When the Quality Improvement Organizations (QIO) took over the role of education and enforcement for the 2-midnight rule on October 1, 2015, many anticipated that their reviews would only look at records from that date forward. But in an unpleasant turn of events, some hospitals have reported QIO records requests zeroing in on cases as far back as May 2015.
Prevention is better than a cure. In the world of HIPAA privacy and security, training and awareness are among the most important aspects of prevention. The best-laid policies and procedures won't keep your patients' PHI safe if no one knows how or why to follow them. But effective and engaging training methods can be elusive. Employees and administrators might begin to treat their annual training as routine, going through the motions to get their certificate, and then falling victim to a phishing attack that could have been avoided. New hires may be overwhelmed by the scope of HIPAA (it's a huge law) or struggle to connect it to their job duties. Developing education and awareness strategies that capture employees' attention and build privacy and security into the culture of their workplace can be a tall order.
Security officers may sometimes feel that they're asked to do too much with too little. Limitations surrounding staffing, budgets, or resources, or an administration that simply doesn't understand the importance of information security, can make a difficult task even more complicated. In some organizations, information security is a relatively new department and might lack the connections and relationships that more well-established departments rely on for support. Security needs allies. Fortunately, there's one they may already work closely with who is ideally suited: internal auditors.