Jeannine LeCompte, Publishing and Research Coordinator
All healthcare providers are legally obligated to develop a robust privacy plan to safeguard protected health information (PHI) as part of their compliance and ethics program. A privacy plan must be placed under the control of a designated privacy officer and a security manager. These two officials should have a committee to help them oversee the program. They should then develop policies and procedures to ensure PHI is kept secure.
The privacy officer is responsible for training employees on the topic of PHI privacy requirements and to make sure an appropriate reporting system is in place. This officer is also responsible for the reporting of data breaches and documenting all efforts to achieve compliance.
The security manager should focus on the physical methods whereby data is protected. This includes, but is not limited to, the accessibility and integrity of digital data through firewalls, access controls, and encrypting data when the information is transmitted or stored. The security policy should also include specific procedures to ensure that all PHI which is stored in physical format (documents which are not online) is suitably protected from unauthorized access.
The security manager is also responsible for the implementation of the PHI security system and its overall effectiveness. In addition, this officer is responsible for the upkeep and development of data security policies and procedures to ensure that they are adapted as new threats arise.
All individuals involved in the capture, use, or transmission of PHI must be aware of this privacy policy. This includes all employees, contracted individuals, volunteers, students, researchers, medical staff, members of the governing body/board of directors, consultants, business associates, or any representative thereof.
Once developed, the company privacy plan should be communicated to the personnel listed above. All individuals must be trained in the details of the company’s privacy and security policies. Upon completion of the training, written acknowledgement must be obtained from all these individuals confirming that they know and understand the policies and will act in compliance with them. These signed documents should be kept in everyone’s personnel record.