Nathan A. Van Cleave says
Team 5,
Kudos to you for taking a crack at a policy where the information is governed primarily through laws and regulations. It is clear in your policy that it certainly takes additional thinking and consideration when crafting a policy around PHI/PII healthcare-related information.
Additionally, as you have highlighted, compliance regulations can also be helpful in identifying key requirements and controls for the policy. I would have expected to see a bit more connection to the risks related to not protecting this type of information. I like the “Oversight” section, as you clearly lay out what could happen if there is a breach.
The video was comprehensive and encompassed everything in your policy. I think a real-life example or scenario around proper data destruction would be helpful for a new hire to see. Overall, very good.
Ivy M. McCottry says
Nathan – thank you for the feedback. Regarding a real-life scenario, do you think it would be helpful to include the dollar amounts for actual violations, since they are well publicized, or would it be better to highlight the impact of a breach?
I ask about scenarios because healthcare inherently has a professional requirement for ethics, and I wonder what could be a sticky/top-of-mind scenario for emphasizing the point of following the policy. The most risk someone faces is loss of license, which could be the outcome of a scenario.
Thank you for any additional suggestions you make.
Andres Galarza says
Ivy, I’ll piggy-back onto what Nathan said.
I think an example, any example, would help connect an employee’s actions to real-world actions and consequences. Often in training that I’ve received on a number of topics, the real-world examples help paint a picture and clear up any questions that I have.
For this particular group, they could use any number of HIPAA violations that have been reported in the last few years.
http://www.inforisktoday.com/prison-term-in-hipaa-violation-case-a-7938
Sean Patrick Walsh says
Your policy is well formatted and goes into depth nicely. The tables providing definitions and examples of PII and PHI are laid out nicely for quick reference if needed. The idea to add an annual policy review and update section at the end where the CIO signs it is a great idea. I noticed, unless I missed it when reading, that there is no requirement stipulating an annual review or a review whenever applicable laws are changed, updated, or revised. Would that be helpful in such a policy in such an industry with the level of statutory and regulatory compliance associated with it? Or is the underlying assumption that Section 7 of the policy covers any changes without outright saying so?
Loi Van Tran says
Team 5,
I applaud you for taking such a critical policy within the health industry and making it so understandable for people that are not familiar with it. The formatting of this policy makes it easy to view and was very informative. Along with the comments above, the tables identifying PII/PHI are very comprehensive. I’m not sure that this would apply, but are there any stipulations regarding how long medical records are kept, either electronically or paper-based? How does an employee know when records need to be destroyed or reviewed for destruction? Please educate me, as you probably have more knowledge after completing this policy.
Joseph Henofer says
I thought the policy was laid out very well. I really like how you laid out the key terms and the explanation for each. The video was good, but I think if you had added an example of where your policy was effective and not effective, that would have really driven home the point of the policy.
Kevin Blankenship says
I like this policy a lot. I appreciate your work to define and specify information that is regulated and protected by law. HIPAA presents an interesting situation for the business when it comes to retaining documents, and I think you did a great job laying out what each type of document is and the impacts of each. PII can be a tricky area, and you helped me understand it through your tables.
Plus the revision log being handwritten and signed was a nice stylistic touch.
Xiaodi Ji says
I like your video. First of all, it is quite simple, which helps employees get the main point as soon as possible and means they do not need to read a lot, which can help them focus on what the speaker says. Then, in the video, overviewing the company and talking about the policy purposes really helps employees review their own company and lets them think that this policy is very important for the company. However, maybe you should improve the voice quality, because there is some noise in it which makes the video not very clear.
For the document, it is very good that you wrote a special chapter for outside vendors. In the company, outside or third-party vendors are hard to control because they may think they do not belong to this company. Thus, they think they do not need to follow the rules or policy in this company. Therefore, I think this is very good for the company.
Ahmed A. Alkaysi says
Very well done policy. I liked how the policy was detailed but not complicated. It was made in a way where employees would be able to read it without falling asleep. Nice job incorporating HIPAA into your policy as well. It made the policy relevant to today’s laws and regulations. I also liked how the signatures were simulated, showing who approved the policy at the end; it shows you guys went through the effort of making sure the policy was as complete as can be.
Sachin Shah says
I work in healthcare, and the policies are extensive and strict, and therefore a lot to cover. Team 5, or Sprenger Healthcare, did a good job in covering so much and properly turning such an encompassing rule set into a policy of a handful of pages. It’s ironic, as my hospital is migrating to EPIC as our EMR, and the policy stated that further definitions of PII and PHI were listed in the EPIC portal. Yet the foundation of what PII and PHI stand for and their generic definitions were properly listed in the policy. I like how the 2nd page had a glossary of definitions – basically an employee needs to learn the terms first, and then the policy will make more sense. That was creative and practical, and the outside vendor work is of much importance. I work with vendors on a daily basis, so incorporating that into the plan was very good as well.