HIPAA, Facebook and Temporary Staff

When I conduct a training or draft policies for practices, I always include a prohibition against sharing patient information on social media sites. I usually get a few laughs or rolling eyes in response, as if to say "that's obvious!" Unfortunately for a patient in California, it wasn't obvious to a temporary staff person at Providence Holy Cross Medical Center in Mission Hills, who is said to have recently posted a medical record on Facebook. Allegedly, the patient's name and other complete identifiers were included in the post. According to reports, this agency employee rejected complaints of a HIPAA violation and thought the post was both funny and perfectly acceptable to post to her page.
Along those same lines, I recently received a note from a client asking what to do in terms of privacy and security when a student or temporary staff comes on board. My response? Training first and foremost. Clearly, the agency employee in the Facebook incident had not received appropriate education or preparation in this area.
A "temp" is considered part of your workforce. A new workforce member should not access protected health information (PHI) in any format without first reviewing appropriate privacy and security policies, and signing off on a confidentiality/sanction agreement. Ideally, the new staff member already should have been trained about privacy and security concepts, either by his or her school or staffing agency. You need to screen the individual and confirm background education in this area. Then you need to ensure that the new workforce member is trained in your practices, and the "do's-and-don'ts" of accessing, creating, using and disclosing your PHI.
Remember: Only allow access to electronic records, especially those hosted on a cloud system, during those hours that the temporary workforce member is actually working for your organization. Failing to terminate access for all those days and weeks in between work days in your office creates a huge risk for you.
Proactively attending to these preliminary steps up front, as a matter of office practice, could spare your entity from dealing with breach issues, investigations, and legal or regulatory sanctions later on.
This is my very first time here, really good looking blog. I found a lot of fascinating things in your blog. From all the remarks on your posts, it looks like this is an extremely popular website. Keep up the good work.
Ross Finesmith MD