Health Information Management

HIPAA compliance requires human resource support

HIM Connection, April 1, 2003


Dear Colleagues:

The human aspect of protecting privacy and security is often the most difficult to control. We forget our passwords, we fail to shred confidential information, or we are unaware of our surroundings and potential eavesdroppers.

HIPAA adds to that the formal procedures for providing clearance checks for special classes of systems users; ensuring that access privileges are appropriately authorized, established, and modified when there is a job change; ensuring that access is removed when a member of the workforce leaves the organization; and ensuring that sanctions are applied consistently.

HIPAA's security rule is not very specific on the requirements for clearance checks. However, many organizations have increased the level of clearance checks they perform on all members of their workforce. Pay special attention to those who work in the information systems department or those who have system administration duties in other departments.

More clearly identifying the process for authorizing and terminating access should be a priority. Authorizing access privileges "just like Jane's" for a new employee is no longer an acceptable method in many environments. Jane may have had unique access that John does not need. It is better to specifically identify what functions John will perform and what access he needs.

Notification of termination should be clearly one person's role so that stripping access does not fall through the cracks. Determine whether it is the human resources (HR) department or the terminating manager's responsibility.

Finally, coming to grips with a sanction policy for privacy and security violations is important. This affects HR policy as well as the medical staff bylaws, rules, and regulations. Some organizations have set a zero-tolerance policy; others one of escalating sanctions for severity of violations. Whatever is chosen should be consistently applied.

Members of the workforce should also be reminded that violations may have to be reported to law enforcement, licensing agencies, or certifying associations and that civil and criminal penalties can be imposed. It may even be appropriate to remind employees that HIPAA is not the only legislation that affects use of computer systems and the Internet; copyright and other laws apply as well.

This week's HIM Connection was adapted from the book "HIPAA Made Simple: A Guide to Fast-Tracking Compliance, Second Edition" by Margret Amatayakul, MBA, RHIA, FHIMSS. The goal of this book is to provide you with a practical guide to implementing the administrative simplifications regulations under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It's geared toward helping to ease your workload in these demanding days of preparing for HIPAA compliance on top of all of your other responsibilities.

For more information, or to order your copy, click here.

Sincerely,

Laura Motta
Editorial Assistant
lmotta@hcpro.com


