An organization can have all the necessary healthcare
privacy and security measures in place, but without comprehensive
employee training, the facility could still fall victim to a data
breach or violate HIPAA regulations.
That is just one of several issues the healthcare industry is facing in
2015. The human factor is critical for any healthcare organization,
and a lack of knowledge about HIPAA could be harmful.
Controlling access to healthcare information is also a critical
aspect of securing that data, because organizations must ensure that the users
who access the information are authorized to do so. Covered entities have to define what
information needs to be accessed by which users. They also need to define what
processes must be in place to ensure that the appropriate level of access is
granted to those users.
Essentially, healthcare organizations need to take a look
at what information they actually have, how that information is stored, and for
what purposes it needs to be used. Once those three elements are in place,
facilities can then define what their provisioning processes should be, based
on users' needs and the duties they perform.
You have to keep in mind that all the users that have
access to that data have a role or responsibility, and are using that
information for a specific purpose. So
it’s up to those users to make sure that they follow the necessary processes,
procedures and policies in place for the disclosure of that
information.
Additionally, that access has to be in accordance with
all regulatory requirements, such as the HIPAA Privacy Rule and Security Rule. Finding that
balance is a challenge that healthcare organizations of all sizes are working
to overcome.
“It’s a lot easier for practices, covered entities, and
hospitals to grant access to all employees and feel like they will only use the
information that they’re supposed to,” he said. “However, that’s not always the
case.”
This is where comprehensive training and education will
come into play. Employees need to be aware of what the Privacy and Security
Rules are about and then what their obligations as staff members are. From
there, covered entities need to teach employees how to tie those obligations
back to existing practices within their particular organization.
Another key tool to strengthening the human factor in
healthcare privacy and security is conducting regular audits and reviews of
what employees are actually able to access. For example, an individual who
works in the billing office doesn’t necessarily need to have access to clinical
information, such as a patient’s medical record. Comparatively, a nurse will
need access to clinical information, but will likely not need to see a
patient’s demographic information or their financial data.
You have to understand what information you have in your
system and how granular your system's access controls can be in order to determine what level of
access is appropriate for your employees, recalling the “minimum necessary” standard
in HIPAA. “Granting all access to everybody would not be in compliance, and
would not be standard with the security requirements.”
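The role-based "minimum necessary" model and the periodic access review described above can be expressed in code. The following is an added example, not code from the article or from any particular vendor; the roles, data categories, and sample users are constructed for illustration and mirror the billing-office and nurse cases in the text.

```python
"""Role-based 'minimum necessary' policy plus an entitlement review.

The roles, PHI categories and sample users below are constructed for this
example (an assumption, not a HIPAA-defined taxonomy).
"""
from dataclasses import dataclass, field

# Categories of protected health information held in the hypothetical system.
CLINICAL = "clinical"          # e.g. medical record entries
DEMOGRAPHIC = "demographic"    # e.g. address, date of birth
FINANCIAL = "financial"        # e.g. insurance and billing data

# Minimum-necessary policy: the categories each role needs for its duties.
# Assumed mapping, following the article's examples.
ROLE_POLICY = {
    "billing_clerk": {DEMOGRAPHIC, FINANCIAL},
    "nurse": {CLINICAL},
    "privacy_officer": {CLINICAL, DEMOGRAPHIC, FINANCIAL},
}


@dataclass
class User:
    username: str
    role: str
    # What the system has actually granted; may drift from the policy.
    granted: set = field(default_factory=set)


def allowed_categories(role):
    """Categories the policy permits for a role; unknown roles get nothing."""
    return ROLE_POLICY.get(role, set())


def can_access(user, category):
    """Access decision: the grant must exist AND be within the role's policy.

    Checking the policy at decision time means a stale or mistaken grant
    does not by itself expose data (defence in depth over provisioning).
    """
    return category in user.granted and category in allowed_categories(user.role)


def review_entitlements(users):
    """Periodic audit: map each over-provisioned username to its excess categories."""
    findings = {}
    for u in users:
        excess = u.granted - allowed_categories(u.role)
        if excess:
            findings[u.username] = excess
    return findings


def provision(user):
    """Provisioning step: reset grants to exactly the role's minimum-necessary set."""
    user.granted = set(allowed_categories(user.role))
    return user


# Constructed sample population showing typical drift from the policy.
SAMPLE_USERS = [
    User("pat", "billing_clerk", {DEMOGRAPHIC, FINANCIAL, CLINICAL}),  # excess clinical
    User("sam", "nurse", {CLINICAL, FINANCIAL}),                       # excess financial
    User("ola", "privacy_officer", {CLINICAL, DEMOGRAPHIC, FINANCIAL}),  # compliant
    User("temp", "contractor", {CLINICAL}),                            # role not in policy
]


def run_review(users=SAMPLE_USERS):
    """Run the audit, report findings, and return them for further handling."""
    findings = review_entitlements(users)
    for name, excess in sorted(findings.items()):
        print(f"{name}: excess access to {sorted(excess)}")
    return findings


if __name__ == "__main__":
    run_review()
```

The review is the auditable artefact: it lists every account whose grants exceed its role, including accounts whose role is not in the policy at all, which is the "granting all access to everybody" failure mode the quoted speaker warns about. Re-running `provision` on a flagged user brings that user back in line.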