April 8, 2005

New rules set to safeguard patient info

Mark Anderson, M.D., Ph.D., Roger Colbran, Ph.D., and Rong Zhang, M.D./Ph.D.
photo by Dana Johnson

New federal regulations regarding electronic patient information go into effect April 20. The regulations concern everything from recovery of electronic patient information in a disaster to training for health care workers regarding secure use of such information.

The new regulations are a component of HIPAA (Health Information Portability and Accountability Act). The HIPAA privacy rule, in effect since April 2003, focuses on the protection of patient information in any form — written, verbal or electronic.

The new security regulation specifically concerns the availability, confidentiality and integrity of electronic patient information, said Kimberly E. Len, privacy and security manager with the HIPAA team at Vanderbilt University Medical Center.

As one element of compliance with the new security regulations, VUMC is providing training for all faculty and staff regarding the rudiments of secure handling of electronic patient information. The training includes such basic reminders as never to share system passwords and never to leave workstations unattended without logging out.

The online training takes 10 to 15 minutes to complete, Len said. To take the training, go to www.webinservice.com/Vanderbilt. Staff must complete the training to receive an annual job evaluation score and an annual salary adjustment.

Another piece of HIPAA-related news that affects VUMC is that, effective in late April, the Medical Center will have a new sanctions policy for violations of patient privacy by staff and faculty. Besides adding clarity and providing many more examples of violations, the new policy makes revealing a systems password a level 3 violation instead of a lesser level 2 violation. A level 3 violation puts an employee into final performance improvement counseling and automatic six-month job probation.

In a recent five-month period, about half the complaints reported to the VUMC Privacy Office turned up actual privacy violations, Len said; about 10 percent of the violations resulted in level 3 or level 4 disciplinary actions and in some cases have led to immediate dismissal of employees.

As another element of compliance with the new HIPAA security regulations, the VUMC HIPAA Team, headed by Health Information Systems Projects Manager Grace M. Upleger, is completing a risk assessment of patient information systems. Approximately 600 departments have responded and so far about 575 departmental systems and databases have been identified. Any departments that still need to complete this risk assessment can do so online at https://trutto.mc.vanderbilt.edu/hipaa/.

Last August, Mark M. Johnson was appointed as Vanderbilt's chief information security officer, responsible for information security for both the University and the Medical Center. (Privacy Official Gaye Smith leads VUMC compliance with respect to patient privacy.)

The VUMC HIPAA Team will observe National Health Information Privacy and Security Week with lunch-and-learn sessions at noon on Thursday, April 14, in 206 Preston Research Building, and at noon on Friday, April 15, in 202 Light Hall. Presentations will include discussions of forthcoming VUMC policies related to the new security regulations. Free pizza will be provided, along with give-aways and a prize drawing for a Creative Labs Zen Micro 5 Gigabyte MP3 player. There will also be a booth set up in the Courtyard Cafeteria April 13, from 11 a.m. to 2 p.m., where faculty and staff can pick up give-aways and test their information security knowledge.

To report incidents related to patient privacy or information security, call the Privacy Office, 936-3594, or the Help Desk, 343-4357, or talk to your manager. For more information, go to www.mc.vanderbilt.edu/HIPAA, or send questions in an e-mail to hipaa.team@vanderbilt.edu.