By Matt Fisher, Esq
Twitter: @matt_r_fisher
The increased focus on HIPAA compliance and the anticipated second round of audits make clear the necessity for an organization to develop and implement comprehensive policies and procedures. The many settlement and breach announcements demonstrate that many issues occur because individuals do not fully understand what HIPAA is or what it does. A lack of knowledge, however, can be combatted with good training.
Training is required under the HIPAA Privacy Rule. The rule requires entities covered by HIPAA to provide training upon coming under the ambit of HIPAA, when new employees are hired and when an individual’s job responsibilities change such that the individual’s responsibilities under HIPAA materially change. Documentation of the training should be maintained in order to prove later on that the training did in fact occur. While not explicitly stated in the Privacy Rule, entities subject to HIPAA would be well advised to conduct trainings annually.
When individuals are armed with knowledge about HIPAA, then compliance not only becomes possible, but hopefully more likely as well. What aspects of HIPAA should a training program focus on? Should training cover every single detail of HIPAA, only certain hot topics, or some point in between? The answers to these questions may depend upon the organization, but at a minimum all HIPAA training programs should provide basic information about HIPAA and what it does, as well as a particular organization’s policies and procedures that were implemented for purposes of complying with HIPAA. Accordingly, a HIPAA training program should likely explain what HIPAA is, what the Privacy Rule is, what the Security Rule is and how the particular organization complies with HIPAA.
With the general concepts of a comprehensive HIPAA training program in mind, what else should an organization consider for inclusion in the training? The following are suggested topics based upon common issues that keep arising and resulting in HIPAA violations:
- Mobile Devices. Many recent breaches have been the result of lost laptops, flash drives, cellphones, or other mobile devices. When thinking about a mobile device, the category should be thought to include any electronic device that is portable and in which electronic protected health information may be stored. In order to guard against a breach, organizations and individuals can take certain steps to protect the stored data. For instance, even though not required, it is becoming increasingly apparent that encryption should be mandatory. While these are background steps to take, training should focus upon the risks inherent in mobile devices. For example, a mobile device can be easily misplaced or stolen, data can be stored for longer than suspected, and other related issues. Training should detail the risks and then describe what steps each organization has or is taking to reduce risks.
- Snooping. Another significant risk for organizations is “snooping,” or access to protected health information by individuals outside the scope of their job responsibilities. As a training matter, the acceptable bases for accessing protected health information should not only be highlighted, but explained. It may not be enough to say that only information relating to a person’s job can be accessed or to say that a provider should only access information about their particular patients. Providing some concrete examples taken from everyday interactions can be beneficial. What should a provider do if their family members ask them to look at a file? What should a data storage company do if they are reviewing data sent to them? The requirement really needs to be brought to life and not left to potential misinterpretation. Snooping is a major concern and one where education can be achieved.
- Means of Communication. It can be difficult to know whether information can be emailed, texted, faxed or sent in any other way. If information is communicated, how can such communication be done securely? Each organization will need to educate its employees on what measures that particular organization has implemented and what means cannot be used. A training program can highlight the different options as well as explain the pros and cons of each available type of communication. A training program should also include how to respond to individual requests for the transmission of information. As a baseline though, the training should clearly describe the risks of sending protected health information in an unsecured manner. Avoidable risks should be reduced through understanding.
- Social Media. The rise and prevalence of social media use in so many aspects of daily professional and personal life makes it a very risky area for healthcare or healthcare-related organizations. What, if any, information can or should be shared? Has an organization implemented a social media policy? All of these issues should likely be addressed in HIPAA training. The potential for both intentional and inadvertent disclosures contrary to the requirements of HIPAA is a very real problem. The example of a physician from Rhode Island should not be forgotten. In that instance, an emergency room physician posted about a case on the physician’s Facebook page following their shift. The post did not use a name or other common identifier, but the facts and circumstances were enough that the patient could be identified. The physician not only lost their job, but faced licensing consequences as well. Organizations must educate about these and other risks that have been brought to the forefront by social media.
The above quick list of issues to consider for inclusion in HIPAA training is certainly not exclusive or exhaustive. Each organization should review its own operations and likely take the results from its risk analysis to determine what weaknesses or vulnerabilities should be highlighted in training. For example, an organization newly exposed to HIPAA may need to focus on basics whereas an experienced healthcare provider may be able to cherry-pick certain issues for more exhaustive training.
Regardless of an entity’s experience level, training cannot be overlooked. Even though the Privacy Rule does not explicitly require annual training, organizations should seriously consider annual trainings. Not only may information change over time, but annual training offers the opportunity to cover new developments and identify new risks. Do not allow a violation to occur because of a lack of training: knowledge is power.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.