[ Wednesday, May 18, 2005 ]
More common sense Security ideas:
Recent events in Cleveland and Silicon Valley show that innocent or not-so-innocent mistakes, accidents, and vindictive acts can result in big HIPAA problems for you, not to mention big PR problems. A covered entity's weakest link is likely a low-level employee with access to PHI. How do you keep them from breaching HIPAA for you?
Education is the key. Education at employment, regular education events during the year, and easy day-by-day reminders all are important. If you've had posters and signs up imploring your staff to maintain privacy and security for more than a few months, change them. Put reminders on your log-in screens so every day is a new reminder. Focus on one aspect of privacy or security for each month: password protection one month, file maintenance issues the next, computer virus protection the next.
Punish wrongdoers. You don't have to be draconian, but sometimes it helps to outline the importance of HIPAA to the rest of the staff when one member can serve as an "object lesson" to the rest. And remember, it is as important that your staff think you are reviewing what they are doing as that you are actually doing so. Here's a gross example: ever see anyone sitting in their car picking their nose? They wouldn't pick if they were sitting in a restaurant or on a park bench, but the feeling of seclusion when you are in a car allows people to do things they wouldn't do if they knew they were observable. Make sure your employees think you are checking up on them.
Which leads me to the issue of audits. The best way to find where your problems are is to look for them. While you don't want your staff to think you are Big Brother watching them, you do want them to know they are being watched. And if the watching is to look out for general problems and not to blame individuals, you can get compliance without harming employee morale. Also, audits will certainly give you clues of any bad employees you might actually have.
Finally, keep an eye on disgruntled employees, and keep an eye on employees who you think might have access to individual social security numbers and who you think might use or sell that information. Disgruntled employees can cause you the biggest HIPAA headaches, since they can disclose or damage PHI or your ability to operate, but you're much more likely to have problems (at least, that's what I'm hearing about, though it's not in the news) when a low-paid desk staffer copies down a few social security numbers and mothers' maiden names and applies for a few credit cards. Remember the words of the famous bank robber: they'll steal the social security numbers rather than the rest of the PHI because "that's where the money is."
Jeff [11:16 AM]