> no written, signed slip of paper holds any weight with me if I'm a juror if the company did not also take actual precautions to prevent unauthorized data access/transfer
No matter what you make the employees sign, you are ultimately responsible for designing, implementing, and enforcing an environment with policies that will treat PHI accordingly. If you make everyone sign a paper that says "don't do this" but then look the other way when they do, you are responsible.
In the UK, you just might find yourself being directed by the judge on this; UK jurors are not allowed to make up the law to suit their views.
It's not a matter of US jurors making up the law. It's the way the law was written. HIPAA says that PHI has to be protected, that reasonable measures should be made to protect the data, that there has to be ways to restrict data so that only the people who need it to do their jobs get access to it, there has to be an officer in the company to monitor compliance, etc. It's specific in some areas, but when it comes to technological requirements it is quite vague. There's an upside and a downside to this.
The upside is that you will be required to take actions that are considered reasonable in the current environment. Many financial institutions continued to use 56-bit encryption algorithms for decades after they had been proven insecure because that was what was mandated. If the law is vague then it pretty much comes down to requiring you to implement current best practices. It would certainly be possible to take things to an even more secure/protected level, but at a cost that would make it impossible to implement in a useful manner. So the law doesn't require the strongest security, it just wants best practices.
The downside is that there is a lot of ambiguity there, which means that there's a lot of room for interpretation by a jury (or whoever else). What might be considered industry standard best practices by a large metropolitan hospital may not be feasible in a small, rural hospital. So which standard is used?
But back to the question, at the hospital where I was responsible for data security we had a written policy, signed by the users, requiring that they treat PHI as protected and that they wouldn't transfer it outside the company except through secured/encrypted means, and only to people/organizations with whom the hospital had partnership agreements, and then only to people who required that information to perform their job duties.
We did not allow people to use portable storage devices (thumb drives, USB hard disk, iPods) and connect them to PCs. At first the policy was only stated and then enforced when it came to our attention that users had brought in such a device. Eventually we had to lock it down via GPO.
We did allow people to work from home, but only under limited circumstances. They could use a company provided laptop if they had one assigned to them, or they could check one out. All laptops ran with full-disk encryption so that the data was secured if the device was lost or stolen. Users could also work remotely by using a VPN connection to a terminal server that had applications installed on it. This ensured that even though they were working remotely the information was still stored on hospital-controlled systems and was encrypted in transit. Under no circumstances were people allowed to transmit PHI via email, even to another internal email address (it's too easy to forward it outside the company).
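As an added illustration of two of the controls described in the post above (the GPO lockdown of removable storage and full-disk encryption on laptops), here is a PowerShell audit script. It is not the poster's configuration or any product's code; it assumes a Windows machine with the BitLocker module available, and that the registry paths are the documented locations the "Removable Storage Access" Group Policy writes to, so running it locally mirrors what a domain GPO would set rather than replacing the GPO. The device-class GUID is the standard Windows "Disk drives" class; the function names are this example's own.

```powershell
# Added example, not from the original thread. Audits (and optionally sets)
# the two local controls the post describes: a GPO-style "deny removable
# storage" policy and full-disk encryption (BitLocker) on the OS volume.
# Assumptions: Windows with the BitLocker PowerShell module present; the
# registry keys below are the documented targets of the Removable Storage
# Access GPO. {53f56307-b6bf-11d0-94f2-00a0c91efb8b} is the Windows
# "Disk drives" device class, which covers USB mass-storage devices.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RegValue {
    # Returns a registry value or $null if the key/value is absent (i.e. policy not applied).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemovableStoragePolicy {
    $diskKey = Join-Path $PolicyRoot $DiskClass
    $state = [pscustomobject]@{
        DenyAll     = Get-RegValue $PolicyRoot 'Deny_All'
        DenyRead    = Get-RegValue $diskKey    'Deny_Read'
        DenyWrite   = Get-RegValue $diskKey    'Deny_Write'
        DenyExecute = Get-RegValue $diskKey    'Deny_Execute'
    }
    # Compliant if the blanket "deny all classes" policy is set, or all three
    # per-class denies for disk drives are set.
    $classDenied = ($state.DenyRead -eq 1) -and ($state.DenyWrite -eq 1) -and ($state.DenyExecute -eq 1)
    $state | Add-Member -NotePropertyName Compliant -NotePropertyValue (($state.DenyAll -eq 1) -or $classDenied)
    return $state
}

function Set-RemovableStorageDeny {
    # Writes the same values the GPO would write; needs an elevated shell.
    # Supports -WhatIf so you can preview before changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $diskKey = Join-Path $PolicyRoot $DiskClass
    foreach ($k in @($PolicyRoot, $diskKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess($PolicyRoot, 'Set Deny_All=1')) {
        Set-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -Type DWord
    }
    foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        if ($PSCmdlet.ShouldProcess($diskKey, "Set $v=1")) {
            Set-ItemProperty -Path $diskKey -Name $v -Value 1 -Type DWord
        }
    }
}

function Get-LaptopEncryptionState {
    # Full-disk encryption check for the OS volume. "FullyEncrypted" with
    # protection "On" is the state you want before a laptop leaves the building;
    # "FullyEncrypted" with protection "Off" means the key is exposed (suspended).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Volume           = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Compliant        = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    }
}

# Usage: report the current state; uncomment the last line to preview enforcement
# (drop -WhatIf to apply). In a domain, the GPO should remain the source of truth.
Get-RemovableStoragePolicy | Format-List
Get-LaptopEncryptionState  | Format-List
# Set-RemovableStorageDeny -WhatIf
```

The audit half is the useful part for the "look the other way" point made earlier in the thread: a signed policy only carries weight if you can show the control was actually applied on the endpoints, and a periodic report of `Compliant` values per machine is the evidence for that.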