An employee's honest mistake can expose a patient's protected health information, costing a provider - and its patients - millions of dollars.
That means providers must act now to decrease the chances that employees will inadvertently (or maliciously) disclose patients' confidential information. Providers should use this expert advice to guide their security programs and keep their patients' PHI out of unauthorized users' hands - or they could find themselves in violation of the Health Insurance Portability and Accountability Act.
Before employees can be trusted to protect patients' sensitive health information, a provider must make them aware of current security measures and how to use them, says Frank Ruelas, compliance officer at Gila River Health Care Corporation in Sacaton, AZ.
"You need to develop a sound employee education program that includes security reminders so that people are aware of their responsibility to protect the integrity of data," notes Chris Apgar, health care consultant and president of Portland, OR's Apgar & Associates.
What to do: A security awareness and education campaign can consist of daily or weekly e-mail reminders, security seminars or bulletin-board displays that focus on what employees can do to protect patients' privacy. "Your employees need to know and understand your sanctions policy," Apgar says. That way, they will be careful to avoid inappropriately releasing patient information or damaging patient files, he adds.
No matter how stringent a provider's security measures are, mistakes happen. But an error doesn't have to lead to a security or privacy violation. That's where a provider's auditing and monitoring procedures come in.
"You have to go through your system and applications to figure out which audit capabilities will give you the best information about what activity is occurring around your PHI," Apgar explains. That way, providers can see exactly how their employees are viewing or accessing patient information, he says.
Next step: Once a provider sets up its audit controls, it has to monitor the data those controls log. By reviewing that activity, a provider can not only pinpoint malicious activity but also spot larger trends that might be indicative of a department's training needs or an employee's misinterpretation of his job function.
Try this: Develop a routine process for spot-checking each employee - and make sure these checks show enough activity to determine whether the staff member is performing his job correctly.
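The audit-review steps above (collect access logs, look for out-of-role access, read the per-department trend, and spot-check individual employees with enough events to judge) can be worked through on a small constructed log. The following is an added example, not code from the article or from any product it mentions; the six-field log format, the department assignments and the sample events are all constructed for illustration.

```python
"""Added example (not from the article): review a constructed EHR access audit log.

Assumed (constructed) log line format:
  <ISO timestamp> <user> <user_department> <patient_id> <patient_department> <action>
"""
from collections import Counter
import random

# Constructed sample audit log; not real patient or employee data.
SAMPLE_LOG = """\
2024-03-04T08:02:11 jdoe cardiology P1001 cardiology view
2024-03-04T08:15:43 jdoe cardiology P1002 cardiology update
2024-03-04T09:01:05 jdoe cardiology P2003 oncology view
2024-03-04T09:30:22 asmith oncology P2003 oncology view
2024-03-04T10:12:09 asmith oncology P2004 oncology view
2024-03-04T10:40:00 asmith oncology P2005 oncology update
2024-03-04T11:05:18 asmith oncology P1001 cardiology view
2024-03-04T11:06:02 asmith oncology P1002 cardiology view
2024-03-04T12:00:00 bjones billing P1001 cardiology view
"""

# Constructed access policy: which department's records each user may touch.
ALLOWED_DEPARTMENTS = {
    "jdoe": {"cardiology"},
    "asmith": {"oncology"},
    "bjones": {"cardiology", "oncology"},  # billing legitimately sees both
}


def parse_audit_log(text):
    """Parse the constructed log format into a list of dicts; reject malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, user_dept, patient_id, patient_dept, action = parts
        records.append({"ts": ts, "user": user, "user_dept": user_dept,
                        "patient_id": patient_id, "patient_dept": patient_dept,
                        "action": action})
    return records


def flag_out_of_department(records, allowed):
    """Return accesses to records of a department the user is not assigned to."""
    flagged = []
    for r in records:
        permitted = allowed.get(r["user"], set())
        if r["patient_dept"] not in permitted:
            flagged.append(r)
    return flagged


def department_trend(records, allowed):
    """Count out-of-department accesses per user department.

    Many hits from one department suggest a training gap or a misunderstood
    job function rather than a single bad actor.
    """
    counts = Counter()
    for r in flag_out_of_department(records, allowed):
        counts[r["user_dept"]] += 1
    return counts


def spot_check(records, user, sample_size, seed=0):
    """Pick a deterministic sample of one user's events for manual review.

    Returns (sample, enough); enough is False when the user has fewer events
    than sample_size, i.e. too little activity to judge the employee's work.
    """
    own = [r for r in records if r["user"] == user]
    if len(own) < sample_size:
        return own, False
    return random.Random(seed).sample(own, sample_size), True


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for r in flag_out_of_department(recs, ALLOWED_DEPARTMENTS):
        print("out-of-department access:", r["ts"], r["user"], r["patient_id"])
    print("trend by department:", dict(department_trend(recs, ALLOWED_DEPARTMENTS)))
    for user in ALLOWED_DEPARTMENTS:
        sample, enough = spot_check(recs, user, 3)
        print(user, "sampled", len(sample), "events;", "enough" if enough else "too few to judge")
```

Run as a script it lists the three out-of-department accesses, shows that the oncology department accounts for two of them (the kind of trend the article says may point to a training need), and reports that bjones has too little activity to spot-check properly. The seed makes each spot-check reproducible so a reviewer can re-run and get the same sample.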