Office of Audit, Compliance and Ethics
Information Technology Security

Welcome to Privacy and Security training. This training is required as part of the UConn Health Compliance Program education. All members of the UConn Health workforce are obligated to ensure the privacy and security of confidential information with which they may come in contact. This training will help you become aware of important privacy and security principles as well as UConn Health policies and procedures. Refer to the policy links throughout the training for more detailed information.

UConn Health has a responsibility to protect all types of confidential information related to:
- Patients
- Research participants
- Students
- Employees
- Social Security numbers, credit card numbers, and other financial data
- System IDs and passwords
- Institutional data and processes

Unless you have a “need to know” specific confidential information to carry out your UConn Health responsibilities, please do not access, look at, use or share any confidential information. Please review the Confidentiality policy.

“I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.” (Excerpt from the Hippocratic Oath)

HIPAA stands for: Health Insurance Portability and Accountability Act

The Privacy Rule:
- established national standards for the protection of all forms of health information created by “covered entities”, including health care providers.
- set limits on the uses and disclosures of such information.
- gave patients rights over their health records.

The Security Rule:
- established national standards for the security of electronic health information (ePHI) to protect individual ePHI created, received, used or maintained by covered entities.
- outlined administrative, technical and physical procedures to ensure the confidentiality, integrity and availability of ePHI.
HITECH stands for: Health Information Technology for Economic and Clinical Health Act

HITECH resulted in significant changes to HIPAA Privacy and Security:
- Widened the scope of privacy and security protections under HIPAA.
- Includes health care information technology incentives such as creating a national health care infrastructure and adopting an electronic health record (EHR) system.

Electronic data transmission is a double-edged sword. Advances in technology lead to increased vulnerability of personal information. Confidential information is only as safe as our weakest link.

In addition to HIPAA, there are specific federal and state laws that govern the confidentiality of mental health, substance abuse, and HIV information as well as information related to minors. The stricter law always applies. Consider additional regulations that may apply to a particular situation and seek guidance as needed.

Individually Identifiable Health Information: Health, demographic and financial information relating to an individual’s past, present or future physical or mental health condition or payment for health care that identifies the individual or can reasonably be used to identify the individual.

Protected Health Information (PHI): Individually Identifiable Health Information (including genetic information and family history) that is maintained or transmitted in any form (written text, photos, recordings, images, slides etc.) in any medium (verbal, paper, electronic and others). Electronic PHI (ePHI) may be stored on computers, storage devices, or in UConn Health patient information systems such as IDX, LCR, eHIMS, NextGen and Pulsecheck.

De-identified Information: Health information that does not in any way identify an individual, or for which there is no reasonable belief that the information can be used to identify the individual. De-identified information is not considered PHI and, therefore, is not protected under the HIPAA Privacy Rule.
Refer to policy: Creation, Use and Disclosure of De-identified PHI

Access: To obtain, examine or retrieve data.
Use: Sharing, employment, application, utilization, examination, or analysis of Individually Identifiable Health Information within UConn Health.
Disclosure: Release, transfer, providing access to, or divulging in any other manner information outside of UConn Health.
Minimum Necessary: The least amount of PHI needed to accomplish the intended use or disclosure.

Refer to policy: Privacy Definitions

Obvious identifiers:
- Name
- Addresses, including email/internet
- Zip code
- Phone and fax numbers
- Social Security number
- Medical record number
- License numbers
- Account numbers, e.g. bank, retirement and credit card
- Fingerprints
- Full or partial photo that could identify an individual

Less obvious identifiers:
- Vehicle identifiers, e.g. license plates/serial numbers
- Dates, including birth, death, admission and discharge
- URL and IP address
- Device identifiers and serial numbers
- Codes that are related to the individual or can be translated into identifiable information
- Any other unique number or characteristic

With respect to their PHI, patients under our care are entitled to:
- information about their rights under HIPAA and how their PHI will be used or disclosed.
- protection of the privacy and security of their health information.
- access to their health information.
- request corrections of information in their records.
- restrict certain disclosures of their information.
- notification if the privacy or security of their information is compromised.

Privacy should be seen as being as important as other aspects of patient care. Respect for patient privacy goes hand in hand with respect for that individual’s dignity and significantly contributes to overall patient satisfaction. Patient feedback, both solicited and spontaneous, underscores how important privacy is to the overall patient experience. Assure patients, and demonstrate in your care, that their privacy is important.
Respond to patients’ privacy questions and concerns. Patient complaints related to the privacy or security of their PHI should be referred to the UConn Health Patient Relations Department or to the Privacy or Security offices. Patients may also elect to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.

Refer to policy: Patient Complaint Regarding Use and Disclosure of PHI

The Notice of Privacy Practices explaining patients’ rights under HIPAA is provided:
- to all new UConn Health patients (except Correctional Managed Health Care) as part of the Consent to Treatment process.
- at the time of each inpatient admission.
- at each encounter in the Farmington Surgery Center, Procedure Center, Same Day Surgery, and Emergency Department.
- annually to outpatients.

Ensure the patient’s permission to communicate and any requests to restrict disclosure of PHI to health insurers or to be excluded from appointment reminders are addressed. If another individual signs the consent on behalf of the patient, verify that person’s identity, his or her relationship to the patient (i.e. parent, guardian, authorized representative) and that the person has proper authorization to access the patient’s record. Only the individual whose email address is noted on the consent form will have access to the medical record via the patient portal.

Patients or their authorized representatives have the right to view their own records upon written request using approved forms. Requests to view are first reviewed with the patient’s attending physician or appropriate UConn Health representative. A written response is provided to the patient for any request denial. Copies of all such documentation are maintained in the patient’s record.

Refer to policy: Patient Right to View His/Her Medical/Dental/Research and/or Billing Record

Most requests for patient records should be referred to the Health Information Management (HIM) Release of Information department.
If information is needed immediately and the treating provider approves, clinical areas may provide to the patient copies of documents such as labs, diagnostic results and clinical notes related only to the care in that department.

Information that may not be released:
- Psychotherapy notes (separate from the clinical record).
- Patient information from research labs that are exempt from Clinical Laboratory Improvement Amendment (CLIA) requirements.
- Information for use in pending litigation.

Refer to policy: Patient Right to Request Copies of His/Her Medical/Dental/Research and/or Billing Record

Patients can request amendments to the information in their medical record at any time during or after treatment. All amendment requests must be acted upon promptly but no later than 60 days after the request is made. For guidance and assistance with an amendment request for:
- Medical/Dental records: contact Health Information Management (HIM)
- Research records: contact HIM or the study’s Principal Investigator
- Billing records: contact Patient Services

Refer to policy: Patient Right to Amend His/Her Medical/Dental/Research and/or Billing Record

UConn Health must honor all patient requests:
- to receive communications of PHI from UConn Health by alternative means or at alternative locations.
- to restrict certain disclosures of PHI to health plans if specific criteria are met.

Patients may also choose to be excluded from automated, verbal or written appointment reminders.

Refer to policies: Patient Right to Request Confidential Communications; Patient Right to Request Restrictions on Use and Disclosure of Protected Health Information

“Disclosure Tracking Logs” must be completed when PHI is released outside of UConn Health for reasons unrelated to treatment, payment or operations and about which the patient is unaware (e.g. to regulatory agencies, for judicial proceedings, to medical examiners, for research purposes or to report abuse, neglect and domestic violence).
Unauthorized disclosures that result in privacy incidents must also be documented on the tracking log.

Refer to policy: Accounting of Disclosures of Protected Health Information to Patients

Patient authorization to access, use or share their PHI is needed unless the purpose is related to treatment, payment for treatment, or “healthcare operations” such as quality improvement, training, performance evaluations, audits; or is required by law.

A valid authorization must include specific information to ensure the patient or representative understands what PHI is involved, who is requesting PHI, the purpose of the request and the right to revoke an authorization. Authorizations intended for more than one purpose can be combined only under certain circumstances.

Regardless of the need for patient authorization, PHI accessed, used or shared for any purpose other than treatment should be kept to the “minimum necessary” information required to accomplish the pertinent task.

Refer to policies: Authorization for Release of Information; Minimum Necessary Data

Avoiding Verbal Violations

The Privacy Rule is not intended to interfere with necessary patient care communications. However, exercise appropriate discretion. HIPAA recognizes that “incidental disclosures” may be unavoidable at times as long as safeguards are in place to minimize such disclosures.
- Be sensitive to your surroundings and who may be able to overhear you.
- Discuss PHI in a private area if possible.
- Lower your voice in open areas.
- Avoid discussions in public areas such as elevators, cafeterias or near waiting rooms.

To communicate with family and friends, follow the policies that apply to your area of practice: Inpatient; Outpatient; Outpatient Psychiatry; Dental.

The “Permission to Communicate” form allows only disclosures necessary to assist the patient with care needs. If others are present during a discussion with a patient, ask for the patient’s permission to share PHI with those present.
Do not assume it’s OK to discuss specific patient information just because a family member or friend is with the patient or has “Permission to Communicate.” If obtaining permission is truly impossible, share only what you believe to be in the patient’s best interest.

When calling a patient:
- use the phone number designated by the patient; remember, it may be an alternate number.
- confirm that you are speaking with the patient or someone who has permission to communicate about the patient.
- do not leave PHI on answering machines or with individuals not authorized by the patient.

When calling a patient and leaving a message, provide your name, that you are calling from UConn Health, who the message is intended for, and ask that the individual return your call.

When calling with an appointment reminder, include only date, time and location on answering machines; no PHI or other details.

Refer to policy: Telephone/Voicemail/Answering Machine Disclosure of PHI

When a patient or other individual calls:
- Follow appropriate procedures to verify the caller’s identity. Ask open-ended verification questions such as “Can you please verify your address?” rather than “Is your address still…?”
- If an individual’s identity and/or legal authority cannot be verified, do not disclose any PHI and report the request to your supervisor or a department manager.
- Forward all John Dempsey Hospital patient inquiry calls to the Information Desk or telephone operators.
- Forward media requests for patient information to the Office of Communications.

Refer to policies: Directory Information: Disclosure of a Patient’s Information; Verification of Individuals or Entities Requesting Disclosure of Protected Health Information; Media Relations

Paper Perils

Do not leave documents unattended in offices or on unit desks/counters, printers, or fax machines. Avoid carrying documents with PHI, or use secure options such as encrypted thumb drives.
If you must carry papers, keep track of them, double check that you have all documents when you leave an area and shred them as soon as they are no longer needed. Records may not be removed from any building except by personnel authorized to transport records, such as courier services. Do not transport paper records in personal vehicles, remove records from UConn Health or personally carry them from one building to another. If a record is needed urgently for patient care, obtain Health Information Management’s (HIM) permission to transport records personally between UConn Health locations in the same building.

Follow the steps in the policy and recommended by OCR: Handling Paper Communications About Patients Including PHI. Be particularly careful to:
- Check and initial each page before mailing or handing over documents with PHI. The greatest risk exists when pages are not checked.
- Use two forms of identification when preparing documents and when handing them to a recipient.
- Incorporate JDH’s “Safety Absolute” principles: Verify before taking action with patient information.
- Be extra cautious with shared printers and guard against inadvertently picking up papers that can be mistakenly included with other documents.

PHI faxed in error to a care provider or healthcare entity generally carries a low risk. Faxes misdirected to locations that are not bound by HIPAA privacy may be a much higher risk. Follow the Faxing of PHI policy, which includes specific OCR recommendations:
- Confirm the accuracy of a fax number.
- Use UConn Health-approved cover sheets for all faxes, external and internal.
- Dial “9” and then the number when faxing outside of UConn Health.
- Collect papers when you leave a fax machine.
- Include the full name and spelling as well as location of each recipient when dictating a note or discharge summary that will be faxed to care providers.

Store PHI only in secure cabinets or offices and lock them, especially when you leave the area. Dispose of PHI only in locked shredder bins.
Documents with PHI must be rendered undecipherable. Never discard PHI in wastebaskets or recycling bins for convenience or because a shredder bin is full. Unsecured PHI or intact/partially shredded documents that end up in dumpsters or landfills are at risk for privacy breaches and identity theft.

Refer to policy: Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of Equipment and Electronic Media Containing Electronic Protected Health Information

Patient data in photographs, radiology images, pathology slides, physiological tracings, and audio/video recordings are all forms of PHI. Each form carries privacy risks and may require patient authorization to use or disclose. The same diligence and care must be exercised when accessing, using or disclosing non-textual PHI. Certain patient care areas are now equipped with video monitoring equipment designed for educational and other purposes. Carefully consider privacy and patient dignity when video monitoring is used.

Refer to policy: Visual, Audio or Recording of Patient Data Obtained Through Any Medium

Eluding Electronic Errors

Electronic resources are university property and are to be used for UConn Health business purposes only. Access confidential electronic data only for valid business purposes. There is no expectation of privacy. All data stored on UConn Health systems is discoverable under certain circumstances. Credit card numbers may never be collected, transmitted, or stored on UConn Health’s computing devices and networks. If you are no longer employed by UConn Health, you may not remove any data from UConn Health without Privacy and Security Office approval.

Please review policies: Information Technology Computer/Electronic Resource Use Policy; UCHC Information Security: Acceptable Use

Every system user must have and protect his or her unique login information.
Do not share passwords with any other person or allow anyone to access electronic systems using your login information. Using electronic resources under another person’s logon credentials creates risk for you and the other individual and may result in sanctions. UConn Health Information Technology will never ask for your password in email. An email asking you to reply with your user credentials should be deleted without response. Always log off whenever you step away from a computer on which you have been working. You will be held responsible for electronic accesses or any activity conducted under your login.

Refer to policy: UCHC Information Security: Systems Access Control

- Do not “surf” the census.
- Do not look up family, friends, other employees or anyone you supervise or who supervises you, students or anyone, even if they ask you to do so.
- Do not schedule appointments as a favor to family and friends.
- Do not look at information out of curiosity, including high profile individuals or patients associated with newsworthy events.
- Do not print clinical information.
- Do not check billing or other financial information.
- Do not share information with others who do not have a need to know.

Unless you need to access, use or disclose PHI to carry out an assigned job responsibility, don’t do it. Before you click on, open, use or disclose any information, ask yourself “Do I need this PHI to complete an assigned work-related task?” If the answer is “yes”, it is likely OK to access, use or share the PHI. If the answer is “no”, don’t do it. If you’re wondering whether or not it is appropriate to access PHI, stop and check with your supervisor or the Privacy Office.

Confidential data may be stored on UConn or non-UConn Health mobile computing devices (MCDs) only if:
- the device is encrypted by UConn Health Information Technology.
- data is protected from unauthorized access and disclosure.
- the minimum necessary information for a particular function is stored, and only for as long as needed to perform that function.

If a device is used to access any type of confidential UConn Health data, Information Technology must ensure that proper security controls are installed. As long as certain requirements are met, users may work with IT to access UConn Health’s electronic information via their personally owned MCDs. Personally owned MCDs must be registered and secured at the BYOD website. Always safeguard devices from loss or theft. If you are no longer working at UConn Health, institutional data, UConn Health email and WiFi settings must be completely deleted from the MCD.

Refer to policy: Mobile Computing Device (MCD) Security

UConn Health email accounts are to be used only for business purposes. Emails sent outside of the UConn Health network that contain confidential information or PHI must be sent securely. Do not email confidential information or PHI to non-secure sites such as your home email address.
- Carefully check email recipients before hitting “Send” to be sure you are including the correct individual(s).
- Don’t hit “Reply to All” unless you really mean to reply to all.
- Use extra care when choosing names from the address book, regarding persons with similar names or when recipient names auto-populate in the “To” or “cc” lines.
- Communicate only with individuals who have a need to know and are properly authorized to receive confidential information, including PHI.
- When sending confidential information to a UConn Health group, choose the correct distribution list.

To send an email securely, either click the secure icon in the upper left hand corner of the email message screen, or type [secure] (brackets and the word) in the email subject line or body.

Email spam is annoying at best and may pose extreme risk to users and to UConn Health.
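The identifier list and the secure-email rule above describe a check that can be automated at the mail gateway: scan an outbound message for PHI identifier patterns and, if it is addressed outside the institution, require the [secure] tag. The following is an added illustration, not UConn Health's gateway or any product's code; the internal mail domain, the regexes and the sample message are constructed for the example, and only a subset of the identifier categories is covered.

```python
import re

# Constructed placeholder for the institution's mail domain (assumption for this example).
INTERNAL_DOMAIN = "uconn-health.example"

# Regexes for a subset of the identifier categories listed in the training.
# Constructed for this example; a production rule set is far broader (names, addresses, ...).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# The training says typing [secure] in the subject or body triggers encrypted delivery.
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)


def find_identifiers(text):
    """Map each identifier category to the literal matches found in the text."""
    return {name: pat.findall(text)
            for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}


def redact(text):
    """Safe Harbor style scrubbing: replace every matched identifier with its category tag."""
    for name, pat in IDENTIFIER_PATTERNS.items():
        text = pat.sub("[" + name.upper() + "]", text)
    return text


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the recipient's domain is neither the internal domain nor a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == internal_domain or domain.endswith("." + internal_domain))


def check_outbound(recipients, subject, body):
    """Apply the training's rule: confidential data leaving the network must be sent [secure].

    Returns (verdict, identifiers_found) where verdict is one of
    "allow", "allow-encrypted" or "block".
    """
    found = find_identifiers(subject + "\n" + body)
    if not found:
        return "allow", found            # nothing sensitive detected
    if not any(is_external(r) for r in recipients):
        return "allow", found            # stays inside the institution's network
    if SECURE_TAG.search(subject) or SECURE_TAG.search(body):
        return "allow-encrypted", found  # tagged, so the gateway encrypts it
    return "block", found                # PHI to an outside address without the tag


if __name__ == "__main__":
    # Constructed sample message; not a real patient or a real recipient.
    body = ("Patient seen 01/02/2018, MRN 00123456, DOB 03/14/1960. "
            "Call back at 860-555-0147.")
    outside = ["dr.smith@other-practice.example"]
    print(check_outbound(outside, "Follow up", body))
    print(check_outbound(outside, "[secure] Follow up", body))
    print(redact(body))
```

The redact function shows why "de-identified" text is not PHI: once the identifier categories are stripped, the remaining clinical content no longer points at an individual.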
Phishing scams, a form of cybercrime, involve conning users by posing as legitimate organizations to obtain personal information such as passwords and login credentials. Ransomware is malicious software, usually loaded by clicking on links or attachments, that is designed to block access to a computer system until a ransom is paid. Healthcare has been specifically targeted by attackers and is especially vulnerable, as ransomware can block access to electronic patient records, which jeopardizes patient care and the confidentiality of patient information. Never click on unsolicited links or email attachments without verifying the authenticity of the sender or message. Contact the IT Help Desk at 860-679-4400 or [email protected] if you have any doubts.

Text messages sent without proper software are not secure. Do not text confidential information unless a UConn Health approved secure text application has been installed and activated. Secure texting applications ensure that encrypted messages are transmitted from a secure server and prevent cell phone networks from keeping a message copy.

Information related to your UConn Health work should never be shared on social media sites. Patient information may be identifiable even when minimal information is posted.

All UConn Health information, especially PHI, must be scrubbed from electronic devices by the Office of Logistics Management (OLM) before any electronic storage media/devices are removed from a department. When planning disposal, store computers/laptops or other devices in a locked, secure area. Do not leave equipment in hallways or other unlocked areas.

Refer to policy: Disposal of Documents/Materials Containing PHI and Receipt, Tracking and Disposal of Equipment and Electronic Media Containing Electronic Protected Health Information

UConn Health’s new electronic medical record (EMR) is under development and scheduled to go live in April 2018.
The EMR will replace many existing electronic systems and consolidate patient information into a single record. If you have questions or ideas related to patient confidentiality and the new EMR, discuss them with your manager or department UConn HealthONE representative.

Other Privacy Pointers

Whenever possible, eliminate or limit use of Social Security numbers as part of department processes and use other unique identifiers, if allowed. When Social Security numbers are required, handle them with the utmost care and follow proper procedures to protect the numbers from unauthorized access or disclosure. Hide or remove Social Security numbers from communications unless specifically needed by recipients.

Under no circumstances should credit card account numbers be collected, stored or transmitted on UConn Health devices or networks. Credit card information may not be sent via email for any reason.

PHI in any form may be used or disclosed for research purposes provided there is a valid participant authorization. Research authorizations must be written in plain language and clearly articulate how participants’ PHI will be used and with whom it will be shared. An authorization is not required under certain circumstances as approved by the Institutional Review Board (IRB). When using or disclosing information as a limited data set, an appropriate data use agreement must be in place. A Limited Data Set must remove direct identifiers associated with PHI but may include other potentially identifying information. PHI that is accessed, used or disclosed without proper authorization or outside of the parameters outlined in the IRB protocol must be evaluated as a potential breach. Report privacy incidents immediately to the Privacy Office and to the IRB.
Refer to policy: Use and Disclosure of Protected Health Information for Research Purposes

If using PHI for education within UConn Health or with UConn Health students, residents and fellows: no patient authorization is needed, but access only the PHI necessary to meet the educational goal. For meetings, lectures or conferences outside of UConn Health or with nonaffiliated practitioners: information must be de-identified or patients must give authorization.

Refer to policy: Use of Protected Health Information in Education

Business Associates (BAs) are entities that may create, receive, maintain, or transmit PHI on behalf of UConn Health, including data transmission services or storage firms that have access to PHI even though they may not actually view the PHI. Appropriate Business Associate Agreements (BAAs) must be implemented to outline the respective responsibilities of UConn Health and the BA. BAs must comply with the HIPAA Privacy and Security Rules and are directly liable for their actions, but UConn Health may also be held liable for the actions of its BAs.

Refer to policy: Business Associate Contracts

Marketing is communication that encourages individuals to use a particular product or service. Specific HIPAA Privacy rules apply to marketing situations. Written authorization is needed when disclosing PHI related to marketing, except for:
- face-to-face communications.
- nominal promotional gifts provided by UConn Health.

Patients must be informed as part of the authorization when marketing involves financial compensation from a third party. For instance: patient permission is required for communications about new equipment if a manufacturer pays UConn Health to send the information. But no authorization is required to announce the opening of a new building, even if building funds are donated by a third party, since the payment is not in exchange for the announcement. Contact the Privacy Office for guidance.
Refer to policy: HIPAA Marketing Compliance

UConn Health fundraising efforts must be coordinated through the UConn Foundation. Only certain patient information may be shared with the Foundation. Patients may opt out of fundraising communications:
- The Notice of Privacy Practices includes the choice to opt out.
- Treatment cannot be conditioned on an individual’s choice to opt out.
- UConn Health may send newsletters, brochures and other educational or event notices to patients even if they have opted out of fundraising communications.

Refer to policy: HIPAA Fundraising Compliance

Managing Privacy and Security Incidents

Gather as many details as possible and immediately notify your supervisor and the appropriate office:
- Privacy Office: 860-679-4180 or [email protected]
- Information Technology: 860-679-3528 or [email protected]
- Institutional Review Board (IRB) for research incidents.
- REPORTLINE: 1-888-685-2637 (to remain completely anonymous).

A “breach” is an impermissible use or disclosure of PHI that compromises the security or privacy of that information. The HIPAA rules require an evaluation of the following factors to determine the risk of compromise to any PHI:
- The types of PHI involved.
- The unauthorized person(s) who accessed or used the PHI or to whom the PHI was disclosed.
- Whether the PHI was acquired/viewed.
- Mitigation efforts to reduce the risk.
- Other pertinent factors.

Be aware of the “red flags” that signal possible ID theft, such as:
- notifications or warnings from a Consumer Reporting Agency.
- suspicious documents that appear to be forged or altered.
- inconsistent personal identifying information such as address and phone number.
- an individual’s inability to provide any other identity authentication, such as answers to challenge questions.
- suspicious, unusual or unexpected changes in account activity.

When admitting inpatients or checking in outpatients, take the time needed to verify identification. Trust your gut.
If something doesn’t seem right, seek guidance. Contact the Compliance Office with questions or concerns related to any type of known or suspected identity theft.

Refer to the University of Connecticut Identity Theft Prevention Program

Synthetic identity theft often includes a combination of real and fake credentials that are used to create new, “synthetic” identities. Identity thieves need only a minimal amount of information to “synthesize” an identification. Since only parts of an individual’s actual information are used in combination with other individuals’ or fictitious information, it may be seen as a “typo” or an innocent information error. Extra vigilance is needed to ensure subtle discrepancies are not overlooked.

The Privacy and Security Offices proactively monitor access and use of confidential information. Individual electronic accesses to patient information systems are reviewed randomly and when improper activity is suspected. You may be notified and asked to justify your electronic accesses evaluated as part of a routine monitor. Privacy and Security “walk rounds” are conducted to educate, assist with questions and address specific concerns. Monitoring alone can’t eliminate risk. If you see, hear, experience, suspect or know of a problem, say something. Always wear your ID badge, particularly in patient care or other areas where confidential information is located.

Progressive discipline, up to and including termination, will be pursued for individuals responsible for inappropriate access, use or disclosure of PHI or other types of privacy/security incidents. Wrongful and purposeful disclosure of protected health information carries fines and can result in incarceration.
Refer to policy: Sanctions Policy for Privacy and Security Violations for Faculty and Staff Privacy Office IT Security Office HIPAA Privacy Policies HIPAA Security Policies Iris Mauriello, Privacy Officer 860-679-3501 [email protected] Denise Purington, Interim Chief Information Officer 860-679-6232 [email protected] Peg DeMeo, Associate Compliance Officer 860-679-1226 [email protected] Tara Rousseau, Executive Assistant 860-679-4255 [email protected] Ginny Pack, Associate Compliance Officer 860-679-1280 [email protected] Privacy Office email: [email protected] REPORTLINE:1-888-685-2637 and require a strong commitment and team effort!! Please review the following questions and answers Debbie, a UConn Health nurse caring for a patient on a medical unit, approaches the patient to obtain additional information regarding her past medical and mental health history. The patient’s family member, who the nurse knows has “permission to communicate”, is visiting. Since the family member has been given permission to communicate, it is OK for Debbie to discuss all PHI pertaining to the patient in the presence of her family member. True False The correct answer is false. Patients may provide “permission to communicate” with certain family members or others which allows care providers to share patient information only to the degree necessary and appropriate to assist the patient with their care needs. However, bedside or exam room conversations may exceed this threshold. When family members or companions are present, be sure to speak directly to the patient. It may be appropriate to ask the family member to excuse you and leave the room so you can speak with the patient and offer the option to agree or object before allowing the family member to be present for a discussion. 
If the patient freely approves of a family member’s presence during the discussion, then you have fulfilled the obligation of giving the patient the opportunity to agree or object to this disclosure of patient information. Refer to policy: Use and Disclosure Involving Family and Friends

Following an outpatient clinic appointment, the medical assistant agrees to mail a copy of the visit note to the patient. He prints the note on a printer shared by several staff members. What is the most important step before mailing the document?
a. Ensure the note is printed on UConn Health letterhead.
b. Check and initial each page to ensure all pages are intended for this patient.
c. Put a stamp on the envelope.

The correct answer is “b.” To ensure all pages are being mailed to the intended recipient, each page must be carefully checked and initialed by the staff member preparing the document before placing it in the envelope. Refer to policy: Handling Paper Communications About Patients Containing PHI

UConn Health fax cover sheets are required when faxing a document to another department within the institution.
True
False

The correct answer is “True.” UConn Health policy Faxing of Protected Health Information requires that an approved cover sheet be used for all faxes, whether faxing within or outside of UConn Health.

Dr. Dodd, a UConn Health physician, prints a surgical schedule that includes patient names, medical record numbers and handwritten notes about each procedure. He reviews the schedule while eating lunch and inadvertently leaves the pages on a cafeteria table. Which of the following is most likely to reduce the risk of compromise to the PHI?
a. A visitor discovers the papers and takes them home.
b. A UConn Health workforce member finds and gathers the papers and immediately reports the incident to the Privacy Office.
c. A passerby finds the documents and crumples them before discarding them in the trash.
The correct answer is “b.” Workforce members who see and retrieve unattended documents containing confidential information and report the finding to the Privacy Office significantly reduce the potential risk of compromise to that information.

Emails containing confidential information that are sent outside of the UConn Health network must be sent securely to ensure they are encrypted.
True
False

The correct answer is “True.” Emails can be sent securely by either clicking the “secure” icon or by including [secure] in the subject line or body of the email.

Donald, a staff member caring for an Emergency Department patient, Derick, who has suffered a fractured leg following a ski accident, recognizes that Derick is the brother of a college buddy. After work, Donald posts a message on his Facebook page to let other friends know about Derick’s injury. Is this OK?
Yes
No

The correct answer is “No.” Patient information learned in the course of one’s job responsibilities should never be shared on social media.

Daisy, an employee in Dermatology and one of Donald’s Facebook friends, sees his post about Derick’s injury and ED visit. Curious to learn more, Daisy accesses Derick’s electronic medical record to see what she can find out. Is this OK?
a. Yes, since Daisy has access to the UConn Health electronic patient information systems as part of her professional role, she may look at all PHI stored in any system.
b. Yes, as long as Daisy views only the minimum necessary PHI to get the scoop.
c. No, Daisy should not access PHI or any confidential information unless it is required for her specific job responsibilities.

The correct answer is “c.” Only PHI or confidential information needed to carry out one’s specific work responsibilities should be accessed.

Douglas, an Orthopedic resident, is planning an educational presentation on the topic of compound fractures.
He has a spreadsheet with the names, medical record numbers and PHI of several orthopedic patients stored on an unencrypted laptop. He leaves the laptop in an unlocked office and returns to discover it missing. What could Douglas have done to better protect the PHI?
a. Ensure the laptop is properly encrypted and lock the office before leaving.
b. Put his name and phone number on the laptop for safe return.
c. Limit the amount of PHI stored to no more than five patients.

The correct answer is “a.” To protect confidential information stored on any mobile device, including laptops, devices should be encrypted through Information Technology’s “Bring Your Own Device” (BYOD) program and always placed in a secure/locked area when unattended.

A local newspaper includes an article about a well-known state official who was involved in a serious accident and treated at John Dempsey Hospital (JDH). Since it was publicized that the individual was treated at JDH, it is OK for any UConn Health employee to access and review the patient’s medical record, regardless of whether the employee has a work-related reason to do so.
True
False

The correct answer is “False.” Employees should never access or use a patient record unless the access/use is required in order to complete a specific work-related task.

If you know or suspect that a Privacy or Security incident has occurred, you must report it to your supervisor and to the Privacy or Security Office:
a. Immediately.
b. Within 48 hours.
c. Within seven days.
d. Whenever it is convenient.

The correct answer is “a.” In order to mitigate the potential risk to the PHI, Privacy or Security incidents must be reported to your supervisor and the appropriate office immediately upon discovery.

Thank you for completing Privacy and Security training.

Training questions? Contact Ginny Pack at 860-679-1280 or [email protected]

Please complete the training attestation. Return the signed attestation to your UConn Health supervisor or manager.