What is the easiest way to prevent HIPAA violations at your practice?
The answer: training. Training is the easiest thing you can do to prevent a HIPAA violation at your facility.
HIPAA lawyer Scot Ganow was quoted recently in an article about a former hospital worker who is facing HIPAA charges. He said “training programs are one of the easiest, cost-effective ways to reduce risk, yet I see so many organizations fail to implement them, implement them poorly, or if they do implement them, they do not maintain them and keep them current as part of an ongoing awareness program.”
If It’s So Simple Why Doesn’t Everyone Do It?
Unfortunately, Scot is right. Far too often, practices and facilities pay for access to HIPAA training materials thinking that alone will make them HIPAA compliant, but then fail to follow through and fully and appropriately train their staff. Some may consider the training to be too time-consuming. Others may simply assume that patient privacy is common sense. However, with technology constantly evolving, it’s not so common sense anymore. Employees may know not to take patient information home with them or share it over the phone, but will they think before tweeting information about a patient?
“I Was Just Trying to Help”
A customer service employee may be asked for certain patient information over the phone and may give it to the caller simply because they feel they are being helpful. If not properly trained, they may not understand why this creates the potential for a violation. Many data breaches are not a result of employees knowingly distributing patient information or acting out of malicious intent, but rather of a sheer lack of knowledge. By educating your staff, you empower them to make appropriate and informed decisions when handling patient information.
Beyond the extra training required in response to advancing technology, there are tons of papers that need to be properly handled. With many practices switching to an electronic system for health records, this becomes even more important.
Technology, Technology, Technology
With the constant advances in technology, there are more and more changes that need to be made to secure patient information. Technology is not inherently secure, even with a password. Implementing EHRs carries associated risks. EHRs will not change any of the security safeguards that apply to patient information. However, it is vital that employees be trained to use this new technology and to transition appropriately from paper records to electronic health records. That said, there are many benefits to using electronic and online tools for patient information and even for employee training.
Other Ways to Reduce Risk
There are other ways to reduce the risk of a HIPAA violation beyond the basic employee HIPAA training and certification program.
- Have a mobile device policy in place. See our example mobile device policy.
- Train employees about appropriate social media practices.
- Have specific training sessions for different departments after the initial online or in-person HIPAA training. There will be different ways of protecting information for nurses than there are for customer service personnel or receptionists based on their individual responsibilities.
- Make training an ongoing process with in-services, review sessions, question-and-answer sessions and an open stream of communication.
- Post cheat-sheets around the work area. Purchase a HIPAA poster or design your own. You could even have an employee contest to design the best one. It will make employees review HIPAA guidelines and be a memorable way for them to engage with the information.