to HIV, alcohol and
drug treatment, psychotherapy notes, etc.
have even more stringent protections.
Patient Rights
Patients have the right to:
• Receive a Notice of Privacy Practices that
describes how we use and share their information
• Review and obtain copies of their medical and
financial records
• Request corrections if they believe information is
incorrect
HIPAA regulations provide individuals with
Sharing Patient Information
You must obtain patient authorization except for in these circumstances:
z Treatment (referring physicians, family members involved in patient’s care, etc.)
Whenever possible, the patient should be given the opportunity to control which family members receive information.
z Payment (insurance companies, other third parties)
z Administrative functions (QI, financial analysis, educational or training activities)
z Other specific exceptions (required by law, Department of Public Health)
Giving Patients Control
Over their Information
z
Only share patient information with other
faculty and staff who need the information to
do their job.
z
Avoid accessing a patient’s record unless
you need to do so for your job or you have
written permission from the patient. You are
not allowed to access the record of your
co-worker, spouse, or family member
unless there is a signed authorization
form in the patient’s record.
Key Information Security Practices
z
Passwords & Electronic
Signatures
z
Logging Off
Passwords and Electronic Signatures
Some Do’s and Don’ts related to passwords and electronicsignatures. Note: Electronic signatures should be protected in the same manner as passwords.
z DO choose ones that you can remember
z DO remember that the longer they are, the better
z DO use numbers, uppercase and lowercase letters, and special symbols to create them, where allowed
z DO NOT share them with anyone
z DO NOT write them down where others can see or store them where others can access them (unless encrypted)
Logging Off
When using a computer if you need to walk away you should always:
– Log Off OR
– Lock the computer screen
This is important so that others do not
document in the electronic medical record under your user-id or gain access to
information they may not be authorized to view.
z Email sent over the Internet is unencrypted and not secure.
z Find alternative ways to communicate confidential information (e.g., encryption, MyHealthAtVanderbilt, password protected files, VPN)
z Limit the amount of patient information.
Helpful Reminders
4. Make sure you enter the correct fax number.
Always use a cover sheet. 4. Faxing clinical
information
3. Use initials, abbreviations, codes, etc.
3. Whiteboards with patient info.
2. Turn monitors away or use filter screens, log off or
lock systems, keep
documents in folders. Keep printers in secure areas.
2. Documents or computer monitors in view. Printers accessible by public.
1. Lower voice, ask visitors to leave the room
1. Conversations at nurses stations, front desks, semi-private rooms, hallways, etc.
Approaches to Reduce the Risk Privacy Risks
Helpful Reminders
5. Use an alternative method for communicating patient information whenever
possible. Avoid emailing patient information outside of VUMC.
5. Emailing patients, or patient information
6. Limit the information on the message
6. Leaving messages for patients
7. Shred documents and
dispose of electronic media appropriately
7. Disposal of document or electronic media
containing patient
information in regular trash.
Approaches to Reduce the Risk Privacy Risks
Sanctions for Privacy and
Information Security Violations
z VUMC considers it a serious incident anytime that a privacy or security violation occurs.
z HIPAA requires that we monitor information system activity which assists in identifying violations and that we document all incidents.
z Disciplinary/corrective action ranges from training/counseling to termination.
z Unfortunately every year someone at VUMC is terminated due to committing this type of
What should be reported?
Examples:
•Looking at someone else’s confidential data.
•Leaving paperwork with patient information lying around unattended.
•Sharing your password or electronic signature with someone else or using someone else’s password or electronic signature.
Contact one of the following to Report
Privacy & Information Security Incidents
z Privacy Office (936-3594) or email Privacy.Office@vanderbilt.edu
z Help Desk (343-4357)
z Compliance Reporting Line (343-0135)
z Your manager
z Always forward Patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.
The Bottom Line
z Consider the patient’s perspective and give them control over how their information is used.
z Avoid situations in which the patient would object to how their information was used or shared
z Implement appropriate security measures to maintain the integrity of patient data, ensure its availability,
and keep it confidential.
z Be familiar with Vanderbilt’s privacy & information security policies
Next Steps
zz
You must complete the
You must complete the
TEST
TEST
associated
associated
with this lesson in order to be marked
with this lesson in order to be marked
complete for the HIPAA training.
complete for the HIPAA training.
z
z