In my last column I talked about medical facilities doing very well with regard to the HIPAA requirements to protect patients' sensitive and personal information. The thrust of the article, however, was to emphasize the value and importance of staff awareness training on identity loss and theft. Below is a short piece that reinforces that point. Although Kaiser is a pioneer in using electronic medical records, and has sophisticated systems to govern how patients' information is used and protected, this relatively unsophisticated crime occurred right under their noses.
Unknown to Kaiser, someone stole the personal information of Kaiser employees! HIPAA doesn't address personnel files, only those of patients. Owing to a compliance mentality, the hospital group sought compliance with the law as a risk management tool but did not train the HR or payroll staff on how to protect the employees' files. The protection of personally identifiable information must be a holistic effort that covers both clients and employees, or it is only half a program. It must include awareness training or it will not be effective.
"Kaiser Permanente is notifying nearly 30,000 Northern California employees that a security breach may have led to the release of their personal information. Some employees have reported identity thefts resulting from the breach, Kaiser reported. A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The suspect was not a Kaiser employee. The file contained the type of information typically held by a human resources department, according to a written statement issued by Gay Westfall, senior vice president of human resources for Kaiser."