Even though the Health Insurance Portability and Accountability Act (HIPAA) has been around since 2004, there are still plenty of healthcare organizations that fall short in their compliance efforts. No provider intentionally chooses to violate HIPAA; however, many break the rules because staff are either not familiar with what constitutes a breach or are unsure of their role in preventing one. Unfortunately, given the age of the Act, the Department of Health and Human Services (HHS) is not all that sympathetic to organizations that do not have an effective HIPAA compliance program in place.
Over the past few months, we have discussed different areas where healthcare organizations commonly fall down with HIPAA compliance, including attitude toward potential breaches and resources, as well as developing appropriate policies based on gap analyses. In this article, we delve into the need for adequate and documented workforce training and responsive incident management.
Workforce training
Since HIPAA regulations are so vast, it can be difficult to fully understand what training is required and how often it should occur. That said, it's essential to make sure staff are properly trained to prevent breaches and mitigate effects should they occur. Below are some best practices organizations can follow to bring their training up to par.
Provide annual refresher courses. Once a year, a provider organization should give a comprehensive HIPAA training that reacquaints current staff with the legislation's pertinent elements, and outlines staff roles in preserving patient data privacy and security. This training goes hand-in-hand with new staff orientation on the topic. Whenever an individual starts work in an organization, he or she must receive HIPAA training as part of the overall introduction to the facility. Organizations should not have new staff wait until the annual training to learn about their responsibilities.
Let the gap analysis guide training. As we mentioned in a previous article, organizations should perform a gap analysis to uncover areas where compliance is weak. This will involve an in-depth review of current policies, visual observations of existing operations and conversations with staff members about how they maintain patient health information security. Using the results of the gap analysis to inform training content will lead to more focused education, which can directly address the problems the organization faces.
Encourage information retention. Having an annual training is not enough to ensure your organization remains compliant throughout the year. To keep HIPAA on the front burner, providers should consider offering quarterly education activities that help staff retain information and apply it to their daily work lives. These exercises can take many forms, and organizations should consider offering several different ones to keep material fresh. For example, a provider may want to survey staff on different compliance tips or requirements to see if people can correctly answer some basic questions. Along with the gap analysis, these surveys can highlight training opportunities.
Role-playing exercises are also a good way to help staff practice how to speak with patients about HIPAA. Moreover, a "personal shopper" exercise can be a good idea. This is where someone who is not a staff member poses as a patient, enters the organization and asks about his or her personal health information. Observers then monitor how staff react to the patient, later pointing out areas where performance could improve. For instance, you could have the "patient" request information on a spouse or family member and see how the staff respond. If the spouse or family member has not indicated that this individual has permission to access the medical information, and a staff member grants access anyway, the organization could be violating HIPAA rules, and that would be something to cover more closely in refresher programs.
Incident response
Despite having good policies, robust training and an overall commitment to HIPAA compliance, breaches can still happen. Organizations should have a plan to respond to these incidents, documenting them appropriately and addressing root causes to prevent future occurrences. Again, there are some best practices to keep in mind.
Be efficient when determining whether a breach occurred. An organization has 60 days from the time of a breach to address it. How the organization responds will depend on the severity of the compliance issue. Although it may be tempting to wait before tackling the problem, providers should take action right away. If they don't, they run the risk of a patient or staff member reporting the incident to HHS, which will result in an onsite visit and potential penalties. The government wants to see that an organization is aware of the event and has made an effort to respond, so demonstrating this commitment can help mitigate the risk of severe consequences.
Document the details. A key element in dealing with a HIPAA breach is documenting what occurred. Organizations can approach this in a variety of ways, including using spreadsheets or third-party documentation tools. Whatever method the provider uses, staff should record the date of the incident, what happened, who was involved, what was done in response and how the organization plans to prevent such issues going forward.
Be transparent with patients. When a patient's health information is inadvertently compromised, organizations must be upfront about what happened and what's being done to remedy the situation. In many cases, a letter to the patient will suffice; however, organizations should also be prepared to discuss the problem with patients in person and find ways to ease concerns. For example, some organizations offer to pay for a 1-year subscription to a data monitoring service. This type of company will keep watch on the patient's private information and make sure it is not being used for nefarious purposes.
Protect patient information & your organization
Taking time to develop a good HIPAA training and incident response program is not only the right thing to do, it makes good business sense. Organizations that do the work can see improved compliance while avoiding substantial fines, lawsuits and a tarnished reputation.