Protected Health Information Breaches: Employee Duties
Jeannine LeCompte, Compliance Research Specialist
Employees of healthcare facilities are not only on the frontline of operational services, but are also directly responsible for ensuring that the facility for which they work remains compliant with all the demands of the Privacy Rules as established by law. Employees have to be made aware of their responsibilities, and the following items should be standard in employee handbooks and training sessions:
– Staff must not discuss or disclose any Protected Health Information (PHI) that is learned while performing their work. This means not telling anyone who does not have a “need to know,” and this includes co-workers, friends, and family.
– Staff must keep all documentation which contains facility and patient/resident names and identifying information covered or out of sight of casual observers.
– Staff must not discuss patients or residents in corridors or other public areas where passersby can overhear. All discussions of patient conditions must be held in private, in a place where they cannot be overheard.
– All documents containing PHI must be destroyed when discarded. Too many breaches have resulted from important paperwork simply being discarded in the trash.
– Any inquiries made for PHI must be referred to a senior staff member who is in a position to verify that the release of such data is authorized.
Staff must also be aware of the basic requirements for protecting electronic medical records. Training should emphasize the use of strong passwords which are easily remembered and never written down, and the absolute rule that they are never to be shared with anybody, even fellow staff members.
Staff should also be made aware of the danger of ransomware—malicious software which locks down a system until a cryptocurrency ransom is paid. As the healthcare sector is one of the prime targets for such malicious hackers, all staff must be trained to avoid opening the emails, links, etc., that are typical of ransomware infections.
Staff must be made aware that when there is a PHI breach which results from a phishing email or other computer virus attack, the facility becomes liable for penalties.
Finally, all staff must be able to report PHI violations to management without fear of retaliation or reprisals. This should be written into all operating and staff manuals as a matter of course.