Privacy & Information Security: Tackling Trends & Threats
December 12, 2014
Norma A. Chitvanni, RHIT, CHPS
nchitvan@bidmc.harvard.edu

Agenda
- Omnibus Rule: pay out of pocket (2013)
- Mobile clinical equipment
- Email security
- Training & education
- Keep Information Private (KIP)
- Phishing
- Business Associates
- OCR audits
- Information Security and Privacy committee
- "You Know Me" video
Omnibus Rule: Pay Out of Pocket
- Patients who pay out of pocket in full may restrict disclosure of that service to their health plan
- A challenging process to operationalize
- The restriction may cover only part of the services delivered
- Distinct from a general self-pay status
- Ensure nothing about the restricted service is released to the insurance company
- Payment may be made at the time of service or later
- The patient must request the restriction each time

Mobile Clinical Equipment
- A stolen ultrasound machine with patient information stored on the device
- Affected patients were notified
- Breach reported to OCR
- A task force was formed
- Outcomes: locator devices on mobile equipment, policy development, and education
Secure Transmission of Email
- Send Secure: staff trigger encryption by placing "#Secure" before the subject
- Proofpoint system handles the encryption
- Outbound email is monitored, with feedback to staff
- A patient-friendly encryption notice developed with the Patient Family Advisory Committee (PFAC)
- Transport Layer Security (TLS) connections for transmission
- Secure File Transfer for large files

Training & Education
- Information Security & Privacy annual mandatory education, including a test and attestation
- New Employee Orientation includes IS&P training
- Delivered through the Learning Management System (LMS)
- Completion of training is monitored
- Corrective Action modules
- Keep Information Private (KIP) annual awareness campaign
KIP Awareness Campaign
- Posters
- Tent cards for cafeteria tables
- Labels on food containers
- Handouts
- Plasma screen displays
- Focus on phishing
- Campaign logo
Phishing
- The campaign focused on phishing and used props to boost awareness
- Handouts: phishing FAQs
- A bowl of Swedish Fish and Goldfish crackers
- Raffle/drawing for a box of Swedish Fish
- Toy fishing rods (Melissa & Doug)
- Campaign video

Business Associate Agreements
- New Omnibus Rule requirements
- Effective date: March 26, 2013
- Compliance date: September 23, 2013
- Existing BAAs could continue to operate for one year from the compliance date (until September 22, 2014)
- Perform BAA audits and reviews
OCR Audit
- 169 items in the audit protocol: 78 security, 81 privacy, 10 breach
- Performed a mock audit on the privacy and breach items
- Readiness binder and electronic folder
- Annual review; check the OCR website for protocol updates

Information Security & Privacy Committee (IS&P)
- 32 members, meets monthly
- Addresses IS&P issues
- Creates and approves policies
- Discusses breaches
- Identifies issues and creates task forces, which report back to IS&P
- Reports to the Management Compliance, Audit & Risk Committee
- Reports to the Board Compliance, Audit & Risk Committee
"You Know Me" Video
- Produced with the Patient Family Advisory Committee
- Sent to all workforce members
- Included in New Employee Orientation
- Introduced our Information Security and Privacy intranet site
- Award winning: MaHIMA Team Excellence Award 2013; New England Society for Healthcare Communications Silver Lamplighter Award