Are HIPAA violations at all avoidable? Is it inevitable that mistakes will be made, and that Covered Entities will end up paying fines for HIPAA violations? In short: how do you avoid HIPAA violations? We will discuss that here.
Unfortunately, to some degree, HIPAA violations are hard to avoid. Human nature means that mistakes will be made – employees will fall for phishing emails, doctors will overhear other doctors discussing patients, an email will be sent to the incorrect recipient etc.. However, there are several steps that can be taken to avoid these violations.
The most important way to avoid HIPAA violations is to ensure that all those who could come into contact with PHI in the workplace – medical staff, accountants, administrators etc. – know about their duties under HIPAA, how to best protect PHI, and what procedures are in place to ensure PHI is not accessed by unauthorized individuals. This is achieved through HIPAA training.
Indeed, not only is HIPAA training a good idea from the point of view of the CE or Business Associate (BA), it is actually required by HIPAA. However, the guidance on training provided by HIPAA is vague. The Privacy Rule states:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
This standard does not actually provide guidance on how often training should take place, what topics should be covered during training. The Security Rule Training Standard is similarly vague, requiring Covered Entities to:
“Implement a security awareness and training program for all members of its workforce (including management).”
Both Rules require that CEs and BAs appoint HIPAA Privacy Officers and HIPAA Security Officers (“Compliance Officers”). These Compliance Officers oversee HIPAA compliance in the workplace and deals with any questions or concerns employees have. They are also responsible for implementing HIPAA training in the workplace.
Even though there is no official guidance from the Department for Health and Human Services’ Office for Civil Rights (OCR) on how frequently training should take place, the industry standard is usually to have sessions at least once a year. Additional sessions can be run as “refreshers”, or to update staff on any changes that have occurred regarding workplace HIPAA protocols.
All employees joining the workforce should also be HIPAA trained as soon as possible after their start date. CEs and BAs should consider closely monitoring their use of PHI in the first few months to ensure that they are correctly following protocol.
The Standards do not offer any guidance on what the training sessions should cover. Ideally, the annual session would provide a “basic” level of knowledge to all employees, with additional training sessions focussed on different roles. Potential topics for these basic training sessions include:
- HIPAA Overview and Definitions
- Protected Health Information
- HIPAA Rules
- HITECH Act
- Disclosure Rules
- HIPAA Violations and their Consequences
Another key way how to avoid HIPAA violations is to promote HIPAA Awareness in the workplace. Promoting awareness can involve a range of methods, from “pop quizzes” that test employees’ ability to recall HIPAA protocols to posters around the workplace. These posters should be strategically placed (e.g., a poster reminding employees not to discuss patients in the break room). HIPAA Awareness can help to remind individuals of proper HIPAA compliance, and help to avoid HPAA violations.