Jeannine LeCompte, Publishing and Research Coordinator
All healthcare providers are legally obligated to comply with applicable laws and regulations regarding security risk management as part of their compliance and ethics program. Managing the risks inherent in handling confidential Protected Health Information (PHI) requires a system which protects that data against all reasonably anticipated threats or means whereby it can be leaked, lost, or otherwise misused.
The organization’s data security officer is the person responsible for the development of the risk management oversight process. This person must develop, implement, and maintain procedures which:
- enforce a formal mechanism for processing records;
- establish access controls;
- deal with security awareness training;
- control all workstation use;
- deal with personnel and resident identification verification and, where applicable, background checks;
- draw up confidentiality agreements;
- ensure partner and vendor adherence to the privacy policy; and
- map out all disaster recovery and contingency planning.
In practical terms, this means that the data security officer is responsible for all physical access controls to PHI storage, and also ensures that vulnerability assessments are current and up-to-date.
In the event of a PHI data breach, authorities will inspect to see if the skilled nursing facility (SNF) follows the regulations contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Ensuring compliance with these regulations should be part of every healthcare provider’s compliance and ethics program.
It is also important to keep up-to-date and review all security policies. These should be conducted on an annual basis at the very least. Reviews should consider any changes in privacy or security regulations from federal, state, or local authorities. The impact of any changes to the facility’s IT environment or business processes should also be considered and addressed.
Finally, it is the responsibility of the SNF’s privacy officer to apply sanctions against workforce members who fail to comply with the company’s security and PHI privacy policies.