Given how serious they are, how can you avoid HIPAA violations? Is there any sure-fire method of preventing workplace violations of HIPAA, which can attract hefty consequences for Covered Entities and Business Associates (CEs and BAs)? Sadly, no, but we will discuss here one of the most important ways in which violations can be avoided – HIPAA training.
To some degree, HIPAA violations are inevitable. Human nature means that, even if extensive training is undertaken and employees are aware of every potential threat to the safety of PHI, mistakes will be made, and some violations will occur. That said, ensuring that employees are regularly trained in HIPAA compliance and are up-to-date on whatever HIPAA protocols are in place can help reduce the frequency and scope of these violations.
Every CE and BA must appoint a HIPAA Privacy Officer and HIPAA Security Officer (often termed “HIPAA Compliance Officers”). These Officers have a range of duties, including organizing regular training for all employees, contractors, volunteers, and students under the “direct control” of the CE.
Frustratingly, HIPAA does not offer any direct guidance on how regularly training should take place, or what should be the subject of training sessions. The Privacy Rule Training Standard requires that:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
While the Security Rule requires that CEs:
“Implement a security awareness and training program for all members of its workforce (including management).”
Neither of these standards states how regularly training should be conducted. The industry standard is to have annual training sessions, with more frequent sessions available if there are changes in workplace policies. All new employees should be trained within a few weeks of joining the workforce, and they should not be in charge of any PHI-related tasks until that training has taken place.
The standards laid out in the Privacy and Security Rules also do not offer any guidance on the contents of the training modules. The purpose of training is to provide all employees with the same basic knowledge of HIPAA compliance, which can then be tailored in line with their roles and duties. Potential modules include:
- HIPAA Overview and Definitions
- Protected Health Information
- HIPAA Rules
- HITECH Act
- Disclosure Rules
- HIPAA Violations and their Consequences
Another necessary means of preventing HIPAA violations is by promoting HIPAA Awareness in the workplace. This is not as structured as actual training sessions but can include weekly emails about HIPAA news, regular quizzes to refresh certain aspects of HIPAA compliance, or hanging safety-related posters around the workplace. These posters can be positioned at points of “weakness”. For example, a poster reminding employees about the dangers of phishing would be well-placed in an office full of computers.