Privacy and Security Basics for CDSME Data Collection. Updated October 2016

Transcription

1 Privacy and Security Basics for CDSME Data Collection Updated October 2016

2 Overview Purpose of the Privacy Act Primary features of the Act Who needs privacy training? Master trainers and lay leaders Program coordinators and data collection/data entry personnel Types of information protected by the Act Disclosure Safeguarding, transporting and disposing of PII Roles and responsibilities Test questions 2

3 Privacy Act of 1974 Protects records that can be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. Created in response to concerns about how the use of computerized databases might impact individuals' privacy rights. Requires government agencies to show individuals any records kept on them Requires agencies to follow "fair information practices" when gathering and handling personal data. Places restrictions on how agencies can share an individual's data with other people and agencies. Lets individuals sue the government for violating of these provisions 3

4 Who Needs To Be Trained? If your work involves the management of sensitive information, Personally Identifiable Information (PII), or protected health information, you need to ensure you are taking precautions to protect it from unauthorized access/disclosure, theft, loss, and improper disposal. 4

5 Who Needs To Be Trained? Anyone involved in the collection, handling and/or data entry of PII on individuals participating in CDSME, including: Managers Coordinators Other employees Master trainers (MTs) Lay leaders (LLs) Volunteers 5

6 What Type of Training is Needed? Training for program coordinators and program implementers The rights of individuals participating in CDSME The appropriate protection of PII shared by CDSME participants at the workshop level The appropriate storage and transfer of participant forms Training for individuals completing data entry and data transfer The appropriate protection of PII shared by CDSME participants at the workshop level The appropriate storage, transfer, and destruction of data forms Security requirements for electronic data transfer, storing, and degaussing (destruction) 6

7 Types of Information Covered by the Privacy Act Sensitive: If the loss of confidentiality, integrity, or availability could be expected to have a serious, severe, or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Protected Health Information: Individually identifiable health information that relates to a person s past/present/future physical/mental health, health care received, or payment. 7

8 Information Protected by the Privacy Act PERSONALLY IDENTIFIABLE INFORMATION (PII) "the term Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual s identity, such as their name, social security number, date and place of birth, mother s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. 8

9 Information Protected by the Privacy Act Personally Identifiable Information (PII) Home address Home telephone number Complete date of birth Personal medical information Social Security Number (including just the last four digits of SSN) Personal/private information (if the information can uniquely identify the individual) Photographs Education records Financial transactions Employment history 9

10 Disclosure No agency or person shall disclose: any record by any means of communication to any person or another agency without a written request or prior written consent of the individual to whom the record pertains Any means of communication includes oral (phone, inperson), written, and electronic ( s, faxes, texts, tweets, pins, etc.) 10

11 Safeguarding PII Must always be treated as FOR OFFICIAL USE ONLY and must be marked accordingly Applies not only to paper records but also includes , faxes, etc., which must contain the cautionary marking FOR OFFICIAL USE ONLY FOUO Should be stored in locked filing cabinets or other secure containers to prevent unauthorized access Electronic records must be password protected and be transferred via encrypted 11

12 Transporting PII Hand carrying Use a cover sheet to shield contents Using mail Use manila or white envelopes Mark the envelope to the attention of the authorized recipient Never indicate on the outer envelope that it contains PII Using Password protect personal data placed on shared drives, the Internet, or the Intranet Use encrypted Do not send PII to a personal, home, or unencrypted address Announce in the opening line of the text (NOT the subject line) that FOUO information is contained 12

13 Disposing of PII A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction. Disposal methods may include: Burning Melting Chemically decomposing Pulping Pulverizing Shredding Mutilating Degaussing (erasing from magnetic field or disc) Deleting/emptying recycle bin 13

14 Your Role and Responsibility Take privacy protection seriously Respect the privacy of others Ensure messages, faxes, and s that contain personal information are properly marked and is encrypted Don t share PII with individuals who are not authorized Have appropriate transfer, storage, and disposal protocols in place for PII Do not PII to personal, home, or unencrypted accounts Read the Group Leader Script to advise all participants of their right to consent or refuse use of data about them 14

15 Your Role and Responsibility All individuals involved in providing CDSME programs must sign Non-Disclosure Agreements All individuals involved in data collection, data transfer, and/or data entry must sign Non-Disclosure Agreements Non-Disclosure Agreements should be maintained for three years after the end of the grant and stored by the grantee or the grantee s designee for data collection/data entry Non-Disclosure Agreements do not contain PII, so they can be faxed, ed, or mailed without encryption or privacy restrictions 15

16 Master Trainer and Lay Leader Role Use the CDSME Program Group Leader Script at a Class Zero pre-session or at the start of Session 1 and with any new participants who start at Session 2 The script explains why participant data is being collected and how it will be kept secure Emphasize that completing the survey is voluntary Individuals may skip any questions they do not want to answer Individuals may choose to not complete the Survey, but they can still participate in the program Store surveys in sealed envelope and mail to the program coordinator 16

17 Program Coordinator/Data Entry Roles Store completed CDSME forms in a secure, locked cabinet when not in use Enter data into secure, password protected database such as the CDSME database Destroy participant data forms after data entry 17

18 Test Questions Circle all correct answers 1. Information about an individual that is unique, or identifies or describes him or her (such as Social Security Number, medical history, date of birth, home address), is called: a. Interesting b. Record c. Data d. Personally Identifiable Information 18

19 Test Questions Circle all correct answers 2. Disposal methods may include all except: a. Burning b. Shredding c. Tearing in half and putting in the garbage can d. Melting 19

20 Test Questions Circle all correct answers 3. The CDSME Group Leader Script: a. Describes what participants will learn in the workshop b. Requests participants to share their birth date, address, and sex c. Explains how participant privacy is protected and why data is being collected d. Emphasizes that participants are required to complete all survey forms 20

21 Test Answer Code 1. d - Personally Identifiable Information 2. c - Tearing in half and putting in the garbage can 3. c - Explains how participant privacy is protected and why data is being collected 21

22 Privacy and Security Basics Live Well, Virginia! for CDSME Data Collection Privacy and Security Basics: Implementation in Virginia Sue Lachenmayr, MPH, CHES

23 Local Training Who needs training? Master Trainers Workshop Leaders Data Collection/Data Entry Personnel Any staff or volunteers with access to PII 23

24 Local Training Staff member/volunteer views this PowerPoint Local Coordinator (LC) reviews forms and data collection procedures with each leader By telephone or in person Staff member/volunteer signs Non- Disclosure Agreement 24

25 Non-Disclosure Agreement Signed by staff/volunteers after training. Acknowledgement that participant information should not be shared with others and should be safeguarded appropriately. 25

26 Training Documentation LC retains Non-Disclosure Agreement signed by each trainee: 3 years after grant ends (End date: July 31, 2021). LC maintains list of staff and volunteers trained in Privacy and Security Basics and procedures. 26

27 Workshop Forms to Be Completed (See also CDSME Workshop Paperwork Flow document) Program Information Cover Sheet Attendance Log Participant Information Survey Stop and Go Cover Sheet Everyone with Diabetes Counts Medical Release Form EDC BEFORE Survey EDC AFTER Survey Virginia CDSME Satisfaction Survey 27

28 Attendance Log Local coordinator provides list of registrants on Attendance Log, using first name and last initial only. If duplicate names (e.g. Barbara T.), use middle initial or differentiate names in another manner. Leaders update log at Sessions One and Two and keep attendance at each session. Attendance Log goes to LC after Session 6. LC adds Participant IDs (from Participant Information Forms) on Attendance Log. 28

29 Program Information Cover Sheet LC completes form before the workshop and provides to leaders with other materials. LC makes 2 extra copies of Page 1 to leaders to mail with completed forms after Sessions One and Two. After Session Six pages 1 and 2 go to LC with packet of completed forms. 29

30 Key Points: CDSME Group Leader Script Is read to the group at the Session 0 or 1 or any participants arriving at Session 2. Tells participants that completing the forms is optional and not required for participation in workshop Participants can decide not to complete any or all parts of survey. Workshop leaders should not push one way or the other. 30

31 Data Collection Procedures (See also CDSME Workshop Paperwork Flow document) At Session One, the Leaders: Start keeping attendance on Attendance Log Read CDSME Program Leader Script to group Distribute and collect: Stop and Go Cover Sheet Participant Information Survey Everyone with Diabetes Counts (EDC) Medical Release Form EDC BEFORE Survey 31

32 Data Collection Procedures After Session 1, Leaders Give or mail one copy of Page 1, Program Information Cover Sheet and completed participant forms to Local Coordinator (LC) at the end of the session. At Session 2, Leaders Repeat these procedures with new participants and mail the forms to the LC. 32

33 Data Collection Procedures At Session 6, Leaders distribute and collect: EDC AFTER Survey CDSME Satisfaction Survey EDC Medical Release Form (offer to any who had not completed previously) 33

34 Data Collection Procedures After Session 6, Leaders hand or mail the following completed forms to LC: Program Information Form Attendance Log EDC AFTER Survey Any additional EDC Medical Releases CDSME Satisfaction Survey 34

35 Data Collection Procedures Local Coordinator Collects forms from Leaders in person or via mail Keeps forms in locked cabinet Enters relevant data in NCOA database (Note: Remember to enter response to Question 1 on Virginia CDSME Satisfaction Survey) Mails complete packets to HQI Health Quality Innovators Attn: Venisha Lambert or Erica Morrison 9830 Mayland Dr., Suite J Richmond, VA Destroys forms after confirmation of NCOA data entry and receipt by HQI. 35

36 Privacy and Security Basics: Implementation in Virginia Questions? Contact April Holmes Coordinator of Prevention Programs Department for Aging and Rehabilitative Services (DARS)