SAFEGUARDING PHI AND HIPAA
Safeguards must: protect PHI from accidental or intentional unauthorized use or disclosure in computer systems and other work areas; limit accidental disclosures (such as client information being discussed in hallways); and include practices such as document shredding, locking doors, locking file storage areas, and the use of passwords and access codes.
2014 DHS IT Security & Privacy Training 2
Slide 4
SAFEGUARDING PHI: DISCUSSING PHI
You never know who may be listening when you are discussing a client. Whoever overhears, whether another client or a coworker, could be the client's neighbor, best friend, a snoopy coworker, etc. Remember to talk quietly. When possible, discuss PHI privately, such as behind a closed door. Avoid having these discussions in client waiting rooms, elevators, cafeterias, etc.
Slide 5
SAFEGUARDING: TALKING WITH FRIENDS ABOUT WORK
Do not share a client's name, or any other information that may identify him or her, with family, friends, or anyone else. For example, it would not be a good idea to tell your friend that someone you know came into the office to apply for Food Stamp benefits and Medicaid benefits. Do not tell anyone that someone you know, or their family members, is receiving aid or was seen at DHS.
Slide 6
SAFEGUARDING PHI: MEDIA
What if your organization is contacted by the media? Should you release PHI to them? What if you are contacted by an individual who is offering to pay you money for PHI? Should you release it?
Slide 7
THE ANSWER TO BOTH IS NO!!!
You may not release PHI under either of these circumstances. Both can be grounds for disciplinary action and criminal or civil monetary penalties.
Slide 8
SAFEGUARDING PHI CONTINUED
What if you need to transport paper records that contain PHI to another department? Is it OK for you to do this? Yes, you can transport documents to another department, but here are some helpful tips: carry them in a designated box, folder, or container, and ensure that no names are visible. Remember: never leave PHI unattended. This means don't leave it in your car or in an open area where it may be viewed or taken.
Slide 9
EXAMPLE SCENARIO
You work with client records on a daily basis and receive a phone call from a client stating that she received another client's application for Medicaid. The application includes the person's name, date of birth, home address, and SSN. Do you have to report this?
Slide 10
YES!!
This should be reported immediately. A notice may have to be sent to the individual whose information has been compromised.
Slide 11
SAFEGUARDING: FAXING DHS CLIENT DATA
Fax sensitive information only when mail delivery is not fast enough to meet client needs. Ensure the information goes to the correct fax number by confirming the number before sending and by calling ahead to make sure someone will be there to receive it. For more information on faxing sensitive information, refer to DHS Policy 4006.
Slide 12
EXAMPLE SCENARIO
You pass by the fax machine in your area and notice that several pages containing medical diagnosis codes and the name of the client have been left next to the fax machine. The date on the fax indicates it has been there for days. What should you do?
Slide 13
REPORT IT!
Be sure to give the documents to your supervisor and make sure the incident is reported immediately through the Security and Privacy tab on DHS Share: https://dhs.arkansas.gov/reporting
This will begin an investigation to determine how and why this record was subject to improper handling.
Slide 14
SAFEGUARDING: EMAIL
When sending an email, do not include PHI or sensitive information such as Social Security Numbers unless you have to. Never put sensitive information in the subject line. For example, if you receive an email from another party with the client's date of birth, SSN, and name in the subject line, delete them from the subject line before replying or forwarding. Encrypt email leaving the arkansas.gov network by putting the word "sensitive" in the subject line. For more information, please refer to DHS Policy 4006, Emailing and Facsimile Use.
Slide 15
EXAMPLE
You have been swamped at work all day and the work day is about to end. You decide that you will forward your work to your personal email address and pick up where you left off at home. The email contains sensitive client data, including SSNs, dates of birth, names, and addresses of clients. Is this a privacy violation?
Slide 16
YES!!!
DHS employees should never email or cc client data to their personal email accounts. This must be reported immediately to the Security and Privacy reporting site: https://dhs.arkansas.gov/reporting
This is a violation of DHS Policy 4006 and is subject to disciplinary action.
Slide 17
EVEN WITH SAFEGUARDING, INCIDENTS HAPPEN. SOME EXAMPLES
Transposing an address and mis-mailing a client chart or application; failing to validate the date of birth and address and sending out the wrong person's PHI; theft of unencrypted laptops; employees or contractors snooping in a client file that is not part of their job; employees or contractors throwing PHI in the trash, which is then taken to the dumpster without being shredded.