Simply creating policies and procedures (P&P) to safeguard ePHI and conducting a comprehensive risk assessment will not prevent data breaches. Technical safeguards help only up to a point. The Security Rule requires you to enforce compliance through your workforce, and your workforce cannot know precisely what compliance with HIPAA, HITECH, and the related rules requires, or what constitutes a violation, unless they have been trained.
Make It an Ongoing Affair
As a covered entity, you are required by the Security Rule to train your staff before authorizing any access to ePHI. They must be trained on the requirements of HIPAA, HITECH, and the related rules, and on your own policies and procedures for ensuring the confidentiality, integrity, and availability (CIA) of all PHI and ePHI. They should understand the limits on access to, and disclosure of, any PHI. You may need to deliver the training in phases to avoid overwhelming staff and leaving them confused. They will be less anxious once they know that they can have their questions answered in the next round.
Try this: Set aside a particular time during the work day, sometime mid-week, for personnel who have questions to seek clarification from a designated individual, whether that is your security officer or whoever else is in charge of training. Check that new employees receive appropriate HIPAA training upon hire. Ensure that all existing employees receive appropriate HIPAA compliance training at least annually.
Keep Updating Information for Your Team
Whenever HIPAA or related health information regulations or rules change, ensure that all personnel receive updated training. List all of your security awareness and training programs and evaluate their content against the standard. This will enable you to identify any gaps in the training program. The incident response team and the employees who handle a data breach must be given the training they need to perform their roles and carry out their responsibilities during an incident, or when an incident is suspected.
Have You Defined Any Punitive Actions for Personnel Who Violate Prescribed P&P?
It is essential that you define the punitive actions to be taken against personnel who violate prescribed policies and procedures. Once they know that violations of P&P may even cost them their jobs, employees will be disinclined to engage in any willful transgressions. They must also understand that unauthorized viewing of the care records of a family member or close friend constitutes a HIPAA violation.
About the Author: Amit Sarkar (Lead Auditor, MBB Quality)
Amit Sarkar is a global HIPAA compliance expert with more than two decades of experience in U.S. healthcare and other domains, and holds globally recognized certifications in quality and compliance.
He has handled end-to-end compliance programs related to HIPAA, information security, and regulatory and statutory compliance for multimillion-dollar organizations with a presence across the globe. He is the leader and driving force behind HIPAA Institute, a business unit whose vision is to make a major part of the US healthcare industry 100% HIPAA compliant by the year 2020.