When should you promote HIPAA awareness? Shouldn’t employees always be aware of their obligations under HIPAA? In an ideal situation, that would be true, but reality prevails and employees will need to be regularly retrained on the ins and outs of HIPAA.
Covered entities (CEs, which are defined under HIPAA as healthcare clearinghouses, health plans, and healthcare providers) should provide training to their employees before they come into contact with patients’ protected health information (PHI). Indeed, the training should be extended to all individuals under the CE’s direct control who may come into contact with PHI, including volunteers and subcontractors. Business Associates should also ensure that any of their employees who can access PHI are HIPAA-aware.
HIPAA does not provide an exact timeframe or guidance on how often the training should occur, but only stipulates that it must occur at the beginning of an employee’s contract. Aside from this, HIPAA only states that “regular” training must occur.
Unfortunately, despite the importance of HIPAA awareness training, there is no strict curriculum outlining how often employees should receive training or what the sessions should cover. At minimum, annual training sessions are required, with additional training to be provided if there are updates to HIPAA, or if any changes to the CE’s own workplace practices are made.
Even though there is no pre-defined curriculum, there are a few major topics that should be covered in annual training sessions. This includes the appropriate use of PHI, how PHI is stored and protected, who it can be disclosed to, and what the employee should do if they suspect that a HIPAA violation has occurred.
Ideally, HIPAA awareness should be pervasive in the workplace and not just highlighted in annual training sessions. More regular newsletters could be sent to employees that highlight recent HIPAA news, or what the current workplace protocols are. Posters placed around the workplace can be strategic reminders of what employees should be doing to ensure HIPAA security protocols are in place (for example, reminding them of any “clear desk” policies or alerting them to the dangers of phishing). Monthly quizzes on security protocols can also help keep them at the front of employees’ minds.
There are many facets to HIPAA, and not all parts will be equally important to each role. CEs can therefore provide “job-specific” training that highlights the parts of HIPAA that are relevant to particular tasks, or emphasizes what the most common violations are. Even so, there are some categories of training that should be provided to all employees, such as security awareness training.
In summary, you should always be promoting HIPAA awareness, as this is the best way to guard against HIPAA violations. Depending on their severity, such violations can lead to hefty fines. It is therefore more efficient to provide regular and thorough education to employees to safeguard against violations.