With the publication of the final enforcement rule, many observers are saying that the era of lax enforcement is at an end. Among those who think so are the folks at Law.com, and Jennifer Wilcox has written a fine and scary piece called "HIPAA Gets 'Teeth'". Among her suggestions for avoiding trouble in the future are these quite excellent queries:
Training: Are new benefits employees trained on the requirements of HIPAA Privacy and Security? Do you keep records documenting the training programs run for such employees, such as having employees sign statements certifying they attended the training?
Use of PHI for Employment Purposes: Do you have an appropriate "firewall" between your health plan and other human resources functions? Particularly for companies with relatively small human resources/benefits staff, do your employees know about the prohibition on using information obtained or created by the health plan for other employment-related purposes?
E-mails: Are you careful about disclosing PHI in e-mails that travel over open networks, unencrypted? Do employees use common-sense precautions to limit the amount of PHI used in e-mails?
Information Security: Has your HIPAA security risk assessment been updated to incorporate any new software, applications, or information technology systems purchased by your company? Does your Security Officer keep up to date on developments in information technology, and monitor warnings and reports regarding external PHI security threats such as viruses and worms?
There are several other questions in the full article that you should be asking yourself. It really does make sense to be ready for full enforcement, because it was inevitable that the day would come. It is so much better to be prepared and compliant than to go through a scrambling, panicked remediation under the threat of federal attention. You are most of the way there now, and there is no reason for terror. Just spend a little effort and make sure that it is someone else held up as a cautionary tale on the six o'clock news.