HIPAA Blog

[ Wednesday, August 10, 2005 ]

 

From an email I got yesterday from Hospital Compliance Wire:

"If you think your greatest risk of a privacy or security breach is on the outside of your organization, you could be leaving your patients' PHI vulnerable to your employees' criminal intentions.

As demonstrated by recent incidents in Chicago and San Jose, medical staff members' noncompliant, criminal behavior can make headline news.

You cannot wait for a major breach to uncover your personnel's malicious activity. Rather, use this simple step-by-step guidance to develop an audit control process that will spot illegal behavior before it ruins your compliance effort.

Step 1: Define Standard Operations
Before you can evaluate your employees' behaviors, you must define what's normal by figuring out exactly how you operate, says Matt Johnson, a HIPAA security consultant for AltaPacific Technology Group in Fresno, CA.

For example, you must know how information flows into, through and out of your office; when and to whom you will send e-mail attachments; and what behavior will be normal for each type of PHI-accessing employee -- clinical, technical and administrative.

Step 2: Determine Abnormal Behaviors
After you've thoroughly defined your standard operations, you can pin down the types of behavior that you'll consider anomalous.

Example: You may decide that no clinical employees will e-mail attachments or that technical staff should not access patients' billing information without permission.

Next: Set up your audit controls to recognize those anomalies and notify you when they occur. "Most practice management applications have the built-in ability to log and record this information," Johnson says. But you must ensure you turn on each of these controls, he stresses.

If your system does not allow you to record your workforce members' actions, you can either consult with your vendor to find out what options it offers for an upgrade to a more capable system, or work with your technical administrator to develop an in-house recording system.

Step 3: Consider Random Versus Specific Audits
A policy that warns your personnel that you will audit their activities on a random basis could be the perfect deterrent to malicious behavior, experts note.

However, that practice doesn't allow your employees to develop trust in and loyalty to your organization, stresses Greg Young, information security officer for Mammoth Hospital in Mammoth Lake, CA.

"We prefer to act on suspicions because it allows us to be more specific with our audits," Young explains. Those suspicions can arise from your audit control notification system or from noncompliant behavior that comes to your attention on a day-to-day basis.

Problem: It can be difficult to watch all your employees all the time. Solution: Encourage your staff members to report any behavior or actions they find questionable.

Good idea: Establish an anonymous telephone hotline or e-mail account that your staffers can use to contact you without fear of coworkers' disapproval. This could also alleviate their worry that management will rope them into an investigation, Young recommends.

Many of your employees' activities are better suited to random audits, notes William Hubbartt, health care consultant in St. Charles, IL and author of "The HIPAA Security Rule -- A Guide for Employers and Health Care Providers."

Example: Your technical staff is tasked with destroying all media that is no longer being used, such as floppy disks, on a bi-monthly basis. Rather than waiting for a problem with the destruction process to show up -- think records surfacing in a dumpster -- you may decide to randomly audit the process every three or six months.

The Bottom Line: No matter how you set up your audit process, you must explain to your staff members what you expect from them -- and what sanctions you'll apply if they violate your policies and procedures, Johnson stresses. Discuss the audit process and its consequences in your training sessions and in any employee handbook.

By stressing your organizations' commitment to intense scrutiny of suspicious activity, you'll likely reduce the possibility that employees will violate your policies and procedures, Young points out."

Generally good advice from these folks.

Jeff [11:50 AM]

Comments:
Good stuff, Jeff--
I have been talking about how most risk comes from the inside 'til I am blue in the face. As I wrote a while back at my blog (shameless, I know)---
"Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here--- 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies, and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to, or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems most likely to me."
Of course, the big money is spent on external threat, 'cause that's where the glamor is, but you are 100 times more likely to suffer data theft from the pizza delivery guy picking up an unsecured disk from someone's desk because it looks like it might be a pirated copy of Doom III.
 
Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template