
Page 1: Personal Accountability for Data Stewardship

Personal Accountability for Data Stewardship

1st Year Medical Students – October 18, 2012

2nd Year Medical Students – October 9, 2012

Noella Rawlings, Director of Compliance, School of Medicine

Richard Meeks, Assistant Compliance Officer, UW Medicine

Page 2: Personal Accountability for Data Stewardship

Personal and Professional Accountability

• Personal Accountability = Being answerable for the outcome of your actions or inactions

• Professional Accountability = Demonstrated excellence, integrity, respect, compassion, accountability, and a commitment to altruism in all our work interactions and responsibilities. (UW Medicine Professionalism Policy)

http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx

• As the representatives of UW Medicine, we are personally, professionally, ethically, and legally responsible for our actions

Patients place their trust in us

Page 3: Personal Accountability for Data Stewardship

Your Accountability for Data Stewardship

• Safeguard data (electronic or paper) that you use or access, including but not limited to:

  • Confidential – protection of data required by law

    • Protected health information (PHI) – protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    • Individual Student Records – protected by the Family Educational Rights and Privacy Act (FERPA)

    • Individual financial information (e.g., credit card, bank)

    • Other personal information such as Social Security Number

  • Proprietary – intellectual property or trade secrets, research data

Page 4: Personal Accountability for Data Stewardship

Your Accountability for Data Stewardship

• Safeguard data (electronic or paper) that you use or access, including but not limited to:

  • Restricted – data that is not regulated, but for business purposes is considered protected either by contract or best practice, including research data

Page 5: Personal Accountability for Data Stewardship

Tools to Assist You in Safeguarding Data

• Encryption

https://security.uwmedicine.org/training/dept_materials/default.asp

• Complex passwords

http://security.uwmedicine.org/guidance/role_based/end_user/default.asp

• Locking offices and files

• Education and training materials

https://security.uwmedicine.org/Training/Sec_Aware/default.asp

• Privacy, Confidentiality and Information Security Agreement (PCISA)

• Following policies restricting removal of data from worksites

Page 6: Personal Accountability for Data Stewardship

PRIVACY, CONFIDENTIALITY AND INFORMATION SECURITY AGREEMENT

• http://www.uwmedicine.org/Global/Compliance/Document/UW-Medicine-privacy-Confidentiality-Agreement.pdf

• Agree to safeguard confidential and restricted information

• What does this mean and why is it important?

Page 7: Personal Accountability for Data Stewardship

Encryption

• Where to get information and help with encryption:

http://security.uwmedicine.org/guidance/technical/laptop_mobiledevice_encryption/default.asp

http://security.uwmedicine.org/Home/Communications/Laptop_Encryption_Awareness_Email_033111/default.asp

IT Services Help Desk: [email protected]

DOM IT Help Desk: mailto:[email protected]

Page 8: Personal Accountability for Data Stewardship

Safeguarding Patient Information

• Comply with UW and UW Medicine policies:

Privacy: http://depts.washington.edu/comply/privacy.shtml

Information Security: http://security.uwmedicine.org/guidance/policy/default.asp

• Privacy Policy PP-30

http://depts.washington.edu/comply/docs/PP_30.pdf

Page 9: Personal Accountability for Data Stewardship

PERSONAL CONSEQUENCES OF A BREACH

• Loss of patient and public trust

• Your name is reported to:

  • Your Program Director, Department Chair, Executive Director and/or Unit Head

  • Dean of the School of Medicine and/or Vice Dean, Academic Affairs

  • UW Medicine Chief Health System Officer

  • UW Health Sciences Risk Management

  • UW Chief Information Security Officer

  • Federal and state regulatory agencies

• The time you’ll spend cooperating with investigations, being retrained, and other remedial activities

• Imposition of sanctions, disciplinary actions, and potential civil/criminal penalties

• Your personal and professional reputation

Page 10: Personal Accountability for Data Stewardship

INSTITUTIONAL CONSEQUENCES OF A BREACH

• Potential loss of public trust in UW Medicine

• Significant time and resources to investigate, conduct forensics, analyze findings, and determine appropriate course of action

• Involvement of legal counsel, risk management, executive directors, unit heads

• Federal law requirements regarding notification

• Call center for each case requiring patient notification

• Office of Civil Rights investigation

• Possible imposition of civil/criminal penalties, fines and sanctions

Page 11: Personal Accountability for Data Stewardship

Breach Notification Rules

• Definition of Breach: “acquisition, access, use or disclosure of PHI … that compromises the security or privacy of the PHI.”

• Notification requirements apply only to “unsecured” PHI. PHI is deemed unsecured unless rendered “unusable, unreadable, or indecipherable” to unauthorized individuals by technologies or methodologies identified by HHS (currently limited to encryption or destruction).

• Notification of affected individuals required if the breach poses a “significant risk of financial, reputational or other harm to the individual.”


Page 12: Personal Accountability for Data Stewardship

Breach Notification Rules

• All breaches must be reported annually to the Office of Civil Rights.

• If a breach involves 500 or more individuals, it must be reported to media which reach location(s) in which the individuals reside.

• If a breach involves more than 10 individuals for whom an address is not available, the covered entity must place notice of the breach on its website for 90 days.

Page 13: Personal Accountability for Data Stewardship

UW Medicine Case Study #1

• Resident’s log book left in backpack, locked in trunk of car, and was stolen

• PHI: patient name, EMR number, dates of service, date of birth, clinic, and procedures

• 487 patients notified

• Self-reported to OCR; intense OCR follow-up investigation (2 years); required hundreds of hours of staff time; and resulted in substantive policy changes

• Lessons Learned

  • Written PHI may not be taken off site without authorization from supervisor, chair or program director

  • Written PHI taken off site should not leave physical possession at any time

Page 14: Personal Accountability for Data Stewardship

UW Medicine Case Study #2

• Unencrypted hard drive stolen from unlocked office

• PHI and QI data

• 3948 patients involved; 324 patients notified due to risk of harm; notification to OCR; posted on UW Medicine website; likely OCR investigation forthcoming

• Lessons Learned

  • Do not remove PHI from secured location

  • Password protect AND encrypt

  • Ensure physical security of devices at all times

Page 15: Personal Accountability for Data Stewardship

UW Medicine Case Study #3

• Medical student working on an IRB-approved study

• PHI of 1200 patients (study data) stored on laptop and laptop stolen from home

• Laptop and files containing PHI were password protected, but not encrypted

• Research data considered unsecured since not encrypted

• Possible notification of patients

• Lessons Learned

  • Password protect and encrypt

Page 16: Personal Accountability for Data Stewardship

National Case Studies

NATIONAL EVENTS

• Alaska DHHS Settles HIPAA Security Case for $1,700,000 – June 26, 2012

• HHS settles HIPAA case with BlueCross BlueShield of Tennessee (BCBST) for $1.5 million --March 13, 2012

• Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc.--February 14, 2011

See http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html


Page 17: Personal Accountability for Data Stewardship

Basic DO’s and DON’Ts

• Avoid taking confidential data off-site or downloading to portable or mobile devices

• If taking confidential data with you, you MUST obtain supervisor or department head approval

• Confidential or restricted data stored on mobile devices must be encrypted and your device password protected

• Lock up confidential data (locking file drawer, safe, or other locked device)

• Never leave confidential data in your car

Page 18: Personal Accountability for Data Stewardship

Medical Record Access

• You can access your own medical record on-line

• You cannot access your family’s or friends’ medical records on-line

• If you are treating a family member or friend, you must document in the medical record

• Compliance actively monitors access to patient records:

  o Random Audits

  o Patients of Media Interest

  o Patients with Privacy Alerts

Page 19: Personal Accountability for Data Stewardship

Smartphone Configuration

• If you use your smartphone to conduct UW business, such as accessing your UW e-mail, it must have:

  o Pass code or PIN

  o Automatic lock w/pass code or PIN

  o Tamper Wipe – Phone wiped after 10 pass code or PIN attempts

  o Back-up – Not to the cloud

  o Encryption

• http://ciso.washington.edu/resources/risk-advisories/smartphone-configuration/

• http://security.uwmedicine.org/guidance/policy/electronic_data

Page 20: Personal Accountability for Data Stewardship

Other Resources

Office of the Chief Information Security Officer

• http://ciso.washington.edu/resources/online-training/

• http://ciso.washington.edu/resources/smart-computing/

• http://ciso.washington.edu/


Page 21: Personal Accountability for Data Stewardship

Questions?