[ Wednesday, June 01, 2005 ]
Some quick points:- When you dispose of old computers, or any equipment that might contain a memory with information that could possibly be PHI (fax machines with built-in memory; medical equipment with memory storage), make sure you clear out that memory and "shred" the information electronically. There are software programs to do this on computers, and the equipment vendors ought to be able to tell you how to get rid of the information in memory. And make sure you don't just delete it; usually, that doesn't actually take the information away, it just makes it possible to over-write it. Sometimes, you just have to remove the hard drive and smash it. The state of Montana is discovering this problem the hard way; they got rid of old state computers, but didn't delete the social security numbers and other information on them.
- Everyone's abuzz about encryption of email transmissions, but I'm much more worried about encryption of data at rest. Especially if it's on a laptop computer (although recent events in San Jose show that even data on desktop computers might be at risk). And especially if you're in California. According to this story, an employee of a state data services contractor had a laptop stolen from his car trunk; the laptop contained information about Medi-Cal recipients, including social security numbers.
- How often do you re-train or test your employees' knowledge of your privacy and security policies and procedures, and how to you check to make sure they keep up their focus on privacy and security and keep on the lookout for problems? HIPAA Wire has three good suggestions: (i) Weekly or daily walkthroughs by the Privacy and/or Security officer. If you find problems, corral the appropriate staff and discuss the problem and the solution(s) then and there. Be constructive, but firm if it's a stupid mistake or repeat violation. (ii) Planned evaluations of staff; that way they don't think you're spying on them, and it also keeps them focused regularly in case you forget to check up on things yourself. (iii) Pop quizes. Occasionally, even if you do planned evaluations, you need to check up on things. Feel free to mix and match, too.
Jeff [11:52 AM]
Comments:
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template
And good points they are, too. To number 3 I might add a suggestion: KISS. By making certain that your policies have a common sense feel to them, and your procedures are practical rather than obstructive, you will make helping your staff remember to follow them much easier. Look to procedure simplification--- generally speaking, if a security measure requires more than one or two extra steps, the end user will either forget to use it, or find a way to circumvent it. And in either case, the user will resent it.
Post a Comment
