Employees Are Your Biggest HIPAA Vulnerability
May 10, 2016
While 2015 was accurately dubbed “The Year of the Healthcare Hack”, according to Experian’s 2016 Data Breach Report, 2016’s largest threat hits much closer to home – it’s your own employees.
The Experian report states, “While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by employee negligence will also continue to compromise millions of records each year.” Experian predicts that these employee driven breaches will actually cause more damage.1
These smaller incidents collectively put you at a risk for an OCR audit, which in addition to being a distraction from your business can also lead to fines and penalties. Even if there are no fines or penalties, a minor breach can add up in legal fees, customer notices and above all the cost of customer retention communication.
In most cases these are not malicious employee breaches. The majority will be caused by lack of understanding and complacency. The first is very easy to address, you train and test your employees on your HIPAA Policies and Procedures, as required by HIPAA, so they understand the role they play in protecting health information they touch..
Complacency can be a little more difficult to remedy. Once you have trained your employees on your Policies and Procedures, they go back to their daily routine. Initially, they are more aware of HIPAA and protecting important data, but after a short while they let down their guard. After all, they know their job; they know your customers and a breach has never happened before so they begin to feel immune to the potential dangers. Fortunately, there are two steps you can take to keep your employees sharp:
- Educate them about the Value of Healthcare Data – It can be difficult for employees to understand why anyone would go to great lengths to get this health information. Helping them see what that data is worth in the wrong hands will give them more of an appreciation for the Policies and Procedures you’ve put in place to protect it.
- Remind them regularly – To maintain your HIPAA compliance, all of your employees should be trained annually, but it is unrealistic to expect them to keep that information at the top of their minds long term. Brief monthly trainings or reminders that touch on just one piece of your Policies and Procedures can be enough to make HIPAA a priority all year long.
Employee breaches may be the biggest threat to healthcare data this year, but it doesn’t have to affect you. The Experian Report points out that, “Organizations that implement regular security training with employees and a culture of security committed to safeguarding data will be better positioned for success.”1