We’re All Human
While encrypting data and ensuring you have backups both go a long way towards achieving HIPAA compliance, they are not the be-all and end-all of security. A dishonest person within an organization – or more commonly a negligent one – could still cause a HIPAA violation resulting in a huge financial liability. The Department of Health and Human Services (HHS) reports that the majority of breaches are the result of a theft or a negligent act by an employee. (Read the full report here.)
Verizon’s 2014 Data Breach Investigations Report attributed 46% of breaches in the healthcare industry to loss or theft of an information asset. It was the single highest cause of breaches. The second highest reported cause was insider misuse, which accounted for 15% of all breaches in healthcare. Finally, the Verizon report said that the most common location of a theft or loss was the workplace.
Verizon and the HHS are not the only ones that have identified this trend. Darren Dworkin, Chief Information Officer for Cedars-Sinai Health System in Los Angeles, attributed 83.2% of their breaches in 2013 to theft. (See report here.)
Comprehensive HIPAA compliance means protecting nonpublic personal information not only from outside theft, but also from theft and misuse within your organization. This key factor is often overlooked, and it can cause loss of customer faith and significant financial losses when a breach occurs.
What Does This Mean for Your Organization?
Organizations subject to HIPAA need to ensure they have trustworthy people working for them who are properly trained on security protocols. We’ve put together 3 steps to guide you in making the best decisions to reduce the probability of human error.
Step 1: Hire an Internal Compliance/Security Manager
A good first step is finding and hiring a compliance/security manager to maintain your HIPAA compliance program. This person will be responsible for ensuring that your policies and procedures are up to date and satisfy the requirements of the regulation. Furthermore, they will be responsible for training and evaluating your other employees for compliance. It is crucial you have a dependable and committed employee in this position. Without a competent manager overseeing the program, your compliance plan will never work as intended.
Your staff should also subscribe to industry newsletters and frequently check with the HHS for the latest information regarding HIPAA. Attending one of the several HIPAA security and compliance conferences hosted each year is another great way to stay on top of the latest regulatory changes as well as network with other compliance managers.
Additionally, all potential employees should be properly vetted via background checks and a comprehensive interview process. Once hired, employees should receive thorough and ongoing training on all aspects of your organization’s compliance program, especially if they will be handling PHI (protected health information) in any way.
Step 2: Implement Regular HIPAA Training & Awareness
HIPAA refresher training should be conducted organization-wide once per year at a minimum, and updated as needed by compliance staff. As technologies and the regulatory environment change, additional training and awareness efforts may be necessary to keep your people up to date and on track.
Just as a bad employee can create potential hazards, a well-trained and trustworthy employee can be your biggest security asset. Vigilant and dedicated team members are your first and best line of defense. They can proactively protect your organization from breaches and other compromising situations.
Although it is a less frequently discussed requirement of HIPAA, security and awareness training is vital. Many people tend to gloss over this requirement because it seems simple when compared to things like encryption and audits. However, finding good people and properly training them is one of the most important steps an organization can take towards creating a secure environment. At the end of the day, your security solution is only as good as the people you have maintaining it.
Step 3: Check In Often
Maintaining compliance is an ongoing effort. Having an open channel of communication between your compliance manager and key personnel from each department is crucial to the success of any compliance program. The compliance manager needs to be aware of any potential changes to internal policies and procedures as well as any new contracts with vendors or clients.
Compliance personnel should work closely with human resources to ensure employees are properly trained on all HIPAA standards. Additionally, the compliance manager should meet regularly with the CEO to discuss compliance objectives and how they fit in with both short- and long-range planning. Cooperation and frequent communication at all levels of an organization are necessary to maintain secure and compliant business operations.
Getting Your Organization Started
The human element of HIPAA compliance is a vital part of an overall effort made by your organization to secure PHI. When your employees work in tandem with your HIPAA compliance manager and organization security plan, you can have confidence in the protection you are providing clients.