When Should you Promote HIPAA Awareness?
You should promote HIPAA awareness whenever it is feasible to promote HIPAA awareness because, as an entity responsible for the health of individuals, there are sometimes more important things to prioritize than explaining what designated record sets are or what direction workstations should face.
If your organization qualifies as a HIPAA covered entity or business associate, compliance with all applicable HIPAA Administrative Simplification Regulations is mandatory. As two of the Regulations (§164.306(a)(4) and §164.530(e)(1)) require workforce compliance with the Privacy, Security, and Breach Notification Rules, the implication is that you should promote HIPAA awareness at all times.
However, promoting HIPAA awareness at all times is not feasible. There are times when operational incidents must be given priority, times when technologies fail and facilities have to work in emergency mode, and times when staff shortages make it difficult to consider HIPAA compliance. In addition, workforces have to comply with more regulations than just the Privacy, Security, and Breach Notification Rules.
In fact, hospitals and health systems are required to comply with up to 629 sets of regulatory requirements according to the American Hospitals Association. While not all of these will impact healthcare workforces, workforce members are more likely to need awareness of professional licensing requirements and safety and health regulations on a day-to-day basis than they are of Business Associate Agreements and the HITECH Act.
Why Should You Promote HIPAA Awareness
Most members of the public are aware of the HIPAA acronym and that it relates to patient privacy and the confidentiality of medical records. When healthcare providers demonstrate HIPAA awareness, it increases patients’ trust in the healthcare provider – whereas when patients receive breach notifications in the mail, it damages patients’ trust. HIPAA awareness can be demonstrated in many ways. For example:
- A physician might seek a patient’s consent before discussing the patient’s symptoms while a family member is in the room “because of HIPAA”.
- A home healthcare workers might ask the permission of a patient to bring a translator with them on the next visit “because of HIPAA”.
- An administrator might ask for verification of a caller’s identity before releasing details of a patient’s condition “because of HIPAA”.
- An office worker might think twice about interacting with a phishing email – and flag the email to ITsec as a threat – “because of HIPAA”.
Despite the challenges of promoting HIPAA awareness, it can still be worthwhile. Studies have shown that when patients trust their confidential information will remain confidential, they tend to be more forthcoming about health issues and symptoms. This helps healthcare professionals more accurately diagnose patients’ conditions and prescribe more effective courses of treatment – resulting in better patient outcomes.
Better patient outcomes reduces the demand for healthcare, patient readmissions, and the risk of clinical burnout. They also raise morale in the workplace, which can lead to higher workforce retention and lower recruitment costs. The financial benefits continue through the lack of fines for violations of HIPAA, corrective action plans, and the requirement to provide extra HIPAA training after a data breach or as the sanction for a HIPAA violation.
How Best To Promote HIPAA Awareness
Because members of the workforce respond in different ways to prompts, reminders, and HIPAA training, there is no one-size-fits-all best way to promote HIPAA training. Frequent compliance monitoring, emails, and refresher training can work for some members of the workforce, but not all. Furthermore, learning about HIPAA compliance and applying it in practice is not the same if the objective of an exercise is to promote HIPAA awareness.
What can be done to increase the frequency with which HIPAA is mentioned in the workplace is to integrate HIPAA awareness into other training requirements. A number of the 629 sets of regulatory requirements have mandatory annual training requirements, and it should not be too difficult to integrate HIPAA into the conversation when discussing (for example) bloodborne pathogen safety and CMS’ Emergency Planning Requirements.
The more an organization is able to instill HIPAA awareness into its workforce, the higher the likelihood of a compliant workforce that is trusted by patients. While promoting HIPAA awareness at all times is not feasible, there are ways in which it is possible to raise awareness. HIPAA covered entities and business associates who need advice on how to promote HIPAA awareness in non-HIPAA training should speak with a compliance expert.
