Information Privacy and Security Essentials for COVID‐19 Vaccine Clinic Volunteers

Thank you for volunteering to help support OHSU’s critical efforts to provide COVID‐19 vaccinations to Oregonians as quickly and safely as possible. As an OHSU volunteer in the OHSU COVID‐19 vaccine clinics, you are responsible for protecting the privacy and security of each individual’s information. The OHSU Information Privacy and Security Office created this training document to highlight key reminders and help you understand your responsibilities to protect OHSU Restricted Information.

Protecting Restricted Information

As OHSU volunteers, you have a duty to protect OHSU’s “Restricted Information.” Restricted Information includes confidential information such as a patient’s Protected Health Information (PHI) and any personally identifiable information (PII). Failing to protect PHI or PII could result in a breach that is reportable to state and federal regulators. In rare incidents involving harmful intent or intent to profit, a regulator may pursue penalties against an individual. Use the following important reminders to help ensure that you protect OHSU Restricted Information:

• Do not take pictures. Do not take pictures while volunteering at the clinics, as you could inadvertently capture PHI or PII (including computer screens, paperwork, etc.). Restricted Information includes pictures that could lead someone to identify the person receiving the vaccine (e.g. facial photos, identifying tattoos, a license plate, etc.).

• Do not post on social media (Facebook, Snapchat, Instagram, Twitter, etc.). Do not post any Restricted Information on social media sites or apps. You may see a friend, neighbor, family member or public figure getting vaccinated – do not post about it online.

• Do not share information about vaccine recipients you see at the clinics with others who do not need to know. If you recognize someone getting vaccinated, such as your friend, neighbor, family member, or a public figure, do not share that information with other people unless they are also part of OHSU and need to know the information. Do not share Restricted Information with your partner, spouse or family members.

• Properly dispose of paper documents. If you have Restricted Information in paper or printed form, check with a supervisor or lead to determine how to appropriately store or dispose of it. Never place it into the general trash (it must be securely destroyed).

• Minimize potential disclosures: When onsite at the clinics, use a lowered voice to share Restricted Information and use the minimum identifiers required. Ensure that any computer screens containing Restricted Information are facing away from the public and any papers are secured and turned face down when not in use.

Protecting Electronic Health Record (EHR) Information

Your role at the COVID‐19 vaccine clinic may require you to access PHI in electronic health record (EHR) systems, such as Epic. You may only access the information and records within the EHR that you need for your current role in the COVID‐19 vaccine clinic. Do not look up records of any family members, friends, public figures, or even your children unless you are doing so as part of your role at the clinic.

Curiosity, even if it comes from a place of compassion — such as wanting to know how someone is doing after they receive the vaccine — is also never an appropriate reason to access their information.

The Information Privacy and Security Office monitors Epic closely for inappropriate access activity. If you are unsure whether you may access a record as part of your role, speak with a clinic lead or supervisor first.

Ensure that you are only using Epic under your own OHSU login credentials and do not allow anyone to use Epic under your login. Never share your OHSU password. Ensure you are logging out or appropriately securing the computer when you step away, even if only for a minute.

Incident reporting and non‐retaliation policy

If you see something, it is your duty to say something — even if you aren’t sure whether it is really an information privacy and security incident. The Information Privacy and Security Office is here to support you and is your primary resource for questions about your information privacy and security responsibilities. Self‐reporting is also expected and encouraged.

Report every potential incident promptly, but no later than 24 hours after learning about it. The sooner you notify the Information Privacy and Security Office, the sooner we can take steps to limit the impact of an incident.

Report incidents to the Information Privacy and Security Office at 503‐494‐0219. You may also report online through the OHSU Integrity Hotline at www.ohsu.edu/hotline. To report anonymously, call 1‐877‐733‐8313 or visit www.ohsu.edu/hotline.

Information privacy and security incidents include, but are not limited to: lost/misplaced paper PHI, inappropriate access to health records, inappropriate disclosures (including on social media or to others not involved in the clinic) and lost/stolen electronic devices containing Restricted Information.

Important: OHSU policy prohibits retaliation for reporting information privacy and security incidents. If you feel you have experienced retaliation for reporting an incident, contact our office at 503‐494‐0219 or at the hotlines listed above.
