SAFEGUARDING DHS CLIENT DATA PART 2

Transcript of SAFEGUARDING DHS CLIENT DATA PART 2 (SAFEGUARDING PHI AND HIPAA)

  • SAFEGUARDING DHS CLIENT DATA PART 2
  • SAFEGUARDING PHI AND HIPAA. Safeguards must: protect PHI from accidental or intentional unauthorized use/disclosure in computer systems and other work areas; limit accidental disclosures (such as client information being discussed in hallways); include practices such as document shredding, locking doors, locking file storage areas, and use of passwords and codes for access. (2014 DHS IT Security & Privacy Training, slide 2)
  • SAFEGUARDING PHI: DISCUSSING PHI. You never know who may be listening when you are discussing a client. The client or coworker could be the client's neighbor, best friend, snoopy coworker, etc. Remember to talk quietly. When possible, discuss PHI privately, such as behind a closed door. Avoid having discussions in client waiting rooms, elevators, cafeterias, etc.
  • SAFEGUARDING: TALKING WITH FRIENDS ABOUT WORK. Do not share with family, friends, or anyone else a client's name or any other information that may identify him/her. For example, it would not be a good idea to tell your friend that someone you know came into the office to apply for Food Stamp benefits and Medicaid benefits. Do not inform anyone that you know that someone who is receiving aid, or their family members, were seen at DHS.
  • SAFEGUARDING PHI: MEDIA. What if your organization is contacted by the media? Should you release PHI to them? What if you are contacted by an individual who is offering to pay you money for PHI? Should you release it?
  • THE ANSWER TO BOTH IS NO!!! You may not release PHI under either of these circumstances. Both can be grounds for disciplinary action and criminal or civil monetary penalties.
  • SAFEGUARDING PHI CONTINUED. What if you need to transport paper records which contain PHI to another department? Is it OK for you to do this? Yes, you can transport documents to another department, but here are some helpful tips: carry them in a designated box, folder, or container; ensure that there are no names visible. Remember: never leave PHI unattended. This means don't leave it in your car or out in an open area where it may be viewed or taken.
  • EXAMPLE SCENARIO. You work with client records on a daily basis and receive a phone call from a client stating that she received another client's application for Medicaid. The application has the person's name, date of birth, home address, and SSN included in the form. Do you have to report this?
  • YES!! This should be reported immediately. A notice may have to be sent to the individual whose information has been compromised.
  • SAFEGUARDING: FAXING DHS CLIENT DATA. Fax sensitive information only when mail delivery is not fast enough to meet client needs. Ensure information is sent to the correct fax number by confirming the number and calling ahead to make sure someone will be there to receive the information. For more information on faxing sensitive information, refer to DHS Policy 4006.
  • EXAMPLE SCENARIO. You pass by the fax machine in your area and notice that several pages containing medical diagnosis codes and the name of the client have been left next to the fax machine. The date on the fax indicates it has been there for days. What should you do?
  • REPORT IT! Be sure to give the documents to your supervisor and make sure the incident is reported immediately through the Security and Privacy tab on DHS Share: https://dhs.arkansas.gov/reporting. This will begin an investigation to determine how and why this record was subject to improper handling.
  • SAFEGUARDING: EMAIL. When sending an email, try not to include PHI or sensitive information such as Social Security Numbers unless you have to. Remember to avoid putting sensitive information in the subject line. For example, if you receive an email from another party and the date of birth, SSN, and name of the client are in the subject line, delete them from the subject line. Encrypt email sent outside the arkansas.gov network by putting the word "sensitive" in the subject line. For more information, please refer to DHS Policy 4006, Emailing and Facsimile Use.
  • EXAMPLE. You have been swamped at work all day and the work day is about to end. You decide that you will forward your work to your personal email address and pick up where you left off at home. The information in the email contains sensitive client data, including SSNs, dates of birth, and names and addresses of the clients. Is this a privacy violation?
  • YES!!! DHS employees should never email or cc client data to their personal email accounts. This must be reported immediately to the Security and Privacy reporting site: https://dhs.arkansas.gov/reporting. This is a violation of DHS Policy 4006 and is subject to disciplinary action.
  • EVEN WITH SAFEGUARDING, INCIDENTS HAPPEN. SOME EXAMPLES: transposing an address and mis-mailing a client chart or application; failing to validate the date of birth and address and sending out the wrong person's PHI; theft of non-encrypted laptops; employees or contractors snooping in a client file that is not part of their job; employees or contractors throwing PHI in the trash, which is taken to the dumpster without being shredded.
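The email rules in the slides above (no SSN or date of birth in the subject line, the word "sensitive" in the subject for mail leaving arkansas.gov, and never forwarding client data to a personal account) can be turned into a pre-send check. This is an added example, not DHS code or part of the training; the webmail domain list and the SSN/date patterns are assumptions for illustration.

```python
import re

# Constants mirror the training rules; the webmail list is an assumption for this example.
INTERNAL_DOMAIN = "arkansas.gov"
ENCRYPT_KEYWORD = "sensitive"
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Heuristic patterns for the identifiers the slides name: an SSN (123-45-6789)
# and a US-style date of birth (MM/DD/YYYY).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b\d{1,2}/\d{1,2}/(?:19|20)\d{2}\b")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('a@B.gov' -> 'b.gov')."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_internal(domain: str) -> bool:
    """True for arkansas.gov itself and any of its subdomains (e.g. dhs.arkansas.gov)."""
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def contains_identifiers(text: str) -> bool:
    return bool(SSN_RE.search(text) or DOB_RE.search(text))


def check_outgoing_mail(sender: str, recipients: list, subject: str, body: str) -> list:
    """Return the policy problems found; an empty list means the message passes."""
    problems = []
    sensitive = contains_identifiers(subject) or contains_identifiers(body)

    # Rule 1: SSNs and dates of birth never belong in the subject line.
    if contains_identifiers(subject):
        problems.append("subject line contains an SSN or date of birth; move it to the body or remove it")

    for rcpt in recipients:
        dom = domain_of(rcpt)
        # Rule 2: client data must never go to a personal webmail account (including your own).
        if sensitive and dom in PERSONAL_WEBMAIL:
            problems.append(f"client data addressed to personal webmail account {rcpt}")
        # Rule 3: sensitive data leaving arkansas.gov needs the encryption keyword in the subject.
        elif sensitive and not is_internal(dom) and ENCRYPT_KEYWORD not in subject.lower():
            problems.append(f"unencrypted sensitive data leaving the network to {rcpt}; "
                            f"add '{ENCRYPT_KEYWORD}' to the subject")
    return problems


if __name__ == "__main__":
    # Constructed sample: a worker forwarding a case to her own Gmail at the end of the day.
    print(check_outgoing_mail("worker@dhs.arkansas.gov", ["worker@gmail.com"],
                              "Re: Jane Doe 123-45-6789 Medicaid app", "Client DOB 04/12/1980"))
```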