Your Employees Are the Key to Meeting HIPAA Guidelines
It is claimed that certain historical defensive structures, such as The Great Wall of China, are so well designed that they have never been physically breached and have only failed their mission when bribery was employed. This shows that even the best security designs are still vulnerable to human failings, whether due to error or character defect.
A poor physical infrastructure can be made to work if your people are vigilant and well trained. A great physical infrastructure can fail if your people are untrustworthy or careless. Ideally, you want both good physical infrastructure and good employees, but never forget that good employees are a key component of this system.
Five Things Your Employees Can Do
- Adhere to the “minimum necessary” rule. This HIPAA rule indicates that personnel whose jobs require them to work with protected health information (PHI) should only disclose as much as is necessary to do the job. In other words, if a case needs to be discussed with another healthcare provider or if information needs to be given to an insurance company or other party, give only the essential details and no more. Think hard about where to draw that line and do not cross it.
- Stay aware of how PHI is displayed so that it is not accidentally visible to casual onlookers. This includes positioning a computer screen where passersby cannot easily see it, putting papers face down or in a folder, and otherwise not exposing PHI to casual observation by others who happen to be in the room.
- Leave work at work. Anytime employees talk about their job, they are at risk of inadvertently revealing protected health information. This also means not carrying papers home that might contain PHI, not even in a locked briefcase.
- Get savvy about digital information security best practices. For many employees, paper or hard copy breaches are easier to understand and thus easier to prevent. However, records are increasingly going digital and digital breaches tend to involve large numbers of records. Start with understanding how to create a good password.
- Be on guard against social engineering. People who seem “nice” or “friendly” are no more entitled to PHI than people who are less charismatic. Charisma is not a reason to give out PHI. An official, work-related reason either exists or it does not.
Hire Good People, Train Them Well, Then Trust Them
Although it is important to have good hiring practices that screen for trustworthiness, it is also important to train personnel properly and to provide ongoing refresher courses. Micromanagement, however, is counterproductive: it will not stop bad apples from finding a way to get away with something, but it will undermine the decision making of good people and may breed resentment. Trust your employees to carry out the newly implemented security practices, and they will help you and your ENT practice meet HIPAA standards.