Creating a Security-Minded Culture in Your Medical Practice
A HIPAA Data Breach Infographic Worth a Thousand Words
Despite the emphasis and priority placed on patient information security, staffing at medical organizations changes, and untrained staff leave gaps for potential information breaches. Professional data recovery companies are also aware that new employees in critical IT departments may not be informed and educated on the specifics of their systems or disaster recovery procedures.
The 2003 HIPAA Privacy Rule was updated in 2005 to include the HIPAA Security Rule. The standards were established to protect the availability and integrity of the previously protected health information that was stored electronically. In 2006, the HIPAA Enforcement Rule was then modified to establish a set of guidelines for covered entities on notifying patients and HHS when/if a breach did occur. This created HIPAA violation penalties of up to $1.5 million.
When it comes to the topic of HIPAA violations, ignorance is not an acceptable excuse. The four ‘tiers’ of violations that have been established include:
- Did not know of breach
- Had reasonable cause to know
- Willful neglect, corrected
- Willful neglect, not corrected
The Omnibus Rule modifies the HIPAA Privacy, Security, Breach Notification and Enforcement Rules through the expansion of patient rights and enforcement.
The sheer numbers involved in breaches are a statement unto themselves. Training staff within a medical environment is paramount. However, consistent retraining as new employees arrive and experienced staff leave is not always in place, and this leaves a medical organization vulnerable to security problems.
Although security is among the top conversations in medical organizations, the focus seems to be more on data storage and on the security of transmissions to vendor partners. Proven Data Recovery has witnessed first-hand situations where attention is given to the security and encryption of the patient information and yet the IT staff are not sufficiently trained on the specifics of the system. In many cases, training may have occurred as a one-time option without additional or scheduled training for new employees.
Medical organizations of all types need to establish regular security training procedures. Vanderbilt University Medical Center has set an example of the requirements through both new staff and annual training classes for all employees. The College of Pharmacy & Health Sciences joins many educational facilities in instituting staff and student educational requirements for HIPAA and security issues.
Even though the importance of patient information security is raised to a high level, the rigors of daily business often overtake the details in simply trying to get patients through the system. In an attempt to ensure that all patients are cared for, medical organizations may place new staff in data input positions, thereby allowing human error to occur. Data entered in an incorrect field can then spread as it is transmitted throughout the system and potentially even be shared with partner vendors that are not privy to that level of patient information. This then causes a security breach that may not be caught for an unknown amount of time.
All medical community verticals need to include extended security training as part of their new hire procedures, add a quarterly or annual training process for existing staff and ensure that those employees within the IT structure are educated at the highest level regarding all aspects of the system. On the IT side, additional auditing procedures need to be set in place to examine any data that is shared via API with vendor partners and in the transmission process. Many medical organizations do not have a disaster recovery procedure in place, and are then put in the position of contacting professional data recovery companies only after a disaster occurs. Additional and consistent training of employees will reinforce the current priority placed on the safety and security of the patient data and assist in catching ‘loopholes’ as well as addressing system problems in an expedient manner.