The Inadequacy of HIPAA Policies and Procedures

December 18, 2014

The importance of HIPAA policies and procedures should not be overlooked. Doing so can be costly.

I am often amazed at the questions I receive and the scenarios that are presented either when I speak or advise on HIPAA. One item that never ceases to amaze me is the confusion over what content is required in HIPAA policies and procedures. I kid you not; some entities contend that having a binder with the Code of Federal Regulations (CFR) section is enough. Let's think about that - how is that a policy, what are the procedures for implementing it, and what are the sanctions in the event the policy is not followed? The answers to these questions are what auditors, government officials, and lawyers look for when bringing a case or assessing fines.

Case in point: "Employee Sacked After Snooping Patient EMR Records," a true story. Ohio-based University Hospitals notified approximately 700 patients after a single employee "snooped" and accessed protected health information. This scenario raises multiple issues:

• The employee accessed the records for nearly three years without the hospital's knowledge;

• It was not until a complaint was received that the hospital audited its EHR system;

• The information accessed included names, diagnoses, health insurance information, and other sensitive information; and

• There were inadequate policies, procedures, and training on HIPAA.

What are the best ways to thwart this type of behavior? First, compile and implement substantive policies and procedures. Second, audit the EHR system regularly and have alerts set up that notify the IT department when records are inappropriately accessed. Third, have sanctions in place for HIPAA offenses. Fourth, provide annual staff training. And, finally, recognize the importance of identifying both internal and external threats to the organization's data security.
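The second recommendation, regular EHR audit-log review with alerts on inappropriate access, is the control that would have surfaced the snooping above long before a patient complaint. The following is an added example, not code from the original post or from any hospital system; it assumes a simple constructed audit-log format (timestamp, user, patient id, action) and a hypothetical care-team roster listing which patients each user is assigned to, and flags accesses outside that roster.

```python
"""Flag EHR audit-log entries that look like record snooping.
Assumes a constructed CSV-style log: timestamp,user,patient_id,action
and a hypothetical care-team roster mapping users to assigned patients."""
from collections import defaultdict

# Constructed sample audit log (not real data).
AUDIT_LOG = """\
2014-11-03T08:12:00,nurse_a,P1001,view
2014-11-03T08:15:00,nurse_a,P1002,view
2014-11-03T09:02:00,clerk_b,P2001,view
2014-11-03T09:04:00,clerk_b,P2002,view
2014-11-03T09:05:00,clerk_b,P2003,view
2014-11-03T09:06:00,clerk_b,P1001,view
2014-11-03T11:30:00,nurse_a,P1003,view
"""

# Hypothetical roster: the patients each user has a care relationship with.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P2001"},
}

def parse_log(text):
    """Parse the audit log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        events.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return events

def find_suspicious_access(events, care_team, max_unassigned=2):
    """Return (events outside the user's assigned patients, users whose
    distinct unassigned-patient count reaches max_unassigned).
    The threshold is a site-specific tuning knob, not a fixed rule."""
    unassigned_events = []
    unassigned_patients = defaultdict(set)
    for ev in events:
        if ev["patient"] not in care_team.get(ev["user"], set()):
            unassigned_events.append(ev)
            unassigned_patients[ev["user"]].add(ev["patient"])
    flagged = sorted(u for u, p in unassigned_patients.items() if len(p) >= max_unassigned)
    return unassigned_events, flagged

if __name__ == "__main__":
    outside, users = find_suspicious_access(parse_log(AUDIT_LOG), CARE_TEAM)
    print(f"{len(outside)} accesses outside care team; review users: {users}")
```

In a real deployment the roster would come from scheduling or encounter data and the flagged list would feed an alert to the privacy or IT team rather than a print statement.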