Cutting Down on Human Error to Avoid HIPAA Breaches
Healthcare organizations are required to store an increasing volume of data in digital format. While data security used to mean locked filing cabinets and a small security presence, the threats faced by today's healthcare providers require an increasingly technical array of security measures to keep patient data secure.
Even when legislation is adhered to by the letter and all of the appropriate technical, physical and administrative safeguards are in place, a simple error by a member of staff can easily cause a data breach with major implications for the individual concerned, the healthcare provider and its patients.
Rachel Seeger, spokesperson for the Office for Civil Rights (OCR), said, “Human error increases risk when there are already vulnerabilities in place.” It is therefore essential that HIPAA-covered organizations conduct a full and thorough risk analysis to identify security vulnerabilities, and that any issues raised are effectively managed.
Deliberate attacks are increasing because of the high value of health data to thieves, and cybercriminals have discovered that the healthcare sector is poorly protected. Banks and financial institutions have installed robust security systems to safeguard the financial data of their customers, yet many hospitals and clinics underestimate the threat posed by cybercriminals and fail to take even basic precautions.
While the threat of data theft is constant and more cases are reported each year, in terms of the number of security breaches reported annually, human error causes far more breaches than cyberattacks.
Many mistakes are caused by people not being aware of current data privacy and security regulations, what their role requires of them, and their obligations under HIPAA, HITECH and other legislation introduced to keep data secure. Training staff on their obligations under HIPAA is mandatory, but along with training, employees should be given checklists that can easily be followed to ensure compliance and reduce the chance of mistakes and omissions.
Privacy and data security policies are written by administrators, compliance officers and management, and while they cover all requirements of the legislation, it is essential that these policies are assessed in practice, with feedback gathered from the staff responsible for safeguarding data. Procedures may need fine tuning to ensure that data is safeguarded while work processes remain efficient. Particular care must be taken when new technology is deployed; a full risk assessment must be conducted to ensure that data is not exposed.
A number of tactics can be used by healthcare providers to reduce the possibility of human mistakes causing data breaches. Implementing the following ‘best practices’ can greatly reduce the risk of Protected Health Information being exposed and causing HIPAA breaches:
Reward Self Reporting of Security Concerns
Establish an environment where the staff is comfortable reporting any possible HIPAA violations, mistakes or accidental disclosures of PHI. While staff must understand the seriousness of data security, it is also crucial that they appreciate why security or privacy issues must be quickly reported. It may not be possible to undo the error, but it is possible to take rapid action to mitigate any damage it leads to.
Encourage Staff to Highlight the Errors of Others
Errors can be unwittingly made that expose PHI, yet they may not be recognized by the individual concerned. It is therefore vital to communicate to the staff that the reporting of any security concern is mandatory, and to implement a policy of zero tolerance for any retaliation against persons who report issues, breaches or other security concerns.
Give Training to Eliminate Common Mistakes
Many HIPAA breaches arise from employees not being aware of their data security obligations or from making mistakes under pressure or by taking short cuts. Relay the importance of data security to the staff, provide specific training on common issue areas and ensure all employees are aware of the latest data security policies and procedures, as well as the repercussions for not adhering to them.
Correct Bad Habits Swiftly
Once bad habits begin to develop they can easily spread throughout the organization. It is vital that supervisors, line managers and compliance officers spot bad practices quickly and address them. Identify any persons, groups or departments that are careless and cut corners and provide selective retraining or other corrective actions.
Automate Compliance As Much as Possible
The simplest way to eliminate the possibility of human error is to automate as many compliance processes as you can. If staff are only permitted to store data on encrypted devices, the security system should be configured so that it is impossible to transfer data to an unencrypted drive. Users can be automatically logged out of databases and computer systems after being inactive for a set period, and other automated procedures can be introduced to keep data safe.
Establish Fail Safes to Keep Data Private
While processes and company policies can be set to lessen the possibility of human error, when a mistake occurs it should not have catastrophic consequences. Alarms and system warnings should be set up to identify breaches quickly and non-technical fail safes should be put in place to stop untrained or unauthorized staff from accessing PHI.
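As an added example that is not part of the original article, the script below shows the kind of automated alarm the two points above describe: it replays access-audit log lines and raises an alert when a user's role does not permit the action taken on a record, or when one user opens an unusual number of distinct patient records in a short window. The log format, the role-to-permission table, the user names and the thresholds are all constructed for illustration and are not a HIPAA-mandated scheme; a real deployment would read the application's own audit trail and tune the thresholds to its workflow.

```python
"""Illustrative PHI access monitor (constructed example, not from the article).

Each audit line is assumed to have the form:
    ISO-timestamp user role action patient_id
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role-to-permission mapping for actions on clinical records.
ALLOWED_ACTIONS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "billing": {"view"},
    "reception": set(),  # reception staff should never open clinical records
}

# Volume rule: more than this many distinct patients opened by one user
# inside WINDOW is treated as possible bulk export or snooping.
MAX_DISTINCT_PATIENTS = 5
WINDOW = timedelta(minutes=10)

# Constructed sample audit trail used for the demonstration below.
SAMPLE_LOG = [
    "2024-03-04T09:00:00 dr.lee physician view P1001",
    "2024-03-04T09:01:00 nurse.kim nurse update P1001",
    "2024-03-04T09:02:00 front.desk reception view P1002",  # role may not view
    "2024-03-04T09:03:00 bill.ops billing update P1003",    # billing may only view
    "2024-03-04T09:05:00 nurse.kim nurse view P1004",
    "2024-03-04T09:05:30 nurse.kim nurse view P1005",
    "2024-03-04T09:06:00 nurse.kim nurse view P1006",
    "2024-03-04T09:06:30 nurse.kim nurse view P1007",
    "2024-03-04T09:07:00 nurse.kim nurse view P1008",       # 6th distinct patient
]


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, role, action, patient = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient}


def analyze(lines):
    """Return a list of (timestamp, rule_name, detail) alerts, in log order."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, patient)] seen inside the window

    for ev in map(parse_line, lines):
        # Rule 1: the user's role does not permit this action on PHI.
        if ev["action"] not in ALLOWED_ACTIONS.get(ev["role"], set()):
            alerts.append((ev["ts"], "unauthorized_role",
                           f"{ev['user']} ({ev['role']}) attempted "
                           f"{ev['action']} on {ev['patient']}"))

        # Rule 2: sliding window of distinct patients per user.
        window = [(t, p) for t, p in recent[ev["user"]] if ev["ts"] - t <= WINDOW]
        window.append((ev["ts"], ev["patient"]))
        recent[ev["user"]] = window
        distinct = {p for _, p in window}
        # Alert once, at the moment the threshold is crossed.
        if len(distinct) == MAX_DISTINCT_PATIENTS + 1:
            alerts.append((ev["ts"], "bulk_access",
                           f"{ev['user']} opened {len(distinct)} distinct "
                           f"patient records within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} [{rule}] {detail}")
```

Running the script on the constructed log yields three alerts: two `unauthorized_role` alerts (the reception and billing users) and one `bulk_access` alert the moment the nurse opens a sixth distinct record. The role check is the technical counterpart of the non-technical fail safe above: it does not stop a permitted user from making a mistake, but it surfaces an out-of-role disclosure immediately so the damage can be contained.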
Carry Out Internal Audits to Assess HIPAA Compliance
Once policies are set it is wise to conduct regular internal audits to look for non-compliance issues. If OCR carries out an investigation it has the power to issue fines for each non-compliance issue discovered. It is far better to take progressive steps to address any non-compliance issues before they are uncovered by an unannounced OCR audit.
Go Ahead with Caution
There are likely to be a number of times when staff are unsure whether it is permissible to release or disclose PHI. It should be communicated to all staff that the golden rule is, “if you are unsure whether an action violates data privacy and security regulations, do not do it; seek advice.”