Protecting Health Information Requires Training, Says Richard Campanelli

01/19/2010

"People are not computers, and we have to remember both the protection of orally communicated information and paper-based information implicates the privacy of the patient, and we must continue to focus on all those protections," Richard Campanelli of Baker & Daniels told the Report on Patient Privacy in its story on HIPAA patient privacy provisions.

"While the emphasis on electronic breaches is justified, we still need to focus on the personal aspects of protecting information, and that requires training, diligence and leadership so that there is a culture of compliance," Campanelli added.

Training the work force "just once and then forgetting about it" isn't going to protect the covered entity (CE), Campanelli told the Report on Patient Privacy. "And the privacy officer should be given the kind of authority and gravitas to be able to help create that culture … at all levels of the organization." This is important because sometimes doctors are the offenders, and employees may have a difficult time challenging their behavior, the story reported.

Campanelli added that, under the HITECH Act, the clock to address and report on breaches starts ticking as soon as the CE — or its work force members — knows or should have known of them. So employees also must be trained to alert the privacy official or their superior ASAP whenever there is an incident that might be of concern.