06 Jul Healthcare Providers Should Take Protecting Patient Information Seriously
Medical offices and other healthcare providers that handle protected health information (PHI) are required to comply with various federal statutes, including HIPAA, fraud statutes, and prohibitions against self-referral.
The Office of Inspector General (OIG), which is part of the U.S. Department of Health and Human Services, has identified seven basic elements considered fundamental to any compliance plan. Each element of OIG's "The Seven Fundamental Elements of an Effective Compliance Program" is listed below.
1. Implementing written policies, procedures, and standards of conduct. Having a written plan is a foundational step in any compliance effort. Outline what should happen in the event of a data breach, an intruder, a misplaced laptop, and other scenarios likely for your business. Other potential issues to address include physical building security and how to handle visitors and vendors. Policies and procedures should be reviewed periodically and shared with employees.
2. Designating a compliance officer and compliance committee. Every business that handles PHI should have a compliance officer. Everyone should know who the compliance officer is, and that person should take the responsibility seriously. Fines have been levied against companies without compliance officers.
That person (or, ideally, a group of people) should be responsible for day-to-day security issues. For example, users should log off computers when they leave, even if only for a minute. If patient data is displayed on an unsecured computer where visitors, vendors, or other unauthorized users can access it, that is considered a breach.
3. Conducting effective training and education. Privacy and security issues should be part of new employee training, but smart companies require annual training for all employees on data privacy and security. It might be the same basic information year over year, but the reinforcement is critical to underscore the importance of keeping data safe.
4. Developing effective lines of communication. How does your company communicate security policies? Even in the smallest offices, email security reminders and tips frequently to keep awareness top-of-mind among employees. These emails should come from the compliance officer and include that person's contact information.
5. Conducting internal monitoring and auditing. Enforcing security policies day to day can make you lose sight of the need for longer-term monitoring and auditing, but both are important. Don't overlook the physical security of your computing devices, your network, your firewall, and other computing components. A security system is only as strong as its weakest link, whether that is an employee who leaves a door unlocked or one who clicks a link in an email and releases malware into your computer system.
6. Enforcing standards through well-publicized disciplinary guidelines. A major security lapse or intentional misuse of PHI should be a firing offense. While no one wants to take such drastic action, information privacy and security is that important. Depending on the severity of the infraction, consider a verbal warning for a first offense, a written warning for a second offense, and termination for a further lapse.
7. Responding promptly to detected offenses and undertaking corrective action. While you hope never to have to put a data privacy and security plan into action, you must have one. The OIG looks for dynamic data security plans that get reviewed and tested, not ones that sit on shelves. No company can anticipate every possible data security or privacy event, but proper and continual education goes a long way toward creating a security-first mindset among your employees and managers.