Security and Incident Reporting Policies for DeVry Medical Center
Policy no.1: Incident Reporting
Medical Center of DeVry
INCIDENT REPORTING AND MANAGEMENT POLICY
Last Updated: 10th January 2018

Purpose: The proper reporting and management of incidents is central to the effective governance of the DeVry Medical Center and to international best practice among healthcare institutions. It also supports the desire to provide quality services and to ensure the safety of patients and of the various stakeholders who work with the facility. To that end, the purpose of the present policy is to streamline governance and enhance the safety of patients and all stakeholders. More importantly, the policy serves to update existing policies on incident reporting and management in order to gain compliance with the Health Insurance Portability and Accountability Act (HIPAA). This shall assure the safety of patient information while steering the institution towards the path of quality services (Macrae, 2015).

Requirements

Who Should Report
Any employee of the healthcare institution has both a right and a duty to report incidents. This applies to full-time employees as well as those on contract or working part time. The reporting individual should be the one directly involved in the incident; in their absence, a witness to the incident should assume the responsibility.

Processes for Internal Reporting
All incidents should be reported immediately as they are witnessed, using the online incident form available on the organization's website. If the incident has already occurred, an incident report should be filed appropriately with the organization. This is typically done by filling in the incident report form. This applies to both temporary and permanent workers.

Processes for External Reporting
Any major/significant incident that should be reported to the professional, local, state or federal agencies should be expedited as per the law governing them. It is the responsibility of all employees to be aware of and adhere to such regulations. Reports must be made within three (3) months.

Incidents to Report
The following are to be reported: unauthorized accesses to patient information to third parties and external players, unauthorized/inappropriate use of computers and other digital devices, failed decryption/encryption of sensitive information, loss/sharing/misuse of unique ID cards offered to authorized persons, security lapses in transmission of patient information, and misplacement/loss of computers and/or data (Drolet et al., 2017).

Procedures to be followed
Once an incident is reported or an incident report is filed, the systems administrator (Risk and Safety) takes up the report and forwards it to the relevant manager. In most cases, these are managers in the units/departments where the particular risk has occurred. It is the responsibility of the manager to follow up and confirm the incident, after which he/she forwards it to the Serious Incident Review Group, which takes up the case and carries out further investigations (Sujan & Furniss, 2015). The team shall get to the bottom of the matter and report back to the manager of the unit/department, who shall then take action.

Special Circumstances
There are some incidents that do not require reporting, many of which are those affecting the general public. For instance, application hitches such as Facebook, Twitter and WhatsApp downtime should not be reported even if members of the organization are affected.
Policy no.2: Security
Medical Center of DeVry
SECURITY MANAGEMENT POLICY
Last Updated: 10th January 2018

Purpose: The purpose of this policy is to update existing structures for security to ensure greater safety for patients and other stakeholders. An assessment of the present settings revealed that some of the policies were outdated, and as such the proposals made in the new policy are meant to provide an update while also buttressing the general (physical) security of the DeVry Medical Center. Notably, the improvements to be made are aimed at gaining compliance with the Health Insurance Portability and Accountability Act.

Requirements

Who the policy applies to
Any employee of the healthcare institution has both a right and a duty to adhere to the security guidelines. This applies to full-time employees as well as those on contract or working part time. The policy concerns any issue to do with having appropriate physical safeguards for information and property in the institution.

Securing Workstations
Various steps should be taken to ensure that the workstations are secure. In particular, the following safeguards should be instituted:
- Equipment such as laptops should be secured to ensure access to them is limited to those with authorization.
- The auto-lock feature should be put in place to keep unauthorized persons at bay.
- The access to the workstation should be restricted by the use of highly reinforced, burglar-proof doors and windows.
- There should be security officers at the facility to take note of and even act on any physical breaches to security.
- There should be emergency provisions in the workstation such as fire extinguishers and a fire exit.
- Set up security checkpoints prior to the access of the workstation.

Record Disposal
Electronic and paper waste should be disposed of, once it is no longer of use to the health facility, in a way that maintains the security of any information it contains. For hard drives and DVDs, all information in them should be wiped clean before they are disposed into bins (Anthony, Appari & Johnson, 2014). Paper documents should all be shredded prior to disposal.

Procedures to be followed
To ensure that all physical safeguards are in place and the proper method for record disposal has been adhered to, there should be frequent audits in the facility. These should be done by the management as well as the occupational health and safety officer (Agris & Spandorfer, 2016). Such audits should identify gaps and set out clear plans on how to fill them.

Special Circumstances
There are a few exemptions to the policy above. These include the disposal of publicly available information that was previously in use in the facility and that does not have any sensitivity (Kotz et al., 2015). For instance, newspapers, public notices and some general memos shall not require shredding. In the same way, some digital records that are not sensitive shall not need to be wiped prior to disposal. For physical safeguards, some areas such as the washrooms shall not require security officers, barriers and checkpoints.
Medical Center of DeVry
INCIDENT REPORTING FORM

Dear User,
Kindly fill out this form with the highest level of accuracy and honesty. We value the information provided in this form and shall act on it accordingly.

Date of Incident: ……………………
Type of incident/complaint: ……………………
Staff Involved: ……………………
Complaints details: ……………………
Signed: ……………………
The following is a checklist for security and audit staff when checking for compliance to the requisite incident reporting and security policies.
The two communication tools for the purposes of the policy shall be emails and an internal memo. The two shall be used to inform the workforce of the training on the two policies and the reporting tools that shall be available to them.
From: Privacy officer
To: various recipients
Subject: New incident Reporting and Security policies
Dear all,
I trust you are well and enjoying your work at the Medical Center of DeVry. This is to inform you that the organization has come up with two policies regarding incident reporting and management and security management for this coming year. The purpose of the policies is to improve on our privacy policy and improve governance. The new policies are also consistent with the desire to comply with the Health Insurance Portability and Accountability Act (HIPAA).
In light of the foregoing, we shall be conducting trainings on the new policies to help you familiarize yourselves with them and become acquainted with the incident reporting tools that shall be available to you. To that effect, there shall be trainings from 13th February 2018 to 20th February 2018 at the auditorium covering different groups. We shall communicate the order to be followed in executing the trainings.
We look forward to your participation and consequent cooperation in implementing the new policies. If you have any questions, kindly email us anytime.
Best,
Privacy officer.
Internal Memo
To: All staff
From: Privacy Officer
Date: 11th January 2018.
Subject: New policies on incident reporting and security management
We recently carried out an assessment of our security and privacy policies and unearthed some weak areas that need improvement. Upon completing the assessment report, we came up with two policies, one on incident reporting and management and the other on security management. The two policies shall play a significant role in improving our privacy and safety of patient information as well as streamlining governance here at DeVry. The policies are also aimed at ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA), which as you are aware, has become an imperative of all health institutions. We shall provide advance copies of the two policies for your perusal in due time.
For the purposes of domesticating the policies and encouraging compliance, we have also scheduled trainings for the same next month from 13th February 2018 to 20th February 2018 where we shall break down the content and intent of each policy as well as the reporting tools available for you. There are essential elements to learn in that respect including the incident reporting forms and how to fill them, various processes of reporting and so forth. We shall roll out the order of trainings to take place at the auditorium in due course.
We look forward to your cooperation in this.
Signed…………………….
Privacy Officer.
References
Agris, J. L., & Spandorfer, J. M. (2016). HIPAA Compliance and Training: A Perfect Storm for Professionalism Education?. The Journal of Law, Medicine & Ethics, 44(4), 652-656.
Anthony, D. L., Appari, A., & Johnson, M. E. (2014). Institutionalizing HIPAA compliance: Organizations and competing logics in US health care. Journal of health and social behavior, 55(1), 108-124.
Drolet, B. C., Marwaha, J. S., Hyatt, B., Blazar, P. E., & Lifchez, S. D. (2017). Electronic communication of protected health information: privacy, security, and HIPAA compliance. The Journal of Hand Surgery, 42(6), 411-416.
Kotz, D., Fu, K., Gunter, C., & Rubin, A. (2015). Security for mobile and cloud frontiers in healthcare. Communications of the ACM, 58(8), 21-23.
Macrae, C. (2015). The problem with incident reporting. BMJ Qual Saf, bmjqs-2015.
Sujan, M., & Furniss, D. (2015). Organisational reporting and learning systems: Innovating inside and outside of the box. Clinical risk, 21(1), 7-12.