Officials haven’t explained yet how the medical records for up to 1800 people wound up in a dumpster in Houston. Somehow they were thrown out from an office of the Texas Health and Human Services Commission. Records apparently contained patient names, conditions, even bank account information. Here’s a full rundown on the story from Houston’s KPRC-TV.
While this is an extreme case, many companies have their own problems managing the medical records of their employees. Privacy and record security fall under the Health Insurance Portability and Accountability Act (HIPAA), and fines for HIPAA violations range from $100 to $50,000 per violation (or per record) with a cap of $1.5 million. Even though the law has real teeth, company handling of medical information can be pretty sloppy.
Roughly 70% of companies say they have experienced HIPAA security breaches, according to one survey. Here are a few of the top problems companies experience:
- Employee Snooping – Someone is curious about a co-worker and the records are not secure, so he or she peeks.
- Loss of records or of equipment holding electronic records – Companies have been slow to adopt security protocols to protect the actual records or the electronic memory that holds records.
- Gossip – Yes, conversations are frequently overheard or information is shared outside the authorized channels.
- Texting test results – Sometimes the quickest way to send information is not the best way.
- Training – Few companies take the time to fully train the employees who are responsible for controlling HIPAA-sensitive information.
What I tend to find with companies is that the sheer logistics of managing employee records is hard for them to overcome. For example, let’s say company A has a number of regional offices and crews that travel to remote locations for maintenance jobs. The company has random substance abuse testing done on or near the job site. It soon becomes very difficult to keep up with the information flow and, when communications break down, exposure to HIPAA violations increases. Then it is a short step to a records management system that consists of cardboard boxes in offices scattered around the country.
How One Leader In Occupational Medicine Handles Records
CORE Occupational Medicine caters to companies that may work in multiple areas or need to manage occupational medicine testing and injury care for a number of employees. One way that it delivers its services is through an online database, CORE Connect. For clients, it can move records management from cardboard boxes to a digital cloud-based system. The approach allows companies to:
- Access information on any covered employee from any location.
- Comply with both HIPAA and OSHA’s requirement for certain information to be kept for 30 years.
- Provide role-based security access to limit information to company managers who are authorized to see it.
- Have automatic reminders of key dates, like OSHA compliance testing.
- Find clinics, schedule tests and receive online clearances for employees.
Would this approach help your company? Contact me at firstname.lastname@example.org.