Healthcare is the only industry in which the insider threat has been shown to be the greatest threat to critical data. Since the insider threat, extending from your workforce through management, is an evident risk, it is important to take a few steps to reduce the danger in your skilled nursing facility:
Train your workforce and management
Addressing the threat presented by your nursing home staff requires education, as provided through HIPAA compliance training. Training is a mandatory element of both the HIPAA Privacy Rule (see 45 CFR § 164.530(b)(1)) and HIPAA Security Rule (see 45 CFR § 164.308(a)(5)).
Your training should address what is protected under the law (i.e., what is considered protected health information), why protection is necessary, and how to properly protect records so that HIPAA breaches do not occur. That last element is particularly important. Your staff will probably not purposely share confidential data. However, they may accidentally share it incorrectly.
Your HIPAA compliance training must address how to work with patient information in such a manner that will maintain its availability, integrity, and confidentiality whenever it is received, sent, or stored; detect and defend against any integrity or security threats that are reasonably foreseen; and safeguard against any unlawful disclosure or use that is reasonably foreseen.
It also cannot hurt to establish how real the problem is – that an organization’s staff is, according to a March 2018 industry study, a more significant source of risk than the outside world. More than half of electronic PHI breaches (58%) are due to insiders, said the research, which was based on analysis of 1368 security incidents throughout 27 nations. The study authors found that healthcare was the only sector in which the insider was the greatest threat to critical data.
Direct your staff to notify you when they see HIPAA violations
A person who commits a HIPAA violation within a nursing home facility may not be aware that they have done so, but PHI could still be compromised. It is critical to let your staff know that all errors or other security issues must be reported immediately. There should also be strict rules protecting people who report security concerns from retaliation.
Automate compliance where possible
By automating compliance, you can straightforwardly reduce the likelihood that human error will occur, noted HIPAA Journal. For instance, if you store everything on encrypted devices, you could have a system in place that blocks anyone from saving to an unencrypted drive. Automatic logoff after a period of inactivity is another simple step.
Perform routine risk assessments
The HIPAA Security Rule mandates risk analyses by both covered entities (healthcare plans, providers, and data clearinghouses) and business associates (third parties handling patient data). Risk assessments confirm compliance with the parameters of HIPAA – specifically the technical, physical, and administrative safeguards. That third element, administrative safeguards, addresses the issue of employee compliance. For help with this process, you can use the Security Risk Assessment Tool that was developed by the Office of the National Coordinator for Health IT (ONC) in conjunction with the HHS.
Protecting against human error
Since mistakes by employees are responsible for so many healthcare data breaches, it is critical to consider how to mitigate this risk. If your staff knows the fundamentals of HIPAA compliance and that reporting a violation is mandatory, and if you routinely assess risk and automate where possible, you will greatly reduce your risk of an incredibly costly and stressful breach.
Moazzam Adnan Raja is the Vice President of Marketing at Atlantic.Net. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.