Risk analysis and training

If you want to improve HIPAA compliance and need to prioritize, refresh your risk analysis and strengthen training.

A billing and coding vendor was hit with a HIPAA investigation and ended up paying a $75,000 settlement to the Office for Civil Rights (OCR) for failing to comply with HIPAA. iHealth Solutions is a HIPAA business associate (BA) that provides coding, billing, and onsite information technology services to health care providers. It experienced a data breach on one of its servers exposing the protected health information (PHI) of 267 patients. OCR found two core pieces of HIPAA compliance were missing: risk analysis and training. This is a wake up call for business associates that OCR is paying attention.

OCR Director Melanie Fontes Rainer said in the settlement announcement:

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities. Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

Risk Analysis and Training

OCR highlighted the need for a risk analysis:

“In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization.”

In addition to the settlement payment, iHealth must follow a corrective action plan, with oversight by OCR for two years.

The Corrective Action Plan mandates iHealth develop, maintain or revise compliant BA Privacy, Breach Notification and Security Rule Policies and Procedures, train workforce members on those policies and procedures and submit to OCR (italics added for emphasis):

“A copy of all training materials used to train workforce members on the new or revised policies and procedures required by Section V.D., including a description of the training, a summary of the topics covered, the length of the session(s), a schedule of when the training session(s) were held, and a list of attendants. The owner or officer of iHealth shall attest that such workforce training has been provided.”

HIPAA Training that Works

Two kinds of training are required – general HIPAA concepts and cybersecurity awareness. And training should be tailored to the workforce member’s job.

All workforce members including senior management need training on the basics – what HIPAA is, why it is important and why they need to be mindful of it. Major health information cybersecurity data breaches frequently result from low tech infiltration methods using information obtained from social media or phishing emails. It follows that all workforce members need training to recognize, avoid and report common privacy and security threats.

Workforce members also have different levels of exposure to protected health information and electronic protected health information depending on the work they perform. Aside from basic HIPAA familiarization training they only require limited training that covers their specific duties to protect PHI they use or disclose to perform their jobs.

Take Charge of Your HIPAA Compliance

Enforcement is not letting up. Stay ahead of OCR by reviewing your policies, risk analysis and HIPAA training. You can avoid paying for an investigation and settlement by taking action now. Set priorities and commit to improve. The HIPAA E-Tool® can help.

Free HIPAA Checklist
What best describes you?