Study Confirms Importance of Screening Workforce Members for Access and Training, Training, and Training: HIPAA & HITECH Act Blog by Jonathan P. Tomes

A recent report was released by the Association of Corporate Counsel (“ACC”), where my Vice President, Alice McCart, used to work as an editor when it was known as the American Corporate Counsel Association (“ACCA”), and which published two of my HIPAA articles: “Risk Analysis: Your Key to Compliance,” ACCA Docket, Vol. 21, No. 10 (November/December 2003), p. 38 (with Bao Tran), and “What Employers Need to Do Now to Comply with HIPAA’s Privacy Rule,” ACCA Docket, Vol. 20, No. 3 (2002), p. 86 (with Susan Tahernia and Julienne W. Bramesco). The ACC report, the ACC Foundation: The State of Cybersecurity Report, was not limited to the health care industry; its statistics apply to all business organizations. More than one third of in-house counsel reported that their organizations had experienced a data breach. The report also found that breaches were most likely to be the result of internal factors—that is, employee error or an inside job.

More specific to health care, the report found that in-house counsel in the health care/social assistance industry were almost twice as likely (56 percent versus 31 percent) to report that their organizations had experienced a data breach. The report’s finding that most breaches were due to employee error or an inside job is confirmed by the number of civil money penalties imposed for lack of policies and insufficient training.

Although the Workforce Clearance Policy in the HIPAA Security Rule is addressable rather than required, if you have addressed it and found it not to be reasonable and appropriate, and hence unnecessary, you may want to rethink that finding in light of this report. Even if you already screen workforce members before hiring them, you may want to consider periodic credit checks and social media checks to determine, say, whether an employee is in severe financial difficulty and, hence, may be at risk of committing identity theft. Those of you who have either of my CDs with the policies on them may want to consider my Workforce Clearance Procedure, my Social Media Policy, my various access policies, my Training Policy, and my Termination Procedure. And remember that merely having a training policy is insufficient. You have to use it and document the training. Remember that, for HIPAA, if it’s not written, it’s not. And you can’t just train them the first time and forget it. Periodic refresher training is required. Keep records of that training, too.

Even if your training is aggressive and you keep good records of it, stay on the lookout for signs that a workforce member has a problem that may turn him or her into a risk. If it is within your competence, you may want to guide that person to help. The other option is to put more limits on that person’s access or to audit it more closely.

For more information on the ACC Foundation: The State of Cybersecurity Report, including details on how to purchase a copy or order a customized benchmarking report, contact ACC at


