hipaa privacy training confidentiality...2018/07/26 · hipaa covered records phi includes pii...
TRANSCRIPT
Confidentiality Training
City of Philadelphia Health and Human Services
Personally Identifiable Information Training for the HHS Data Exchange Project
What is Health and Human Services (HHS)?
Office of the Deputy Managing Director for Health and Human Services
• Department of Behavioral Health and Intellectual disAbility Services (DBHIDS)
• Philadelphia Department of Public Health (PDPH)
• Department of Human Services (DHS)
• Office of Community Empowerment and Opportunity (CEO)
• Office of Homeless Services (OHS)
Agencies that can give and receive data.
What you will learn:
• Philosophy for sharing personally identifiable information (PII).
• Different types of PII.
• Approved methods for sharing PII.
• Practice procedures to safeguard PII.
• Consequences and penalties of misusing PII.
Overview of Training
Module 1: Types of PII and Legal Requirements
Module 2: Eligible PII and Submitting Project Descriptions
Module 3: Administrative and Security Requirements
Module 4: Conclusion
Module 1: Types of Personally Identifiable Information (PII) and their Legal Requirements
Types of PII:
1. Child Welfare Records
2. Homelessness Data
3. Public Health Registries and Vital Statistics
4. Pathology and Medical Examiner Case Files
5. Medical and Laboratory Patient Records
6. Health Plan Claims Data
7. Behavioral Health Treatment Records
8. Criminal and Juvenile Justice Information
Child Welfare Records: Child Protective Services Law (CPSL)
Purpose of Child Protective Services Law:
• Encourage reporting of child abuse.
• Establish procedures to investigate child abuse.
• Establish procedures to protect children.
• Provide services for children’s well-being.
• Preserve, stabilize, and protect family life.
Child Welfare Records: Child Protective Services Law (CPSL)
Exceptions where HHS can share data:
• Multidisciplinary team members assigned to case.
• Providing voluntary or court-ordered services.
• Treating physician suspecting child abuse victim.
• City Mayor reviewing agency competence.
• Mandated reporter (limited types of information).
Child Welfare Records: Child Protective Services Law (CPSL)
Data Sharing for Department of Health Services:
• DHS can share with other agencies.
• Those agencies must serve DHS families.
• Those services must stabilize families.
Questions for Module 1
Jane is an OHS case worker who would like to request access to DHS information
about her client. She may have access to this information if:
A) She is a multidisciplinary team member who thinks that having the data would help
her better understand her clients.
B) She is a duly authorized person providing voluntary services and is curious about
the client’s past.
C) She is a duly authorized person providing voluntary services and the data would be
used for the purpose of stabilizing the family or preventing further abuse.
Homeless Management Information System (HMIS)
CHO may disclose homeless service data:
1. To provide or coordinate services.
2. To pay or reimburse for services.
3. For administrative functions.
4. To create de-identifiable PII.
Homeless Management Information System (HMIS)
OHS may disclose PII:
1. When required by law.
2. To prevent harm.
3. If victim of abuse, neglect or domestic violence.
4. For academic research.
5. For a law enforcement purpose, to a law enforcement official.
Questions for Module 1
Tom is a case worker at OHS who wants to connect his client with behavioral health services at
the shelter where the client is staying. He would want to send his name, address, and case
notes about observed behavior. What is his next step?
A) Check if a project description for this work exists, and if not, complete a project description.
B) Ask Law to draft an MOU because this type of activity is not covered under the current
agreement.
C) Do nothing. This type of data is not allowed to be shared.
Module 2: Public Health Registries and Vital Statistics
When to use Vital Statistics data:
• Reporting on improvement of birth outcomes.
• Needs assessment and program evaluation.
• Identifying high-risk or special-needs populations.
• Measuring intervention outcomes and securing funding.
• Developing an integrated data system.
Module 2: PII eligible for the Data Exchange Project and How to Submit Project Description
Immunization Data
Permitted uses of immunization data:
1. Assisting providers/social service agencies.
2. Preventing duplicate immunizations.
3. Providing documentation of patient immunization.
4. Helping schools determine student immunization status.
5. Providing third-party payments for immunizations (e.g. MCO).
6. Planning and evaluating public health functions.
HIPAA Covered Records
PHI includes PII coming from HIPAA-covered units:
• Ambulatory Health Services
• Public Health Laboratory
• STD Control Program
• Philadelphia Nursing Home
• Office of Behavioral Health and Intellectual disAbility Services
City HIPAA Privacy and Security Basics training
• https://dbhids.org/hipaa-privacy-and-security-basics-storyline-output/
Types of Personally Identifiable Information Eligible for the Data Exchange Project
Minimum Necessary Standards. Ask yourself:
• Do I need to know this information to do my job?
• Would de-identified data be sufficient?
• Why is this person requesting information?
• How much information do they need?
Questions for Module 2
When a provider requests PII from an HHS agency staff member or office, HHS
agencies must verify that they are requesting only the minimum necessary amount of
information. True or False?
True
False
What Personally Identifiable Information Am I Allowed to Share?
Agencies can share PII for two purposes:
1. Treatment and service planning.
2. Assist disclosing agency with policy, planning, and operations.
What Personally Identifiable Information Am I Allowed to Share?
Identifiable data to not share for treatment and service planning:
• Data from DBHIDS Outreach workers.
Identifiable data to not share for policy, planning, and operations:
• DHS data on households investigated but not receiving services.
• Mental health treatment data.
• HIV-related data.
What Personally Identifiable Information Am I Allowed to Share?
This data may never be shared:
• DHS reporter data.
• Drug and alcohol treatment information.
• Medical records.
• Clinical laboratory records.
Questions for Module 2
Which of the following activities is prohibited?
A) Sharing identifiable CEO tax data for treatment and service planning.
B) Sharing identifiable HIV-related data for treatment and service planning.
C) Sharing de-identified information on active DHS clients for policy, planning, and operations.
D) Sharing identifiable mental health treatment information for policy, planning, and operations.
How Do I Request and Receive Approval From a Sister Agency to Use Their Personally Identifiable Information?
Complete project description form to access PII:
• Summarize agency’s intended use.
• Define staff levels.
How Do I Request and Receive Approval From a Sister Agency to Use Their Personally Identifiable Information?
Executive director of sister agency approves form.
• Review happens within 5 days of submission.
• Contact James Moore for approval if longer.
• James Moore, Director of Data Management Office: [email protected]
Next Steps
• Contact Data Management Office to retrieve data -- Mark van Doren,
• Record retention policy for each agency:
o DHS – 10 years
o PDPH – Medical Examiner’s Office, retained for 20 years.
o OHS – 7 years
o CEO – 7 years
o DBHIDS - 6 years
Project Description Form
The project description form:
I. General Information
II. Data Requested and Purpose for Data Sharing
III. Titles with Access to Data
IV. Cohort, Time Period, and Data Elements
V. Data Security
VI. Signature Certifying Approval
Project Description Form: Section I - General Information
Outline the basic parameters of your request.
Indicate if project is new or recurring.
• If new, delete data after project ends.
• If recurring, can maintain data afterwards.
• But must recertify project description biannually.
Project Description Form: Section I: General Information
• Next: name, title, and contact information.
• Project purpose: who, what, where, when, and why.
• Last: start and end dates for your projects.
Project Description Form: Sections II & III: Data Requested & Purpose for Sharing and Titles with Access to Data
Section II
• Use Section I to guide data selection.
• Must have legally permissible “purpose for requesting the data.”
• Must justify each data set requested.
Project Description Form: Sections II & III: Data Requested & Purpose for Sharing and Titles with Access to Data
Who to contact regarding dataset questions:
CEO – Carolyn Brown, [email protected]
DHS – Liza Rodriguez, [email protected]
OHS – Michele Mangan, [email protected]
PDPH – Raynard Washington, [email protected]
DBHIDS – Daniel Paolini, [email protected]
Who to contact regarding form questions:
DMO – James Moore, [email protected]
Project Description Form: Sections II & III: Data Requested & Purpose for Sharing and Titles with Access to Data
Designate staff levels that will review data:
• First see if form titles parallel agency hierarchy.
• Otherwise, consider titles as staff tiers.
• If category is missing, contact DMO. Mark Van Doren, [email protected]
Project Description Form: Section IV: Cohort, Time Period, & Data Elements
Section IV describes population of interest.
Then select variables to further scope data:
• Client identifiers
• System identifiers
• Demographics
• Client characteristics
• Service detail
• Client contacts, events, and encounters
Project Description Form: Sections V and VI: Data Security, Signature Certifying Data Security Compliance, and Signature Approving Project
Project description form includes two certifications:
• In Section V
o Relevant staff completed this training.
o Relevant staff can properly manage data.
• In Section VI
o Department commissioner will execute the form.
o They agree to comply with data security protocol.
Data Attribute List
Finally, identify the variables you need:
• Define variable via data attribute list.
• For support, contact DMO:
o Mark Van Doren, [email protected]
Questions for Module 2
When completing a project description form, staff are required to do all of the following except:
A) Designate start and end dates for their project.
B) List the Law Department attorney that has reviewed and approved the completed project
description form.
C) Select specific source data like “street outreach” and “lead exposure.”
D) Have their department’s commissioner sign the project description.
Module 3: Administrative and Security Requirements for Protecting PII
Administrative Requirements:
• Adopt security policies and practices.
• Designate privacy and security liaisons.
• Verify employees completed training requirements.
• Report privacy and security incidents.
Module 3: Administrative and Security Requirements
Incident Reporting
Report misuse or theft to supervisor within 24 hours.
“Incident” is any acquisition, access, use, or disclosure of PII not permitted by:
A. The HIPAA Rules or other privacy laws.
B. An applicable MOU with a sister agency.
C. City privacy policies and procedures.
D. Unit-specific privacy policies, procedures, or protocols.
Global HHS Security Safeguards
HHS Security consists of:
• Administrative, physical and technical controls.
These allow agencies to ensure:
• Confidentiality
• Integrity
• Availability
What can you do to ensure PII is safeguarded?
Data Storage Practices:
• Never store confidential data on external devices.
• Never store confidential data on personal devices.
• Avoid storing on City laptops unless necessary.
• If stored on laptop, ensure laptop is encrypted.
What can you do to ensure PII is safeguarded?
Username and Password Practices:
• Follow City-approved password and login policies.
• Use strong passwords.
• Change passwords more frequently than required.
• Never write passwords down.
• Never share usernames or passwords with others.
What can you do to ensure PII is safeguarded?
Workstation and Email Practices:
• Ensure PII files are locked at your workstation.
• Do not install non-HHS agency-approved software.
• Do not open emails from unknown senders.
• Do not attach confidential data to unencrypted emails.
What can you do to ensure PII is safeguarded?
General Practices:
• Know your agency’s security policies.
• This includes incident reporting.
• Know your Information Privacy Officers.
• Ensure identifiable data is accessed for approved purposes.
• Store files on secure servers.
Questions for Module 3
Calvin is working at his desk when he receives an email from his supervisor. His supervisor explains
that she needs to borrow his user name and password briefly to verify an individual’s billing
information and she has forgotten her password. Calvin writes down this information and provides it
to his supervisor. He tells her to shred the paper with this information when finished because he uses
the same password for all his logins, and wouldn’t want this information intercepted.
Has Calvin done anything wrong in this example?
A) No, Calvin is authorized to provide this information to supervisors, just not to other coworkers.
B) Yes, Calvin is not authorized to share his user name and password with anyone.
C) Yes, Calvin should under no circumstances write down user name and password information.
D) Yes, Calvin should use a unique password and should change this password frequently.
E) Answers #2, #3, and #4 are all correct.
Additional Safe Practices - Paper Document Disposal
To dispose of documents containing PII:
• Shred papers immediately.
• Store securely until you can shred papers.
• Most agencies provide secure shred bins.
• If unsure whether shredder is secure, contact your supervisor.
Additional Safe Practices - Printers
Printing confidential information:
• Do not print hard copies unless necessary.
• If necessary, use a secure PIN to print.
• Pick up documents immediately after printing.
Additional Safe Practices - Workstations
Workstation: Desktops
• If you are in a public area:
o Do not store data on your desktop.
• Only store files being “processed.”
• Return files to secure location at end of day.
• Delete remaining copies in non-secure locations.
Workstation: Shoulder Surfing
• Turn monitor away from traffic and sight lines.
• Do not take screenshots.
• Do not photograph your monitor.
• Do not transcribe information unless necessary.
Additional Safe Practices - Secure Emails
Secure Email
• Use encryption when sending PII over email.
• Report emails sent without encryption.
o Must report incident within 24 hours.
• Do not auto-forward emails to avoid breaches.
Additional Safe Practices - Encrypted Emails
How do you send secured emails?
• Add the keywords to subject line
• [Secure Delivery] or [Secure]
• Must be in square brackets
How do you receive encrypted email?
• If your email system is compatible:
o “Secure Delivery” email is same as normal email.
• Only difference:
o Keywords [Secure Delivery] in subject line.
• User can view the message immediately.
• Instructions to send secure emails available:
o www.phila.gov/hhs/
Secure File Transfer Protocol (sFTP) Introduction
Secure File Transfer Protocol (sFTP)
• Data from CARES is transferred securely.
• Method is Secure File Transfer Protocol.
• Transfers data from CARES server to recipient computer.
• Ensures confidential data is kept confidential.
Secure File Transfer Protocol (sFTP) Introduction
Secure File Transfer
• sFTP uses SSH to transfer files.
• Requires login before data can be transferred.
• sFTP solutions allow for remote operations:
o Directory listings, file uploading, file downloading, etc.
• Files automatically delete after 7 days.
Secure File Transfer Protocol (sFTP) Steps
Complete the sFTP Request Form
• Submit a new request form:
o For every new folder accessed.
• Under justification description write that:
o You want to upload, download files and create new folders.
• Include directory address to requested folder.
• Submit a ticket to get access.
• Send request form as attachment.
• Wait for OIT to create your account.
• OIT will send your username and password.
• Log in to sFTP Server.
o https://secure-ftp.phila.gov/EFTClient/Account/Login.htm
• Use username and password sent by OIT.
• What the main screen looks like.
• Arrows point to following buttons:
o File upload
o Folder upload
o New folder
• Click “File Upload” button.
• Browse directory.
• Click file you want to upload.
• Click “Open” button.
• This uploads file to “File Upload” folder.
To upload folder:
• Click “Folder upload” button on main screen.
• Select folder you want to upload.
• Click “OK.”
To download a file:
• Click the folder icon.
• Click file(s) you want to download.
• Click download button.
Module 3 continued: Accessing Requested HIPAA Covered Data Over P3
• P3 allows you to view PII from another agency.
• It’s how you will view requested HIPAA covered data.
Overview of How to Access Requested HIPAA Covered Data Over P3
1. Confirm that you have a city domain.
2. Contact P3 Administrator (DMO).
3. Connect to P3 Server.
4. Request a New Certificate.
5. Open the project data set(s).
1. Confirm that You have a City Domain
• Must have a city domain account.
• If you do not have a CITY domain account:
o Request one from Data Management Office:
▪ James Moore, [email protected] OR
▪ Mark Van Doren, [email protected]
2. Contact P3 Administrator (DMO)
• After project user(s) request a New Certificate:
o Send email to the P3 Administrator, [email protected].
o Include project name in the email.
• P3 admin will create project folder.
• Specified users will receive access to the folder.
• Folder location will be emailed to users.
3. Connect to P3 Server
Remote Desktop Connection.
Step 1. Open Remote Desktop Connection.
• Select Start Button.
• Scroll right and find Windows Accessories.
• Click on Remote Desktop Connection.
Step 2. Connect to server.
• Type: “MDO10VPFILP301”
Step 3. Enter credentials.
• In User Name, type your city account:
o CITY\Firstname.Lastname
• In Password, type city account password.
• Select OK.
• Then select OK again.
4. Request a New P3 Certificate
A certificate confirms that you are you.
• The certificate allows file decryption.
• You only need to request a certificate once.
4. Request a New P3 Certificate
Step 1
Click MMC icon on the desktop.
Module 3: Administrative and Security Requirements
IntroModule
1Module
2Module
3Module
4
Step 2. After the Console opens:
• Go to the menu File.
• Add or Remove Snap Ins.
• Choose Certificates and press Add >.
• Press Ok.
• Then select Finish, and click OK.
4. Request a New P3 Certificate
Module 3: Administrative and Security Requirements
IntroModule
1Module
2Module
3Module
4
Step 3:
• Expand certificates.
• Right click on personal.
• Then All tasks then Request
New Certificates.
4. Request a New P3 Certificate
Module 3: Administrative and Security Requirements
IntroModule
1Module
2Module
3Module
4
Step 4:
• Click Next twice
• Click box that says: P3 Basic EFS.
• Then click Enroll.
• Click Finish.
4. Request a New P3 Certificate
Module 3: Administrative and Security Requirements
IntroModule
1Module
2Module
3Module
4
• Project folder will be created for each project.
• Located on the (E:) drive.
• Contains all applicable project result sets.
• Can open data in Excel or Textpad 8.
• When done:
o Exit the app and disconnect from P3 server.
5. Opening the Project Data Set(s) Associated with a Project
Documentation, Guides and Video Showing How to Use Remote Desktop:
If you need help using Remote Desktop:
• Refer to the HHS Confidentiality Training handbook.
• It provides links to useful resources.
• Resources are broken down by Windows 10, 8.1, 8, and 7.
Faxing Identifiable Information
• Only fax if other mediums fail to meet the needs of immediate client care.
• Include confidentiality notice on cover page.
• Double check/confirm fax number.
• Store fax machines in secure areas.
• Designate someone to distribute incoming faxes.
Verbal Communication
Calls from clients or providers:
• Confirm the identity of the individual speaking.
• Determine whether discussing PII is appropriate.
Leaving messages on an answering machine:
• Do not speak about PII on messages.
Phone Conversations / Meetings:
• Avoid others overhearing confidential information.
• Avoid discussing information in public areas.
• Do not repeatedly use clients’ names.
• When discussing PII in meetings, close the door.
Gossip:
• Gossip can lead to potential lawsuits.
• Never discuss confidential information for non-business reasons.
• Only discuss with employees that “need to know.”
Social Media:
• Never post PII to social media.
Module 3 Question
Confidentiality: Which activity poses the greatest confidentiality risk to HHS agencies?
A) Leaving client files unattended on your desktop;
B) Discussing a client's information outside of your job responsibilities;
C) Speaking loudly on the phone so that others overhear your conversation.
Module 3 Question
Secure Emails: How can HHS agency employees ensure that their emails are delivered securely?
A) Employees need to type [Secure] in the subject line.
B) Employees do not need to do anything differently. All emails are automatically sent securely.
C) Verify with the receiving organization that their email system supports encryption.
D) Call the intended email recipient to verify that the email arrived.
Module 4: Conclusion
• Regulations can be both simple and complex.
• As a general guide, remember to use:
o Common Sense.
o Courtesy and Respect.
Use common sense when viewing and sharing data.
• Think before speaking or before disclosing written information.
• Be mindful of your environment.
• If you think data is confidential, treat it as confidential.
• For questions, contact your Privacy Officer or Liaison.
Courtesy and respect are important.
• Handle data as if it were about you.
• Treat all clients with respect.
• Respect every client's right to confidentiality.
Module 4 Questions
You are responsible for entering critical incidents into the information system for
the Office of Homeless Services (OHS). You receive a report that your friend's son has
entered a homeless shelter. You and your friend, Robert, share many common friends
and you are sure that they do not know about this development. You are sure that
Robert could use some support during this difficult time. Should you:
A) Contact your mutual friends to let them know about the change in their housing
status.
B) Call Robert and ask him to sign an authorization permitting you to disclose the
information to friends.
C) Do not contact your friends. Contact Robert outside of your work but do not
disclose any of the information that you learned.
Module 4 Questions
True or false: if you regularly disclose information about certain diseases to a
government agency that tracks how many people in the city are infected with a
certain disease, an individual has a right to know when you make those disclosures
and who you make them to if they have the disease in question.
True
False
Thank you for taking the City of Philadelphia’s Health
and Human Services Confidentiality Training!