Health Information Compliance Alert

Security Compliance:

Audit Your Employees' Activities in 3 Easy Steps

Follow these guidelines to evaluate your staffers' suspicious behavior

If you think your greatest risk of a privacy or security breach is on the outside of your organization, you could be leaving your patients' PHI vulnerable to your employees' criminal intentions.

As demonstrated by recent incidents in Chicago and San Jose, medical staff members' noncompliant, criminal behavior can make headline news.

You cannot wait for a major breach to uncover your personnel's malicious activity. Rather, use this simple step-by-step guidance to develop an audit control process that will spot illegal behavior before it ruins your compliance effort.

STEP 1:  DEFINE STANDARD OPERATIONS

Before you can evaluate your employees' behaviors, you must define what's normal by figuring out exactly how you operate, says Matt Johnson, a HIPAA security consultant for AltaPacific Technology Group in Fresno, CA.

For example, you must know how information flows into, through and out of your office; when and to whom you will send e-mail attachments; and what behavior will be normal for each type of PHI-accessing employee - clinical, technical and administrative.

STEP 2:  DETERMINE ABNORMAL BEHAVIORS

After you've thoroughly defined your standard operations, you can pin down the types of behavior that you'll consider anomalous.

Example: You may decide that no clinical employees will e-mail attachments or that technical staff should not access patients' billing information without permission.

Next: Set up your audit controls to recognize those anomalies and notify you when they occur. "Most practice management applications have the built-in ability to log and record this information," Johnson says. But you must ensure you turn on each of these controls, he stresses.

If your system does not allow you  to record your workforce members' actions, you can either consult with your vendor to find out what options it offers for an upgrade to a more capable system, or work with your technical administrator to develop an in-house recording system.

STEP 3:  CONSIDER RANDOM VERSUS SPECIFIC AUDITS

A policy that warns your personnel that you will audit their activities on a random basis could be the perfect deterrent to malicious behavior, experts note.

However, that practice doesn't allow your employees to develop trust in and loyalty to your organization, stresses Greg Young, information security officer for Mammoth Hospital in Mammoth Lake, CA.

"We prefer to act on suspicions because it allows us to be more specific with our audits," Young explains. Those suspicions can arise from your audit control notification system or from noncompliant behavior that comes to your attention on a day-to-day basis.

Problem: It can be difficult to watch all your employees all the time. Solution: Encourage your staff members to report any behavior or actions they find questionable.

Good idea: Establish an anonymous telephone hotline or e-mail account that your staffers can use to contact you without fear of coworkers' disapproval. This could also alleviate their worry that management will rope them into an investigation, Young recommends.

Many of your employees' activities are better suited to random audits, notes William Hubbartt, health care consultant in St. Charles, IL and author of "The HIPAA Security Rule - A Guide for Employers and Health Care Providers."

Example: Your technical staff is tasked with destroying all media that is no longer being used, such as floppy disks, on a bi-monthly basis. Rather than waiting for a problem with the destruction process to show up - think records surfacing in a dumpster - you may decide to randomly audit the process every three or six months.

THE BOTTOM LINE

No matter how you set up your audit process, you must explain to your staff members what you expect from them - and what sanctions you'll apply if they violate your policies and procedures, Johnson stresses. Discuss the audit process and its consequences in your training sessions and in any employee handbook.

By stressing your organizations' commitment to intense scrutiny of suspicious activity, you'll likely reduce the possibility that employees will violate your policies and procedures, Young points out.