
Beaumont Information

  • Beaumont information includes all information in any form, which is related to the business of Beaumont and is created, acquired, or managed during the normal course of business by, or on behalf of Beaumont.
  • Beaumont information used to support Beaumont business must be properly protected to ensure its confidentiality, integrity and availability. Beaumont information stored on any medium, including paper, film and electronic media, must be managed and protected according to Beaumont policies.

Protected Health Information (PHI)

  • Protected health information (PHI) is defined by the Privacy Regulations of the Health Insurance Portability & Accountability Act (HIPAA) as individually identifiable health information, including:
    • Demographic information that identifies or can be reasonably believed to identify a patient and relates to the past, present, or future physical or mental health condition of a patient
    • The provision of health care to a patient
    • The past, present, or future payment for the provision of health care
    • Social security number is treated as PHI
  • PHI is considered confidential information

When can PHI be Disclosed?

  • Only direct care providers (clinicians) may discuss initial diagnostic results with the patient and/or patient’s next of kin
  • Licensed or registered health care professionals (e.g., physicians, nurses) can share PHI with other individuals if, in the professional’s judgment, it can be reasonably inferred, based on discussions with the patient, that the patient does not object, or unless otherwise directed by the patient or the physician
  • For treatment, payment or health care operations such as quality assurance, medical record review or education efforts
  • All other reasons require the patient’s WRITTEN authorization, unless under an exception
  • 5 exceptions to authorization requirement:
    • Medical emergencies
    • Reporting information on communicable diseases to the Health Department
    • Reporting child / spousal / elder abuse
    • Organ donation activities
    • Disclosures required or allowed by law

What team members need to know

  • Employees must not access patient charts for any reason other than as a function of their job. It is not permissible to look up a co-worker’s address or phone number or check in on a friend or family member. Violation of this policy can result in termination (loss of job).
  • Every employee and physician is responsible for all access activity using their individual account. Everyone is required to log out of OneChart when leaving their workstation or whenever their portable device is out of their sight
  • Employees, physicians and physicians’ office employees are regularly monitored for compliance with HIPAA confidentiality standards
  • Potential breaches could include suspected privacy violations or loss of patient information
  • Report any potential breaches of patient information immediately to: the Compliance Line, the Privacy Officer or the Corporate Compliance Office.

Protecting Patient Financial Data

  • What is Cardholder Data?
    • Primary account number (PAN): 16-digit number on cards
    • Cardholder’s name
    • Expiration date
  • Sensitive Authentication Data:
    • CVV: 3- or 4-digit number on cards
    • Used for validation of online and phone payments
    • Magnetic stripe data
    • Personal Identification number (PIN)

Security of Patient Financial Data

  • Do not use cardholder data without the individual’s consent
  • Terminal displays and receipts can only reveal the first six and last four digits of the 16-digit card number
  • Do not store (paper or electronic) the CVV code or PIN
  • Physically secure all paper (locked storage areas) and electronic media containing cardholder data
  • Cardholder data must be disposed of securely. Disposal methods must ensure the data cannot be easily recovered.
  • Do not send cardholder data through interoffice mail
  • The full 16-digit card number cannot be scanned or sent by e-mail, instant messaging or chat technologies
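The two rules above (show only the first six and last four digits, and never let a full 16-digit card number leave by e-mail or chat) can be enforced in software. The following is an added example, not Beaumont's own code: it masks a PAN for display and scans free text such as an outgoing e-mail body for unmasked card numbers, using the Luhn check digit to tell likely card numbers apart from other 16-digit values. The sample message and the card number in it are constructed (4111 1111 1111 1111 is a widely used test number, not a real account).

```python
"""Added example (not from the Beaumont training page): PAN masking for
receipts/displays and a simple outbound-text check for unmasked card numbers."""
import re

# 16 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a cheap filter that rejects most random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the first six and last four digits, as allowed on terminals and receipts."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) != 16:
        raise ValueError("expected a 16-digit PAN")
    return digits[:6] + "*" * 6 + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid 16-digit sequences found in free text (e-mail, chat, scanned notes)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample message: one test card number and one 16-digit reference that is not a PAN
SAMPLE_MESSAGE = (
    "Patient paid with card 4111 1111 1111 1111, please confirm the balance. "
    "Ref 1234567890123456."
)

if __name__ == "__main__":
    for pan in find_unmasked_pans(SAMPLE_MESSAGE):
        print("unmasked card number found; display form would be", mask_pan(pan))
```

The reference number is also 16 digits but fails the Luhn check, so only the card number is flagged; a production filter would add card-prefix ranges and separator variants, but the structure of the check is the same.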

Examples of data breaches

  • St Vincent Breast Center mails 63K letters to the wrong people
  • Data breach at Community Health Systems exposes data for 4.5M patients
  • Private medical records found at public dumpster in Manchester Twp

Penalties for Breaches

  • Breaches of the HIPAA Privacy and Security Rules have serious ramifications for all involved. In addition to sanctions imposed by Beaumont, such breaches may result in civil and criminal penalties.
  • Statutory and regulatory penalties for breaches may include:
    • Civil penalties: $50,000 per incident, up to $1.5 million per incident per calendar year for violations that are not corrected
    • Criminal penalties: $50,000 to $250,000 in fines and up to 10 years in prison

Patient Rights

  • HIPAA sets forth the following individual rights for patients
    • To receive a copy of Beaumont’s Notice of Privacy Practices
    • To request restrictions and confidential communications of their PHI;
    • To inspect and/or receive an electronic copy of their healthcare records.
    • To request corrections of their healthcare records.
    • To obtain an accounting of disclosures (i.e., a list showing when and with whom their information has been shared)
    • To file a complaint with a healthcare provider and/or the U.S. Government if the patient believes his or her rights have been denied or the PHI is not being protected
    • To receive notice of a breach of their unsecured PHI.

Recordings: Audio, Video, Photo or Other

  • Recordings (photos, video, digital images, audio, etc.) of any patient, workforce member, Beaumont equipment, or Beaumont facility must have the appropriate consent or authorization from the subject or designated Beaumont manager
  • Recordings cannot interfere with the care of any patient.
  • Authorized recordings of a specific patient may not include the images of other patients or communications with or about other patients
  • Any member of Beaumont Health System workforce who observes and believes any recording by a member of the workforce, patient, or visitor to be inappropriate is authorized to stop and question the event or report it to management as soon as possible
  • The confidentiality and privacy of patients, their families and Beaumont's workforce must be protected

Reviewing Family Members’ Medical Records

  • If the family member is a current inpatient, first discuss with the physician of record
  • Medical information (verbal, written, printed or electronic) may be reviewed only with written permission of the patient
  • Complete Beaumont’s Authorization for Release of Patient Medical Information form (obtained from Medical Information Services Department)
  • Authorization is valid for 30 days unless otherwise specified
  • View own medical records after completing Authorization for Release form. Authorization is good for as long as you are employed

Access to Electronic Health Records in Physicians’ Offices

  • Physicians who have a connection to the Hospital electronic health record system in their private offices are fully responsible for the conduct of office staff while accessing the system
  • Physicians are responsible for instructing their staff as to the necessity of maintaining the confidentiality of patient information accessed through the electronic system

Safeguarding Confidential Information

  • Do not post or discuss private patient information in public areas, such as the lobby, elevators or cafeteria
  • Do not leave patient charts unattended where patients / visitors can access
  • Do not remove charts, forms or report sheets with PHI or patient financial information from hospital property
  • ALL types of patient confidential information must be disposed of by shredding or by using the Beaumont confidential recycling process (see Policy #111 Destruction of Records)
  • All Beaumont confidential information (including PHI) must be held in confidence and utilized only for purposes permitted, consistent with applicable law
  • Do not store confidential information on desktop computer hard drives unless required and the hard drive is encrypted. Beaumont confidential information should be stored on Beaumont servers whenever possible.
  • Do not store confidential information on public web storage sites such as Dropbox, Google Drive, Skydrive, Putlocker, iCloud, etc.
  • Do not store confidential information on personal devices (laptops, iPads, thumb drives, smartphones, etc.)
  • All PHI stored or used off the Beaumont network must be encrypted

Understanding Encryption

  • Encryption tools change words & information into numbers or characters that are not understandable and can’t easily be reversed
    • Example: encrypting “Beaumont” with AES-256 gives: U2FsdGVkX18BpBIxSzOjBDusADZJ4ZVZ3Ks7Rw+P4JQ=
  • Encryption tools are typically applied by the IT department or are built into devices or software.
  • Please contact IT if you are unclear how to secure information.
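The string in the example above is worth a closer look, because it shows what an encryption tool actually produces. The following is an added example, not part of the training page: it base64-decodes the page's own ciphertext and shows that it is an envelope of the form used by OpenSSL's password-based `enc` command (an 8-byte `Salted__` header, an 8-byte random salt, then the AES output), that “Beaumont” has become exactly one 16-byte AES block, and that the decoded bytes do not contain the word itself. The function names are this example's own. It does not decrypt anything: without the password there is no key to derive.

```python
"""Added example (not Beaumont's code): inspect the structure of the AES-256
output quoted on the training page without decrypting it."""
import base64

CIPHERTEXT_B64 = "U2FsdGVkX18BpBIxSzOjBDusADZJ4ZVZ3Ks7Rw+P4JQ="  # value quoted on the page
OPENSSL_MAGIC = b"Salted__"   # header written by OpenSSL `enc` when a password-derived key is used
AES_BLOCK = 16                # AES always works on 16-byte blocks, whatever the key size


def parse_salted_envelope(b64: str) -> dict:
    """Split a base64 OpenSSL-style envelope into salt and ciphertext (no decryption)."""
    raw = base64.b64decode(b64)
    if not raw.startswith(OPENSSL_MAGIC):
        raise ValueError("not an OpenSSL salted envelope")
    salt = raw[8:16]            # 8 random bytes; a fresh one per encryption
    body = raw[16:]             # the actual AES output
    if len(body) % AES_BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "salt_hex": salt.hex(),
        "blocks": len(body) // AES_BLOCK,
        "ciphertext_hex": body.hex(),
    }


def looks_like_plaintext(b64: str, word: bytes) -> bool:
    """True if the decoded bytes still contain the plaintext, i.e. only encoding was applied."""
    return word in base64.b64decode(b64)


if __name__ == "__main__":
    info = parse_salted_envelope(CIPHERTEXT_B64)
    print("salt:", info["salt_hex"])
    print("AES blocks:", info["blocks"])          # "Beaumont" (8 bytes) is padded to one block
    print("plaintext visible:", looks_like_plaintext(CIPHERTEXT_B64, b"Beaumont"))
```

Two practical points follow from the structure. The random salt means the same word encrypted twice produces a different string, so you cannot tell what a file contains by comparing ciphertexts. And base64 on its own is only an encoding: if `looks_like_plaintext` ever returns True for something you were told was encrypted, it was not.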

How do I know if it is encrypted?

  • Use only Beaumont-approved devices. If you are unsure – ask: Information.Security@Beaumont.edu
  • USB Encryption
    • USB drives should be used to transport data, not to store data. If your department manager approves the use of a USB drive for business purposes, the only device allowed at Beaumont is a Beaumont-issued IronKey USB drive. Please contact Information Security to request one. All other exceptions need explicit approval from the Information Security team.
  • Laptop Computer Encryption
    • All new Beaumont laptops have full disk encryption installed by IT. If you do not need to store PHI on a portable device or laptop then do not. If you need to, then store only the minimal information for the minimum amount of time.
  • iPad Encryption
    • Do not store PHI on an iPhone or iPad. If accessing PHI from one of these devices, make sure a PIN is set to unlock the device, which invokes encryption.

Emailing Confidential Information Securely

  • All email sent from a Beaumont email address to a Beaumont email address is secure
  • If you need to send confidential data outside Beaumont, there are 2 secure options:
    • Use Outlook for standard email messages and attachments (using the instructions at the link below)
    • Use SecureFile for email with large file attachments
  • Instructions for both can be found on Inside Beaumont Online
    • http://employee.beaumont.edu/portal/pls/portal/ip30dev.page_pkg.page?xid=it_ftp

Top 10 Information Security Tips

  1. Do not share Passwords with ANYONE, not even the help desk
    • They provide accountability
    • You could be blamed for someone else’s actions
    • No one knows your password except you (stored encrypted)
    • No one should EVER ask you for your password
    • Protect mobile devices and passwords even more
  2. Lock your PC screen EVERY time you leave your PC
    • On a PC with a badge reader and single sign-on, press
    • On a standard PC, press and choose “Lock this Computer”
    • Shortcut: + L
    • If it’s a shared PC and others need to login, then logoff when you step away
  3. Only access information required to perform your job
    • IT tracks every patient record viewed in Epic (FairWarning Tool)
    • IT has visibility to every web site you visit
    • Where there is unauthorized or inappropriate access, disciplinary action may be taken
  4. Do NOT email work information to your home email address
    • Most public email accounts are not encrypted
    • It’s common for hackers to compromise public email accounts
    • Emails sent in clear text are relatively easy to intercept
    • If you need to take work home without a laptop, use an IronKey device or email it to your Beaumont email and use Outlook Web Access from home
  5. Secure confidential data sent outside of Beaumont
    • Secure Email via Outlook
    • SecureFile
  6. Faxing
    • Still considered secure per government regulations
    • If faxing PHI, ensure recipient is aware it’s coming
    • If faxing confidential information, confirm receipt by the intended recipient
  7. Do not click on hyperlinks in email messages
    • Malicious software is most commonly spread using email links
    • It’s easy to re-direct a link to another site without the user knowing it
    • The most secure practice is to copy and paste the URL into your browser or ask Information Security whether it is safe
  8. Do not install software on Beaumont devices
    • The PC is not yours – it belongs to Beaumont
    • Beaumont IT is accountable for keeping the environment functioning. Nonstandard software makes it very difficult to protect the environment and troubleshoot PC issues
    • You could easily violate software licenses, even if it’s freeware or shareware (most freeware/shareware do not let you use them in companies)
  9. Store patient information on Beaumont systems
    • Not on personal smartphones or tablets
    • Not on personal PCs (do not synchronize Outlook to a personal PC)
    • Not on web storage sites like Dropbox, Google Drive or Skydrive
    • If you lose a smartphone or tablet that is synchronizing Beaumont email, notify the IT help desk immediately! We can erase the data.
  10. Contact the Information Security team at information.security@beaumont.edu for:
    • Security Questions or Concerns
    • Projects involving new vendor software, hardware, or Biomedical equipment (to evaluate the security of the device)
    • Projects involving sharing Beaumont data with external parties (to evaluate the 3rd party’s safeguarding practices and contract provisions)
    • Report lost or stolen devices, or unauthorized access to information immediately: IT Service Desk: 248-597-2727
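Tip 7 above says a link can be redirected without the user knowing; the usual form is an anchor whose visible text looks like a trusted address while its `href` points elsewhere. The following added example (not Beaumont's code) shows how a mail filter or a security analyst can check for that mismatch: it extracts every link from an HTML message body and reports those whose displayed text names a different host than the real destination. The sample message is constructed and all domains are `example.com`/`example.net` placeholders.

```python
"""Added example (not from the training page): report e-mail links whose visible
text names one host while the href goes to another."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL-like string; '' when the text is ordinary words, not an address."""
    s = s.strip()
    if " " in s or "." not in s:
        return ""
    if "://" not in s:
        s = "http://" + s            # visible text often omits the scheme
    return (urlparse(s).hostname or "").lower()


def suspicious_links(html: str) -> list[dict]:
    """Links whose displayed address and real destination disagree on the host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host, text_host = host_of(href), host_of(text)
        if not text_host or text_host == href_host:
            continue                  # word links ("click here") or matching hosts: nothing to compare
        findings.append({
            "text": text,
            "href": href,
            "reason": f"text shows {text_host} but the link goes to {href_host}",
        })
    return findings


# Constructed sample e-mail body (placeholder domains)
SAMPLE_EMAIL = """
<p>Your mailbox is full. <a href="http://login-example.net/x">https://mail.example.com/owa</a></p>
<p>Policy update: <a href="https://intranet.example.com/policy">intranet.example.com/policy</a></p>
<p><a href="https://example.com/help">click here</a> for help.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["reason"])
```

Only the first link is reported: the second shows and goes to the same host, and the third displays plain words, which is exactly the case where the tip's advice (copy the real address into the browser, or ask Information Security) is the check a person can still do by hand.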

Reminder

  • Physicians and employees may not access patient charts for any reason other than as a function of their job. It is not permissible to look up an individual’s address or phone number or check in on a friend or family member. Violation can result in removal from the Medical Staff or termination of employment.
  • Employees, physicians and physicians’ office employees are regularly monitored for compliance with HIPAA confidentiality standards.

Questions about these policies may be directed to the:

  • Privacy Officer: (248) 551-5006
  • Information Security: information.security@beaumont.edu
  • Corporate Compliance Office: (248) 551-0224
  • Please review the Corporate Compliance website for ongoing communications.

Copyright © 2016 Beaumont Health System. All Rights Reserved.