Safeguarding patients’ electronic health information is an employment matter
Q: In preparation for an employee or other members of a health care company’s workforce quitting, what preventive steps can be taken to ensure that patients’ health information is protected?
A: Two particular measures are critical to health care providers, in their role as employers, to protect private patient information. Those are preparation and training. First, advance preparation is essential. Administrative, technical and physical safeguards are mandated by HIPAA (the Health Insurance Portability and Accountability Act) and its amendments, and just as we recommend with regard to all types of health care compliance and regulations, a compliance plan should be in place to provide security for electronically maintained protected health information. The person responsible for a health care practice’s or company’s IT should perform periodic risk assessments, and sufficient access termination procedures should also be in place. Second, an important part of prevention is proper training. Just as we recommend preparation to respond to identity theft, employers must identify the individuals responsible for safeguarding electronically maintained protected health information and responding to a breach, and provide them with appropriate training. Since health care is such a labor-intensive industry, a high rate of personnel turnover requires proportionate re-training and monitoring of employees regarding compliance with privacy and other regulatory requirements.
Q: You mentioned termination procedures — what procedures provide effective deterrents to unauthorized use or access to electronically maintained protected health information in such situations?
A: As a part of an overall separation procedure, there are some critical checkpoints along the way. Health care providers/employers are advised to standardize the process and create a checklist of steps to be taken when an individual leaves. Document that these steps have been taken, including the return of any company equipment. Next, if the company or practice is large enough to have departments, it is important to quickly alert the department or staff members responsible for changing access to electronically maintained protected health information, deactivating or deleting user accounts and monitoring access. Also, after these and other important steps are carried out, I recommend a post-termination audit to verify that all necessary steps to cut off access to electronically maintained protected health information have been taken.
Q: What steps must be taken to terminate access to electronically maintained protected health information?
A: Such steps, in addition to terminating user accounts and reclaiming computers, laptops, iPads and cellphones, should include terminating access to the physical space, which may require changing locks, access codes, and authorized individuals lists. Obviously, keys, fobs, ID badges, card keys and other items by which the former employee gained access to the physical space must be reclaimed or reprogrammed so that access by the former employee or other former member of your company’s workforce to secure areas with electronically maintained protected health information is no longer possible. For all former employees, and particularly for those with remote access, deactivation of any remote accounts and accessibility should reach all levels of access so that portals, web access and email services are no longer accessible.
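A post-termination audit of the kind recommended above, as an added example that is not part of this column or its interviewee's procedures: it compares an export of account and badge states, plus a few access-log lines, against the termination roster and reports anything still open. All data, field names and the log layout are constructed for the illustration.

```python
from datetime import datetime

# Constructed sample data for the audit (not from the article).
# Date on which each former workforce member's access should have ended.
TERMINATIONS = {"jdoe": "2024-03-01", "asmith": "2024-03-05"}

# Current state of user accounts and physical credentials, as exported from
# the identity system and badge system during the post-termination audit.
ACCESS_GRANTS = [
    {"user": "jdoe", "resource": "ehr_portal", "kind": "account", "active": False},
    {"user": "jdoe", "resource": "vpn", "kind": "account", "active": True},  # missed
    {"user": "jdoe", "resource": "records_room", "kind": "badge", "active": True},  # not reclaimed
    {"user": "asmith", "resource": "ehr_portal", "kind": "account", "active": False},
    {"user": "asmith", "resource": "email", "kind": "account", "active": False},
    {"user": "bwong", "resource": "ehr_portal", "kind": "account", "active": True},  # current staff
]

# Constructed access-log lines: "<ISO timestamp> <user> <resource> <result>".
ACCESS_LOG = [
    "2024-02-28T09:12:00 jdoe ehr_portal LOGIN_OK",
    "2024-03-02T22:41:00 jdoe vpn LOGIN_OK",
    "2024-03-06T08:00:00 asmith email LOGIN_FAIL",
    "2024-03-06T08:30:00 bwong ehr_portal LOGIN_OK",
]


def parse_log_line(line):
    """Split one constructed log line into its fields."""
    ts, user, resource, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "resource": resource, "result": result}


def post_termination_audit(terminations, grants, access_log):
    """Return findings: grants still active for departed users, and any access
    attempt (successful or failed) by a departed user on or after the
    termination date. An empty list means the checklist was fully carried out."""
    cutoff = {u: datetime.fromisoformat(d) for u, d in terminations.items()}
    findings = []
    for g in grants:  # accounts, badges, fobs: anything still enabled is a gap
        if g["user"] in cutoff and g["active"]:
            findings.append(("STILL_ACTIVE", g["user"], g["resource"], g["kind"]))
    for line in access_log:  # failed attempts are reported too: they show the
        e = parse_log_line(line)  # credential is still being presented somewhere
        if e["user"] in cutoff and e["ts"] >= cutoff[e["user"]]:
            findings.append(("POST_TERMINATION_ACCESS", e["user"],
                             e["resource"], e["result"]))
    return findings


FINDINGS = post_termination_audit(TERMINATIONS, ACCESS_GRANTS, ACCESS_LOG)
```

Each finding names the departed user and the resource, so the department that owns that system can be alerted and the closure documented alongside the rest of the separation checklist.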
PAULA BURKES, BUSINESS WRITER