All healthcare personnel – from employees to volunteers to trainees to management – need to be educated and trained about the institution’s HIPAA policies and procedures. This is not optional: the Privacy Rule requires a covered entity to train every member of its workforce, and the Security Rule separately requires a security awareness and training program.
Recap: Wherever, or however, you practice medicine, having a coherent set of internal and external policies and procedures regarding patient privacy is key. And there is no one-size-fits-all solution. The approach for medical institutions big and small is the same: keep updating your overall privacy and security program as new threats and technologies emerge.
Doctors and patients are the people most commonly mentioned when we talk about HIPAA. However, the “covered entity” (in HIPAA-speak) is the institution itself, and everyone who works there, paid or unpaid, is part of its workforce. Therefore everyone, not just doctors, needs to undergo HIPAA training to understand these security and privacy policies and procedures, and how they affect their own work.
For example, the maintenance staff need to know where physical PHI is stored in the office, how to stay out of those areas, and how to make sure the areas they were given access to remain secure after they leave (doors locked, keys and badges returned, nothing left propped open).
So a secure office and medical setting is a team effort. How can you test how effective your “team” is?
One popular test is the office walk-through, because an outsider’s perspective can help you see the risks in your own office more clearly:
Walk up to the sign-in counter. Can you see any open medical charts from where a patient would stand? Are there open calendars or sign-in sheets with other patients’ names and personal information in view? Is there an unlocked, unattended workstation showing a patient record? Now act as if you are walking to the examination room. Are there patient charts visible on the doors? Are there printouts sitting in a printer or fax tray? Can conversations be overheard through open doors?
By taking the time to do this exercise, you will get a clearer idea of:
a) how much patient information is spread out across your institution, and
b) how important it is for all of your staff to be on the same page when it comes to keeping this PHI secure.
A little can go a long way
One hot-button issue that has made the need for staff-wide HIPAA training clear is the rising number of HIPAA violations connected to a staff member’s use of social media. A Nucleus Research study found that approximately 77% of workers have a Facebook account and nearly two-thirds of those employees access their accounts during work hours. Educating your staff on the relationship between HIPAA, photos and social media is a case where a little can go a long way. Remind them that ANY information that can identify a patient and relates to their care can be PHI, and that posting it without the patient’s written authorization is an impermissible disclosure, which is to say a HIPAA violation.
For example, if a staff member is having a bad day and vents on Twitter about a patient, whether in text, images or video, and the post contains enough detail to identify that patient, that is a HIPAA violation regardless of whether the patient is named. Even a selfie taken in your office, if something like a screen displaying PHI or a patient being treated is accidentally captured in the background, can constitute a breach of patient data. Employees should assume that anything put online will be re-shared as broadly as possible, and that deleting the original post does not undo the disclosure.
Remember: once patient information has been disclosed, there is no way to take it back.
So, to sum up: everyone working at or for a healthcare institution needs HIPAA training. And even though social media is a form of personal expression in our private lives, it has no place in a medical setting. A good rule of thumb is never to post anything from work on a social media platform.
Next week: HIPAA isn’t just for doctors, or even for healthcare personnel. Educate yourself, your staff and, equally important, your patients. Patients are just as likely, if not more likely, to share information in a way that could put you at risk of a HIPAA violation. Example? A patient sends you an email with a video of a twitch they recently started having in their eye.
We’ll show you how to best deal with those situations.
#HIPAA #SecurityFirst #PatientPrivacy #HealthIT