They say “an ounce of prevention is worth a pound of cure.” As a healthcare provider, you know this to be true so you educate your patients about the importance of preventative healthcare. The idiom applies to protecting your patients’ health information as well. Are you as proactive about protecting your patients’ health record as you are their health?
Just as with serious illness, people everywhere believe data breaches will never happen to them. Perhaps they think the organization they work for is too small to attract the attention of data thieves. Perhaps they consider themselves to be tech savvy and thus immune to phishing schemes. Over-confidence leads to complacency putting not only your patients’ data but your practice at risk. If you fail to protect patient information, you are not only subject to fines for the violation but you risk the loss of your clientele as well. Patients expect you protect them. If you fail to do so, they will leave.
Do you know that the biggest threat to the protection of your patients’ confidential information is the very employees that you hire to care for those patients? Your staff is the single weakest link in your computer system. It does not matter how large or small your practice is, how intelligent your staff members are or how sophisticated your network architecture is, your biggest liability is your employees. This is true in all businesses.
Training your staff to be security-minded requires more than putting your policies and procedures down on paper or sharing your policies with your employees at the time of new hire orientation. Security must be a regular part of your daily activities. It must be a core value of your practice that is ingrained in your culture.
How do you create a culture that emphasizes the importance of data security for your patient information?
- Document Your Policies and Train Your Employees.
HIPAA Privacy and Security Rules require you to maintain written policies and procedures regarding how your practice operates daily with respect to protecting patient privacy. You are also required to train your staff on these written policies including what they are to do in the event of a breach. How thorough are your policies? Are you confident your staff knows what to do in the event of a breach?
- Practice.
One way to know your staff is well-trained is to regularly test their abilities to apply privacy policy. Make it fun with Cybersecure, a free online game created by the Regional Extension Center Program’s Privacy and Security Community of Practice. This online game tests your staff members’ knowledge by requiring them to respond to privacy and security challenges often faced in a typical medical practice. Users choosing the right response earn points and see their virtual medical practices flourish. Users making the wrong security decisions can hurt their virtual practices resulting in illustrated consequences.
- Make it Real. Regularly Seek Opportunities to Bring Security into the Forefront of Daily Activities.
Share news related to heath data breaches with your staff as learning opportunities. Use Google Alerts to have timely news stories related to HIPAA data breaches delivered right to your email. Catch your staff members doing good. Compliment them on actions you see them take to protect clients and make an example out of those good deeds.
- Apply and Enforce Your Policies.
If you observe an action that violates one of your policies, take action immediately. This is a make or break area. Do not be guilty of making policy for the sake of making policy. Commit to enforce what you have documented and demonstrate that commitment. If you do not take security seriously, neither will your employees.
Technology becomes more sophisticated every day, as do the criminals who seek to take advantage of it for their own personal gain. The threat to your practice will intensify as your dependency on technology increases. Follow these steps to put your practice on the path towards protecting your patients’ privacy just as fiercely as you protect their health.