The Health and Human Services’ Office of Civil Rights (OCR) has handed out over $5 million in HIPAA fines in the past 2 weeks. OCR has also stated that more HIPAA enforcement is coming. So now is a very good time to think about how you can avoid regulatory penalties and even more importantly, how you can avoid the expense and embarrassment of patient data breaches.
Many health organizations do not have the in-house expertise to really ensure that data security and HIPAA compliance are a priority. A lot of these organizations do not have an information officer, a compliance officer, or even a full-time employee who is responsible for patient data security. So what can these organizations do to ensure that they protect patient data? They can mobilize their employees and recruit them to help ensure the security of patient data.
I know what you are thinking: “yeah right, that will never work.” The way most organizations are set up, I would agree with your negativity. Employees look at security as something that is a pain in the butt or, even worse, something that is potentially a threat to them. Think about it: many organizations restrict Internet access, monitor email communications, and even record phone conversations. Many employees feel they are in jail, and it is hard to blame them.
Now don’t get me wrong, I am not saying that restricting Internet access is bad or that monitoring email communications is wrong. In many cases there is real abuse of the Internet. Opening up the Internet can introduce many problems, including viruses, information leaks through social networks, and lost productivity. Retaining email communications, especially communications with patients, is a real need. So although the organization understands why the restrictions and monitoring are in place, many times employees don’t. This leads to a very negative view of security and security measures.
So what is an organization to do? One method is to take a completely different approach. The first step would be to train all your employees. Education is a powerful force. Take the time and effort to make sure every employee understands the importance of protecting patient data. Make sure they understand the HIPAA rules and regulations. Once they understand why there is a need for security and why procedures are in place, recruit them to help protect patient data. Ask for their input on the best methods of implementing the procedures. Ask them how they think they can stop patients from viewing data on an unattended screen. Make them aware of the dangers of portable devices. Ask them for feedback on where they see potential dangers in using portable devices. Take their feedback and incorporate it into the daily workflow. Have your employees help implement procedures that make security a priority but do not hinder their ability to perform their jobs.
Employees are an organization’s greatest asset. Channel their abilities and recruit them to help protect patient data and comply with HIPAA regulations. The first step is to educate them so they understand the need for security and the HIPAA requirements. Then incorporate their feedback into the daily workflow. You may be very surprised with the results.