" An employee’s actions compromised the protected health information of 1,801 people at the Penn State Milton S. Hershey Medical Center. A clinical laboratory technician working with the protected data had entered data into a test log from his home using systems and devices outside the secured Penn State Hershey system. Compromised data included patient names, medical record numbers, name of lab test, visit dates and test results, according to the center."
Unintentional employee actions cause numerous data breaches every year. Most of us take our work home. We take data home on a laptop or a USB memory stick, store and share files using online file sharing services, and/or access work computer systems remotely. Each of these actions is a potential data breach scenario if proper data security controls are not in place. These controls include security technology, such as encryption, as well as policies and procedures for appropriate and secure technology usage.
In my conversations with healthcare organizations, I have realized that most of them are aware of the HIPAA Privacy Rule, but not many are aware of the HIPAA Security Rule, which requires a healthcare organization and its business associates to protect its electronic protected health information (ePHI). Employees in these organizations are not aware of their compliance responsibilities and can unknowingly become the weakest link in the security chain. Regular employee training on HIPAA Security Rule compliance is the only way a healthcare organization can educate its employees on secure technology usage and lower the risk of a data breach.
The HIPAA data security compliance training should cover the following:
- What is the HIPAA Privacy and Security Rule?
- What is electronic protected health information (ePHI)?
- Who is a covered entity and a business associate?
- Why is protecting patient data so important?
- What are the consequences of Medical Identity Theft?
- What are the organizational policies and procedures that all employees need to adhere to in order to comply with the HIPAA Security Rule?
- What is the organization’s sanction policy for non-compliance with its security policies?
- What is acceptable and unacceptable employee behavior when working with the organization’s computer systems?
- What are the common data breach scenarios that employees should be cognizant of?
- What should employees do if they come across a potential data breach scenario in their workflow?
Creating a culture of data security in an organization does take time and commitment from senior management. However, the disastrous consequences of a data breach far outweigh the cost of regular data security training.