This is the third in a series about how to create an effective HIPAA compliance program. Last week we covered the role of Senior Management, and the week before that, the role of a HIPAA Compliance officer.
The healthcare workforce is the front line for HIPAA compliance. Armed with knowledge, they safeguard privacy. A lack of knowledge makes them the weakest link.
HIPAA Training is Essential
Not everyone needs to know all the details of HIPAA compliance. In fact, the most effective training is aimed specifically at the employee’s role in the organization. People need to know, and are more likely to remember, the things that are useful in their day-to-day job, so don’t bury the message in clutter.
Everyone, from the Board of Directors to the receptionist, should know about the “Minimum Necessary Rule” under HIPAA – simply, that whenever protected health information is used or disclosed, only the minimum necessary information is revealed. More specific education, for example, about helping patients obtain access to their own information, should be given to anyone who interacts with patients, whether in person, on the phone or by email.
The IT staff need to know about the Security Rule – how to safeguard electronic information with access restrictions, tracking electronic equipment and systems, backing up data, and installing software updates and patches.
Everyone in the organization should learn about cybersecurity – hacking, phishing, spearphishing and the like – and what to do and whom to call when an incident occurs.
HIPAA Compliance = Quality Care
A culture of compliance creates a strong organization. Patients who trust their healthcare provider are better patients – they’re more honest, communicate more, and participate in their own treatment. When an organization’s leadership believes in quality care, takes compliance seriously and communicates it to the workforce, everyone who works there helps make it true every day.
Insider Threats to HIPAA Compliance
Even the best training may not be enough for every single person. Unfortunately, insiders account for the majority of threats to data privacy in healthcare. Some insiders cause breaches accidentally, so regular training really can help.
So does the following:
- Prohibit the use of social media at the office.
- Update cybersecurity training constantly – for example, how to recognize phishing attacks – because the methods change as the hackers become more sophisticated.
- Encrypt email and text messages with patients.
- Establish and follow a clear Bring Your Own Device Policy.
Others are intentional, so how do you control those?
Take these steps to reduce intentional breaches and theft of patient information:
- Limit information access to only what’s necessary for the job.
- Promote a culture of compliance and reward those who speak up when they see something wrong.
- Follow through with sanctions when an employee does not follow the rules.
Sanctions matter when it comes to HIPAA compliance. The Office for Civil Rights imposes sanctions from the outside for violations, but an organization required to comply with HIPAA also needs its own clear rules for patient privacy, and its own sanctions for violating them, up to and including termination.
HIPAA Compliance Officer is Team Leader
Workforce members should always be able to call the Privacy Officer or the Security Officer (in some organizations the same person) with questions or to report a problem. Not everyone needs to know all the answers, but they need to know where to find them.
The HIPAA E-Tool® supports the Privacy and Security Officers and everyone in the workforce with training and easy answers a click away. It also contains every patient form needed, confidentiality agreements, access controls and a self-guided Risk Analysis. With answers to any question you can imagine, we fill the gaps and strengthen the whole HIPAA compliance team.