“Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”

A Danger and an Opportunity

Hidden in these few words is one of the greatest dangers – and opportunities – for both Covered Entities and Business Associates. The danger and the opportunity both derive from the fact that many data breaches and thefts of PHI are perpetrated by insiders.

• Insiders at Tenet were recently charged with theft and HIPAA violations.
• A Johns Hopkins employee who worked in the hospital’s patient registration area was recently charged with fraud after stealing patient files.
• Kaiser Permanente’s Bellflower Hospital was recently fined $250,000 because employees were snooping into an octuplet mom’s (“Octomom”) medical records.

The danger to CEs is that some trusted insider will be tempted to steal, sell, or hold Protected Health Information (PHI) hostage for personal gain. The opportunity is the chance to avoid HIPAA violations and bad publicity by making sure the people inside your entity are trustworthy and responsible.

“Workforce Clearance” Really Means “Background Checks”

In truth, many of these incidents might have been prevented if the entities involved had followed HIPAA’s “Workforce Clearance” requirement more strictly. The essence of Workforce Clearance is really background screening of employees, often referred to as “background checks.”

While many entities do perform some background screening for new hires, many entities do only a cursory check, and often with the lowest bidder. Unfortunately, this is a recipe for disaster.

People with Problems are More Prone to Crime

The simple fact is, people with criminal backgrounds and those with huge amounts of debt are more often involved in PHI thefts and breaches than those without such problems. And well-done background checks frequently identify high-risk individuals.

Background Screening – Rule of Thumb

A general rule of thumb is that the positions that carry the greatest responsibility should have the most intensive background checks. Positions such as IT Director, Senior Admin, Security Director, Medical Records Director and Manager should all have thorough background screening performed for applicants before they are hired. Some HIPAA entities are also re-screening workers in key positions periodically, to discover potential people problems in advance.

Background screenings for critical positions should include:

• Confirmation of previous employment history.
• Multi-state, or nationwide criminal background checks.
• Credit history reports.
• Driving history and violation reports.

Don’t Cut Costs on Workforce Clearance

While many CEs and BAs try to rein in costs by cutting back on background screening, the smartest entities are stepping up their use of background checks. They are moving to comply with HIPAA’s addressable “Workforce Clearance” requirement. They are also being smart, by reducing the risk from another “reasonably anticipated” threat to the PHI they are entrusted with.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

• HHS conducted it’s first-ever, on-site inspection for HIPAA compliance in March 2007 at Piedmont Hospital in Atlanta, Georgia.
• In 2007 HHS granted new and expanded subpoena authority to the Office for Civil Rights to use in HIPAA violation investigations.
• As of 2009, over 400 cases have now been referred to the US Department of Justice over possible criminal violations of HIPAA.
• The 2009 HITECH Act, part of the ARRA, expanded HIPAA investigations and enforcement, to include, for the first time, mandatory investigations and penalties for cases involving “willful neglect”.
• HHS re-delegated HIPAA Security enforcement in August 2009, moving it from the CMS to the OCR. The OCR now handles investigations and enforcement for both the Privacy and Security Rules.
• Announced August 2009, HHS is hiring more investigators to accommodate the growing number of complaints and it’s new, combined Privacy and Security enforcement duties.

Combine these with the ever-growing number of breaches, and the ARRA changes to HIPAA enforcement, and you have an blossoming enforcement situation every Covered Entity (CE) and Business Associate (BA) should be concerned about.

CEa and BAa simply must get their HIPAA “ducks in a row” as we approach 2010. The major provisions of the ARRA and the HITECH Act kick in on February 18th 2010, and HIPAA enforcement will continue to heat up. Be ready and be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

“Reasonably Anticipated” Threats

HIPAA requires CEs and BAs to protect PHI against all “reasonably anticipated” threats. The problem is, many CEs and BAs don’t know how serious the “digital device” threat is to their PHI. On the other hand, HIPAA entities can’t claim that these threats couldn’t be “reasonably anticipated”, because this  issue is being covered in the general, technical and medical media increasingly often.

So what’s a concerned CE or BA to do?

What Can Be Done?

The first step is to research the potential for abuse in your organization. You should be able to answer the following questions:

1. How and where are digital devices and recordings being used in your facility now?
2. How will you deal with employees and physicians’ use of digital devices for recording images, video, and audio?
3. How will you deal with patients and visitors using these devices?
4. What are the legitimate recording uses, if any, for such devices in your facility?

Based on the answers to these questions, you should create clear policies and guidance for the workforce, patients and visitors. Policies should be circulated to everyone and employee “sign-offs” should be obtained to establish workforce “agreement” to abide by the policies. Consider having patients sign a form laying out the rules and restrictions on recording with digital devices. And consider posting signs in patient and visitor areas that say “No Photography Allowed”, “Recordings Prohibited”, or something similar.

A Variety of Approaches

CEs and BAs today are taking a variety of approaches to digital devices and the recordings they can produce, including:

• Banning all cameras, camera-phones, and audio recording devices from the premises. (Very hard to enforce.)
• Banning digital devices from patient-care areas. (Easier to enforce, but still problematic.)
• Establishing clear policies and restrictions on usage, but not banning the physical presence of relevant digital devices. (More realistic, but still difficult to enforce, as many devices are small and can be used surreptitiously.)
• Ignoring the problem or deferring the issue till “later.” (The riskiest approach of all.)

No “Magic Bullet”

There is no “magic bullet” solution for the privacy and security challenges posed by digital recording devices. Nevertheless, CEs and BAs must attempt to address these challenges somehow, even if only to demonstrate to a judge or jury — after a breach — that they were not guilty of “willful neglect”. Remember, HIPAA violations that involve “willful neglect” carry new investigative and penalty requirements under the recent ARRA expansion to HIPAA. Be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.