Posted on 02.21.2014
Treat the Cause, Not the Symptoms
With technological advances come new perils for the workplace that have both operational and brand protection implications.
- A physician office manager posts a comment on social media inquiring about a patient's specific medical condition, resulting in a HIPAA violation.
- An unencrypted flash drive with protected health information (PHI) is stolen from the vehicle of a physician practice employee, costing the practice fines of $150,000.
- A health plan's photocopiers are returned to a leasing agent still containing PHI stored on their hard drives, resulting in a $1.2 million settlement.
Incidents like these occur every day, with ramifications ranging from negative publicity to hefty fines and other enforcement actions.
So what's an organization to do?
Unfortunately, some organizations approach the issue by treating the symptoms instead of the cause, banning social media in the workplace altogether (good luck with that in the era of the smartphone, by the way) or locking USB ports to prevent users from plugging in removable flash drives. (The latter in no way prevents an unscrupulous employee from simply uploading data to the cloud or emailing it, of course.)
You wouldn't ban office supplies because you had an employee who was stealing them, or rid the office of computers because of an employee who prefers video games to work. You'd warn, discipline or dismiss the employee. New-age disciplinary problems need to be treated similarly by addressing the problem employee behavior, not the digital platform via which it occurred.
While there's no easy fix to certain high-stakes risks, smart organizational leaders ensure they have proper policies, procedures and plans in place, that employees receive proper training and periodic re-training, and take the appropriate disciplinary actions against employees who violate policies.
How many of these policies and plans does your organization have in place to help protect itself from reputational harm?
- A clear, strong social media policy, updated regularly as the world of social media evolves. If large, publicly held companies like Coca-Cola can have both a social media policy and a robust social engagement strategy, your organization can, too.
- Healthcare providers and other "covered entities" as defined by HIPAA will find a social media policy is just as important as their other HIPAA-related policies and procedures. These policies are essential to ensure the organization is doing everything it should to safeguard protected health information (PHI).
- Beyond PHI, data breach is a constant concern for organizations from national retailers to local school systems that hold personally identifiable information (PII). Along with adequate data protection protocols, any organization with records that contain PII should establish a clear data breach response plan to ensure a prompt response and mitigate negative consequences in the event of a breach.
- Speaking of responding promptly and mitigating consequences, does your organization have a crisis response plan? "Unimaginable" crises can range from a shooter in the workplace to major fire or flood damage to allegations of criminal activity or the unexpected death of a high-profile company executive. Smart organizations don't leave such things to chance; they have a thorough plan for how their team will react in a time of crisis to minimize impacts to customers, employees and reputation.
If you have all the applicable policies, procedures and plans in place, congratulations. You're on the right track. But don't forget, without the proper employee training and retraining to go with them, they're just taking up space on your bookshelf… or your server. Do your policies - and the way you use them - need a check-up?
Dana Coleman is a Vice President at Lovell Communications. You can view more of Dana’s blogs here. Connect with Dana at Dana@lovell.com or @lovelldc