Security and Confidentiality Committees. Organizations should establish standing committees charged with developing and revising policies and procedures for protecting patient privacy and for ensuring the security of information systems. Small organizations that lack the resources or personnel for a formal committee should, at a minimum, designate a person or a small group of people to develop policy.
Information Security Officers. Organizations should identify a single employee to serve as a security officer who is authorized to implement and monitor compliance with security policies and practices and to maintain contact with national organizations that promulgate and enforce guidelines and standards regarding system security. The security officer should have tools available for implementing access and retrieval control mechanisms, as well as the firewall functions that control access and transmittal to remote locations. The information security officer need not be a full-time position in a small organization, but sufficient time should be invested to ensure adequate protection.
Education and Training Programs. Organizations should establish education and training programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies. All computer users should complete such training before being granted access to any information systems.
Sanctions. Organizations should develop a clear set of sanctions for violations of confidentiality and security policies. Such sanctions should be applied uniformly and consistently to all violators, regardless of job title. Organizations should exercise zero tolerance in enforcing sanctions, ensuring that no violation goes unpunished. Sanctions should be established in relation to the seriousness of the violation. Organizations should terminate employees who willfully violate policy and should report such violations to appropriate licensing boards, where applicable. Negligent, rather than willful, violations of policy should be given lesser sanctions. Organizations should ensure that processes are in place for adjudicating all alleged violations of policy.
Improved Authorization Forms. Health care organizations should develop authorization forms designed to improve patients' understanding of health data flows and to limit the time period for which patients authorize the release of health information. These forms should be separate from other consent forms (e.g., those requesting consent to provide care), should inform patients of the existence of an electronic medical record,