2. Threat From Within
• Sometimes good employees don't follow policies and procedures
• Inadvertent misuse of data by employees topped the list of breaches in 2013
• 42% of employees have received training
• 57% said they didn't know their organization's security policies
• Organizations MUST have policies and procedures and train staff on them
• Staff then need to be tested on what they absorbed in the training
3. Technology
• The technology for storing, communicating, and referencing medical information has exploded
• It enhances patient care... BUT what are the ethical-legal implications?
• Staff need to be made aware of their role
4. What Information Do You Need?
• Physicians, technologists, and other healthcare professionals use technology for disease management and treatment options
• Access is broadened to permit links from associations
• Medical information can be retrieved, copied, and retransmitted by anyone with access and a password
5. HIPAA Privacy Rule: It will guide you
• The Health Insurance Portability and Accountability Act of 1996 was created to safeguard electronic healthcare transactions
• The Privacy Rule took effect in 2003 (compliance required from April 14, 2003)
Privacy Rule:
• Protects patients' privacy and provides patients access to their medical records
Security Rule:
• Formal policies and procedures to regulate the conduct of personnel protecting data
6. Understanding the Purpose of HIPAA
• Balance protecting the privacy of patients' health information against making that information available to health care workers to provide care and obtain payment for care
• A Covered Entity (CE) is the facility AND its STAFF: the rules bind the whole workforce
• Only the MINIMUM amount of PHI needed to accomplish the intended use, disclosure, or request should be used (the "minimum necessary" standard)
7. IT'S THE CONSTITUTION
Congress Mandates:
"The privacy of an individual is directly affected by the collection, maintenance, use, AND dissemination of PERSONAL INFORMATION" (congressional findings, Privacy Act of 1974)
The right to privacy is an individual's constitutional right!
8. Ethical and Legal Considerations for Your Staff
• Ethics sets behavioral standards based on moral values
• Law is an objective rule of conduct or action
The healthcare professional MUST uphold:
Autonomy (respect others' decision-making)
Beneficence (act in others' interests)
Nonmaleficence (do no harm)
Justice (all people deserve the same treatment)
9. Planning
• A manager needs to set goals and priorities and to outline costs, desired results, impact on other systems, and vendor selection
Know your systems
Know what needs to be added to your system
What changes need to be made to the current program?
10. What Training Should Be Put In Place?
• Create a culture of compliance
• Ensure there is policy awareness
• Discuss incident response and risk analysis
• The training sessions should include the difference between "ignorance" and "willful neglect" (HIPAA civil penalty tiers are graded by whether the entity did not know of a violation, had reasonable cause, or acted with willful neglect)
• Online education on the HIPAA Security and Privacy Rules, with a questionnaire testing staff knowledge at the end, will be delivered annually
• Staff will sign an attestation of their commitment to patient privacy
11. Steps To Train
1. Training will be part of orientation for new hires
2. Annual training will be required for all staff
3. Develop a program that perpetuates itself and becomes part of the organizational culture
4. Training is education: knowledge, how-tos, and ongoing awareness
5. PHI should be covered in verbal, written, and electronic forms
6. Provide a communication process for questions after training
7. Keep a repository of up-to-date policies and procedures accessible to staff
8. Have a process for evaluating the training program's effectiveness, reliability, and validity
9. Verify completion of security awareness training before staff receive access to PHI
12. How will the training be deemed effective?
• Give periodic quizzes to follow up training
• Distribute a privacy and security awareness survey
• Send follow-up questionnaires to attendees 4 to 6 months after the training
• Monitor the number of compliance infractions
• Measure privacy and security knowledge as part of the yearly performance evaluation
• Place feedback and suggestion forms on the organization intranet
• Track the number and type of privacy and security incidents that occur before and after training
13. References
AHIMA. (2010). HIPAA privacy and security training (updated). Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048509.hcsp?dDocName=bok1_048509
Cascardo, D. (2013). What to do before the Office for Civil Rights comes knocking: Part 2. Podiatry Management, 32(8), 169-174.
Herold, R., & Beaver, K. (2015). The practical guide to HIPAA privacy and security compliance (2nd ed.). Boca Raton, FL: Taylor & Francis Group.
Polito, J. (2012). Ethical considerations in Internet use of electronic protected health information. Neurodiagnostic Journal, 52(1), 34-41.
Zamosky, L. (2014). Avoid the breach: Put data security measures in place. Physician Executive, 40(4), 82-84.
Editor's Notes
Patients have the right to obtain and control their medical records, including who gets to see them (Zamosky, 2014). Who is responsible for maintaining confidentiality? How will confidentiality be monitored? Who will be accountable for breaches, and to what degree? (Polito, 2012)
Moreover, the Security Rule sets physical safeguards (protecting computer and network systems from physical intrusion and hazards), technical security services (regulating the safety and security of data stored on a network), and technical security mechanisms (encryption of protected health information, PHI) (Polito, 2012).