Staff working on the ground sees everything; they are the ones likely to come across a problem that demands your attention. You need to have a reporting system established that the staff knows exists to ensure the issue will be communicated.
First, you must manage reporting systems for your agency. Create a process through which staff can submit reports either anonymously or by name. Have a system in place to ensure that once a potential breach has been communicated you have the tools ready to complete an investigation efficiently.
Remember! Review whistleblower reports regularly! Monitor to make sure investigations take place in a timely manner and are resolved.
Having a reporting system in place is only half the battle. You have to also make sure your staff:
Understands yourorganization's reporting system, and Does not fear retaliation for reporting.
Make the duty to report a part of your agency's culture. Promote awareness and understanding of the availability of whistleblower reporting and other resources your agency offers. Also promote your agency's non-retaliation policies. Make these policies known to staff in new-hire orientation and annual training, on your website, in staff memos and through other ways you communicate with staff.
Keep in mind! Communication is a two-way street. Creating a reporting system is meaningless if staff does not know to use it!
For more information, check out the section on Preventing Breaches on page 26 of the MyHIPAA Guide Compliance Manual. MyHIPAA Guide subscribers may access available templates for security incident reports and incident investigations under Appendix E of the Security Policies and Procedures template on Step 3 of the MyHIPAA Guide website.