“Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”

A Danger and an Opportunity

Hidden in these few words is one of the greatest dangers – and opportunities – for both Covered Entities and Business Associates. The danger and the opportunity both derive from the fact that many data breaches and thefts of PHI are perpetrated by insiders.

• Insiders at Tenet were recently charged with theft and HIPAA violations.
• A Johns Hopkins employee who worked in the hospital’s patient registration area was recently charged with fraud after stealing patient files.
• Kaiser Permanente’s Bellflower Hospital was recently fined $250,000 because employees were snooping into an octuplet mom’s (“Octomom”) medical records.

The danger to CEs is that some trusted insider will be tempted to steal, sell, or hold Protected Health Information (PHI) hostage for personal gain. The opportunity is the chance to avoid HIPAA violations and bad publicity by making sure the people inside your entity are trustworthy and responsible.

“Workforce Clearance” Really Means “Background Checks”

In truth, many of these incidents might have been prevented if the entities involved had followed HIPAA’s “Workforce Clearance” requirement more strictly. The essence of Workforce Clearance is really background screening of employees, often referred to as “background checks.”

While many entities do perform some background screening for new hires, many entities do only a cursory check, and often with the lowest bidder. Unfortunately, this is a recipe for disaster.

People with Problems are More Prone to Crime

The simple fact is, people with criminal backgrounds and those with huge amounts of debt are more often involved in PHI thefts and breaches than those without such problems. And well-done background checks frequently identify high-risk individuals.

Background Screening – Rule of Thumb

A general rule of thumb is that the positions that carry the greatest responsibility should have the most intensive background checks. Positions such as IT Director, Senior Admin, Security Director, Medical Records Director and Manager should all have thorough background screening performed for applicants before they are hired. Some HIPAA entities are also re-screening workers in key positions periodically, to discover potential people problems in advance.

Background screenings for critical positions should include:

• Confirmation of previous employment history.
• Multi-state, or nationwide criminal background checks.
• Credit history reports.
• Driving history and violation reports.

Don’t Cut Costs on Workforce Clearance

While many CEs and BAs try to rein in costs by cutting back on background screening, the smartest entities are stepping up their use of background checks. They are moving to comply with HIPAA’s addressable “Workforce Clearance” requirement. They are also being smart, by reducing the risk from another “reasonably anticipated” threat to the PHI they are entrusted with.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

“Reasonably Anticipated” Threats

HIPAA requires CEs and BAs to protect PHI against all “reasonably anticipated” threats. The problem is, many CEs and BAs don’t know how serious the “digital device” threat is to their PHI. On the other hand, HIPAA entities can’t claim that these threats couldn’t be “reasonably anticipated”, because this  issue is being covered in the general, technical and medical media increasingly often.

So what’s a concerned CE or BA to do?

What Can Be Done?

The first step is to research the potential for abuse in your organization. You should be able to answer the following questions:

1. How and where are digital devices and recordings being used in your facility now?
2. How will you deal with employees and physicians’ use of digital devices for recording images, video, and audio?
3. How will you deal with patients and visitors using these devices?
4. What are the legitimate recording uses, if any, for such devices in your facility?

Based on the answers to these questions, you should create clear policies and guidance for the workforce, patients and visitors. Policies should be circulated to everyone and employee “sign-offs” should be obtained to establish workforce “agreement” to abide by the policies. Consider having patients sign a form laying out the rules and restrictions on recording with digital devices. And consider posting signs in patient and visitor areas that say “No Photography Allowed”, “Recordings Prohibited”, or something similar.

A Variety of Approaches

CEs and BAs today are taking a variety of approaches to digital devices and the recordings they can produce, including:

• Banning all cameras, camera-phones, and audio recording devices from the premises. (Very hard to enforce.)
• Banning digital devices from patient-care areas. (Easier to enforce, but still problematic.)
• Establishing clear policies and restrictions on usage, but not banning the physical presence of relevant digital devices. (More realistic, but still difficult to enforce, as many devices are small and can be used surreptitiously.)
• Ignoring the problem or deferring the issue till “later.” (The riskiest approach of all.)

No “Magic Bullet”

There is no “magic bullet” solution for the privacy and security challenges posed by digital recording devices. Nevertheless, CEs and BAs must attempt to address these challenges somehow, even if only to demonstrate to a judge or jury — after a breach — that they were not guilty of “willful neglect”. Remember, HIPAA violations that involve “willful neglect” carry new investigative and penalty requirements under the recent ARRA expansion to HIPAA. Be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Whether it’s from stolen laptops, rogue wi-fi hotspots, employee snooping, or determined hackers, data breaches and losses are skyrocketing. The problem is so acute, that even organizations that track data breaches are amazed at the scope of the data breach problem.

Medical Records Have Financial Value to Criminals

Why is this happening in such a big way? The answer is money. Medical records, and other comprehensive personal records like mortgage applications, have financial value to criminals. Criminals buy and sell people’s personal records on underground websites and channels because those records are used to create false identities and commit fraud.

The attractiveness of medical records to criminals is one of the main reasons why the HIPAA regulations require such strong protections for PHI. Covered Entities think their records are just paper. But to criminals, medical records are gold.

Foreign crime syndicates see the potential payoff from I.D. theft. And even common street gangs are, in some cases, turning away from drugs and prostitution and moving into I.D. theft.

HIPAA Requirements are Only a Starting Point

Remember, HIPAA’s Privacy and Security Rule requirements are only a minimum “floor” of protection that every entity should have in place no matter what. It also takes effective training, awareness of how criminals work, and due diligence to prevent data breaches. And you can be sure of one thing: prevention is easier and much, much cheaper than dealing with a data breach. Be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.