Why Ebola Makes HIPAA Training Urgent
Attorney Offers Privacy Compliance Insights
Offering HIPAA compliance refresher training to hospital staff members is urgent, says privacy attorney Brad Rostolsky, because of the risks that could come with treating patients infected with Ebola.
"The Ebola situation right now is very representative of any sort of very public situation that could result in [record] snooping," Rostolsky, a partner at law firm Reed Smith, says in an interview with Information Security Media Group. "Now is absolutely the right time to ensure that your workforce understands what the rules of the road are" regarding appropriate access to records, he adds.
Reminding workers of the importance of privacy policies in the effort to prevent record snooping in these high-profile cases is key in avoiding potential breaches, Rostolsky says.
In late September, Nebraska Medical Center fired two workers for inappropriately accessing the medical records of Ebola patient Rick Sacra, M.D., who contracted the illness while providing care to Ebola patients in West Africa (see Ebola: Preventing Record Snooping).
Healthcare organizations "should take the time right now to ensure that their policies say what they want them to say, and that the folks ... in the workforce appreciate what those policies say and understand their obligations," he says.
In addition to offering HIPAA compliance refresher courses, healthcare organizations preparing to treat Ebola patients can have system audit logs ready for more intensive review, so they can detect and respond to inappropriate access to patient records, Rostolsky suggests.
The exercise of re-examining HIPAA compliance as it relates to possible Ebola cases has other potential benefits as well, Rostolsky says.
"Anything you're doing in beefing up, or reinforcing, or buttressing your compliance efforts with respect to the Ebola situation can only better serve you in light of an audit," he says.
The Department of Health and Human Services' Office for Civil Rights is expected to launch the next phase of HIPAA compliance audits at the end of this year, or early in 2015 (see HIPAA Compliance: What's Next?).
In the interview, Rostolsky discusses:
- How to keep privacy and security from falling by the wayside in the chaotic situation of dealing with a potential or confirmed Ebola case;
- How safeguarding the privacy of Ebola patients is similar to dealing with the treatment of a celebrity;
- Advice for dealing with Ebola-related phishing scams.
Rostolsky is a partner in the life sciences health industry group at Reed Smith's Philadelphia office. With a focus on healthcare regulatory and transactional law, he leads that group's HIPAA and health privacy and security practice. He's also a member of the firm's new global Ebola task force. Rostolsky has extensive experience advising clients on all aspects of health information privacy and security compliance.