What Employees Should Know about HIPAA Compliance

What Employees Should Know about HIPAA Compliance. HIPAAGuide.net

What employees should know about HIPAA compliance is that the objective of HIPAA compliance is not to avoid sanctions and penalties, but rather to protect patients and health plan members from medical identity theft. If this is explained in HIPAA training, it can help focus minds and reduce the number of errors made by healthcare employees.

What employees are told they should know about HIPAA compliance usually focuses on HIPAA rules, standards, and policies. For this reason, HIPAA training often consists of (for example) rules for disclosing health information, standards for securing electronic Protected Health Information (ePHI), and policies for responding to patients exercising their HIPAA rights.

In many cases, healthcare employees are simply told in HIPAA training to comply with the HIPAA rules, standards, and policies, or there will be sanctions. However, while it is important that employees are trained on HIPAA rules, standards, and policies (and alerted to the sanctions for violating them), it is also important that all workforce members understand why they exist.

Why HIPAA Privacy and Security Standards Exist

What employees should know about HIPAA compliance is that, when HIPAA was passed in 1996, Congress instructed the Secretary of Health and Human Services (HHS) to make "recommendations with respect to the privacy of certain health information" (Sec. 264). The recommendations were to be adopted as HIPAA privacy standards if Congress did not enact separate legislation to protect the privacy of health information within three years.

The recommendations noted that legislation was necessary because "patients have a legitimate need for assurance of the confidentiality that permits them to be frank with their physicians about their health conditions and behavior. That assurance is fundamental to effective diagnosis, treatment, and healing." This note became the foundation for all future HIPAA rules, standards, and policies, and is as applicable today as it was then.

The HIPAA security standards evolved separately, as they were originally intended to protect the security and integrity of health information transmitted electronically between healthcare providers, healthcare clearinghouses, and health plans. Because of the length of time it took to finalize the HIPAA Security Rule, the scope of the Rule was extended to cover all Protected Health Information (PHI) created, received, maintained, or transmitted electronically.


The Value of Protected Health Information

Threats to the confidentiality of Protected Health Information exist because the information is so valuable. It can be used by whoever obtains it to commit medical identity fraud and obtain healthcare or prescription drugs in the victim's name. It can also be used to apply for finance, commit insurance fraud, or submit fictitious tax returns in the victim's name, or to stigmatize, embarrass, blackmail, or discriminate against the victim.

Not everybody who obtains Protected Health Information impermissibly uses the information themselves. In 2019, HHS' Office of the Chief Information Officer estimated that a designated record set containing a full package of individually identifiable health information sold on the dark web for an average of $1,170. This means that a hacker could potentially realize more than $1 million from a relatively small data breach affecting just 1,000 individuals.

In addition, compared to the theft of credit card data, stolen Protected Health Information has a long "shelf life". Whereas the misuse of a credit card is often quickly noticed and stopped, with stolen funds returned, the misuse of Protected Health Information can continue for many years, not only costing healthcare providers and health plans millions of dollars, but also having personal consequences for victims whose identities have been misused.

The Personal Consequences of Medical Identity Theft

In 2013, a survey was conducted on the consequences of medical identity theft. Of the confirmed victims of medical identity theft that responded to the survey, 48% believed there were inaccuracies in their medical records because of treatment provided to imposters. The most common consequences of these inaccuracies were the misdiagnosis of an illness (15%), a delay in receiving medical treatment (14%), and the mistreatment of an illness (13%).

Importantly, in the context of HHS' recommendations for HIPAA privacy standards, 56% of respondents lost trust in their healthcare provider. As has been shown in subsequent surveys, when patients lose trust in healthcare providers, they tend to disclose less personal information about themselves, making it harder for healthcare providers to accurately diagnose their conditions and prescribe effective courses of treatment.

Less trusting patients are also less likely to comply with their treatment regimens, leading to slower recoveries, recurring illnesses, and higher levels of readmissions. The takeaway from this, and what employees should know about HIPAA compliance, is that if you impermissibly disclose Protected Health Information (knowingly or unknowingly), or you cause a data breach through carelessness, the consequences of your actions are likely to have personal human costs.

Why Are There so Many Data Breaches in Healthcare?

Each year, HHS' Office for Civil Rights publishes a report on HIPAA Privacy, Security, and Breach Notification Rule Compliance. In the most recent report, it is revealed that HHS' Office for Civil Rights receives more than 60,000 HIPAA breach notifications per year. Also each year, Verizon publishes a Data Breach Investigations Report. In 2024, Verizon calculated that 68% of data breaches had a "human element" once malicious insiders were removed from the calculations.

This implies that more than 40,000 data breaches in healthcare each year are attributable to human error, and HHS' Breach Report Archive of data breaches affecting 500 or more individuals would appear to confirm this implication. Each archived Breach Report contains a web description of the nature of the breach and the reason for it. By reviewing the Archive, it is possible to find thousands of examples of:

  • Healthcare employees accidentally mailing Protected Health Information to unauthorized recipients,
  • Healthcare employees falling for phishing scams and revealing their login credentials to cybercriminals,
  • Healthcare employees failing to protect physical devices containing Protected Health Information from theft and loss, and
  • Healthcare employees failing to configure software to safeguard Protected Health Information from unauthorized access.

Each one of these data breaches could potentially expose patients to medical identity theft and have personal human costs. Therefore, what employees should know about HIPAA compliance is that it is more important to take care when mailing Protected Health Information, interacting with phishing emails, leaving devices unattended, and configuring software than it is to know (for example) the HIPAA documentation retention requirements.

What Employees Should Know about HIPAA Compliance and Sanctions

What employees should know about HIPAA compliance and sanctions is that covered entities (and, where applicable, business associates) are required to sanction members of the workforce who violate any standard of the HIPAA Privacy Rule or HIPAA Breach Notification Rule. This requirement (§164.530(e)) applies even if a workforce member violates a privacy standard about which they have received no HIPAA training and the violation does not result in a data breach.

Covered entities and business associates are required to conduct nontechnical evaluations and risk assessments to identify reasonably anticipated impermissible uses and disclosures of Protected Health Information and implement measures to mitigate them. However, not all do. This leaves employees and other workforce members potentially exposed to sanctions such as warnings and suspensions and, in worst-case scenarios, termination of employment and loss of license.

Employees can avoid these sanctions by subscribing to a HIPAA awareness training course. HIPAA awareness training courses include basic information about HIPAA that may not be included in an employer's HIPAA policy and procedure training or security awareness training, for example, an explanation of what PHI is, why it is highly sought by cybercriminals, and the types of mistakes which most often result in medical identity theft and personal human costs.

Training of this nature not only reduces the likelihood of an accidental HIPAA violation due to a lack of knowledge, but it can also help put an employer's HIPAA training into context so that it is better understood and complied with. Better understanding of and compliance with an employer's HIPAA training reduces the likelihood of sanctions, and the likelihood that a patient or health plan member will be the next victim of medical identity theft.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/