A lack of training seems to be one of the causes of many healthcare information breaches involving business associates. In the TRICARE incident, unencrypted computer backup tapes containing information on 4.9 million beneficiaries were stolen from the car of an employee of a contractor, Science Applications International Corp. Perhaps a refresher course on HIPAA compliance could have helped avert the mistake.
So when's the last time you asked your business associates for proof that they've trained their staff members on how to protect patient information? And do you know the details of their training programs, including how frequently refresher courses are offered?
So when's the last time you asked your business associates for proof that they've trained their staff members on how to protect patient information?
The Department of Defense and two other agencies want to ensure that their contractors' employees are getting training on such issues as:
- The handling and safeguarding of personally identifiable information;
- Restrictions on the use of personally owned equipment to process, access or store personally identifiable information;
- The prohibition against access by unauthorized users;
- Breach notification procedures.
When it comes to the "handling" of personally identifiable information, training is desperately needed on how to safely transport backup tapes and other computer media to a secure storage location. After all, the TRICARE incident is one of several examples of tapes or hard drives being removed from a vehicle. In another major breach, New York City Health and Hospitals Corp. reported computer backup tapes with information on 1.7 million patients were stolen from a business associate's unlocked truck.
Of course, transporting backup tapes would be less worrisome if the tapes were routinely encrypted.