How This Incident Could Have Been Prevented
Breaches like the one at Yakima are preventable when an organization implements an effective HIPAA compliance program. The security guards working for Yakima should never have had access to patient files in the first place. Under HIPAA's minimum necessary standard, access to PHI must be limited to those whose job duties require it. To enforce this, organizations must implement policies and procedures, train employees, and adopt access and audit controls.
HIPAA Policies and Procedures
HIPAA policies and procedures set out how an organization limits access to data, what systems it uses to secure that data, and how it reports breaches. They must be written for the specific organization so that they account for the nuances of its business; a generic template will not reflect which roles actually need which data.
Employee HIPAA Training
Lack of employee training is one of the leading causes of healthcare breaches. Employees who do not understand when and how they may access patient information can cause a breach, and employees without cybersecurity training are more likely to fall for phishing. All employees with the potential to access PHI must receive annual HIPAA training that covers the organization's policies and procedures, HIPAA basics, and cybersecurity best practices.
Access and Audit Controls
Access controls limit access to data by giving each user unique login credentials. Because every user has their own credentials, different levels of access to ePHI can be assigned to different job roles, and no one receives access beyond what their role requires. Audit controls record, against those same credentials, who accessed which ePHI and when. This lets an organization see who is accessing what, identify improper access quickly, and attribute it to a specific person rather than to a shared account.
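As an added illustration of how role-based access control and an audit trail work together (example code written for this page, not from Yakima or any real system; the roles, user IDs, record IDs and review rules are constructed), the block below assigns permissions per role, logs every request whether it was allowed or denied, and then reviews the log for two kinds of improper access: attempts a role is not entitled to make, such as a security guard requesting a patient record, and reads that the role permits but that fall outside the user's own caseload.

```python
"""Role-based access control with an audit trail and a simple log review.

Illustrative example only: the roles, user IDs, record IDs and review
rules below are constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical role-to-permission map: each role may perform only the
# (resource_type, action) pairs listed. "security_guard" is deliberately
# given no access to patient records at all.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "physician": {("patient_record", "read"), ("patient_record", "write")},
    "billing_clerk": {("billing_record", "read"), ("billing_record", "write")},
    "security_guard": {("visitor_log", "read"), ("visitor_log", "write")},
}


@dataclass(frozen=True)
class User:
    user_id: str          # unique login identity: every log entry is attributable to one person
    role: str
    assigned_patients: FrozenSet[str] = frozenset()   # caseload, if the role has one


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user_id: str
    role: str
    resource_type: str
    resource_id: str
    action: str
    allowed: bool


class AccessController:
    """Enforces ROLE_PERMISSIONS and records every request, allowed or not."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEntry] = []

    def request(self, user: User, resource_type: str, resource_id: str,
                action: str, timestamp: str) -> bool:
        allowed = (resource_type, action) in ROLE_PERMISSIONS.get(user.role, set())
        # Denied attempts are logged too: they are the clearest signal for a reviewer.
        self.audit_log.append(AuditEntry(timestamp, user.user_id, user.role,
                                         resource_type, resource_id, action, allowed))
        return allowed


def review_audit_log(audit_log: List[AuditEntry],
                     users: Dict[str, User]) -> List[Tuple[str, str, str]]:
    """Return (user_id, resource_id, reason) for entries a compliance reviewer should examine.

    Rule 1: any denied attempt.
    Rule 2: a role-permitted access to a patient record by a user whose
            caseload does not include that patient.
    """
    findings: List[Tuple[str, str, str]] = []
    for e in audit_log:
        if not e.allowed:
            findings.append((e.user_id, e.resource_id,
                             f"denied: role '{e.role}' may not {e.action} {e.resource_type}"))
        elif e.resource_type == "patient_record":
            caseload = users[e.user_id].assigned_patients
            if caseload and e.resource_id not in caseload:
                findings.append((e.user_id, e.resource_id,
                                 "allowed by role, but patient is not on this user's caseload"))
    return findings


def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed sequence of access requests; returns the reviewer's findings."""
    users = {
        "dr_lee": User("dr_lee", "physician", frozenset({"P-100", "P-101"})),
        "b_chen": User("b_chen", "billing_clerk"),
        "g_ortiz": User("g_ortiz", "security_guard"),
    }
    ac = AccessController()
    ac.request(users["dr_lee"], "patient_record", "P-100", "read", "2024-01-08T09:02:00")    # in caseload
    ac.request(users["b_chen"], "billing_record", "B-7731", "read", "2024-01-08T09:05:00")   # permitted
    ac.request(users["g_ortiz"], "visitor_log", "V-0108", "write", "2024-01-08T09:10:00")    # permitted
    ac.request(users["g_ortiz"], "patient_record", "P-100", "read", "2024-01-08T09:12:00")   # denied
    ac.request(users["dr_lee"], "patient_record", "P-250", "read", "2024-01-08T09:30:00")    # outside caseload
    return review_audit_log(ac.audit_log, users)


if __name__ == "__main__":
    for user_id, resource_id, reason in run_demo():
        print(f"{user_id} -> {resource_id}: {reason}")
```

The two findings the demo produces correspond to the two failures the text describes: a guard being told no by the access control, and an otherwise authorized clinician opening a record they have no treatment relationship with, which only the audit log can surface. In a real system the log would be written to append-only storage outside the application's own database so that the people being audited cannot alter it.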