Whether you are the Privacy Officer, the Security Officer, or both, the question remains the same. When was the last time you scheduled a "walk through" of your work space for the sole purpose of looking into the "eyeballs" of your personnel and finding out what they are really doing (or not doing) to protect the privacy and security of your patients’ health information?
No, this is not the annual HIPAA security risk assessment. No, this is not a surprise, mock survey in preparation for some third-party visit. Instead, you are simply showing up and letting your personnel know, first hand, that you really are interested in what they are actually doing to safeguard your patients' protected health information or "PHI." Nothing more.
In this article by legal firm Kreig DeVault, it is advised that practices uphold an annual HIPAA assessment calendar that sets out a series of compliance "questions" that will be reviewed -- one for each of the 12 months -- as part of an ongoing assessment process. The calendar can always be updated (or supplemented) as new questions or issues arise through the year.
For example, if this is January, then you may be in the HR department with the education coordinator reviewing a sample of personnel files to confirm that documentation exists to confirm completion of all new hire and annual HIPAA training. In March, you may join a supervisor and walk through their department work space at the end of the business day to look for any printed copies of PHI that may have been left on a counter or on a fax machine or in a "shred" bucket under their desk, all for easy "view" by the after-hours cleaning staff, or otherwise.
In June, you may seat yourself in a public waiting area with one of the admissions staff and listen for any "incidental" disclosures that could be overheard by other patients. During September, you may request a current copy of your organization's "workstation" inventory and confirm whether its up-to-date by conducting an assessment of all computing devices, including desktops, laptops, tablets and smartphones.
Of course, HIPAA assessment worksheets can be used to score and report your observations to create a paper trail and to keep your leadership apprised, but it is the "eyeball" connection with your workforce that is truly the bottom line here. Make sure your staff knows that HIPAA privacy is a priority at all times, and not just for a once a year checkup. To read this article in its entirety, click here. To learn more about HIPAA compliance, visit HIPAAcraticRx.