Tip: Auxiliary staff need to feel safe to report violations. As HIPAA breaches rise in the industry, a highly-trained staff is essential to combat violations head on. Employees from the top down need to know the basics to ensure the integrity of patients' data and care. Training needs to be ongoing versus an annual event because the rules, regulations, updates, and laws that are pervasive in healthcare today don't come out annually; they change daily. Put These 5 Training Tips Into Your HIPAA Checklist Checks and balances keep the healthcare industry honest from top to bottom, and education is at the heart of any successful compliance plan. Remember: The HHS Office for Civil Rights (OCR) requires staff training. According to the HIPAA Security Rule, covered entities (CEs) "must provide for appropriate authorization and supervision of workforce members who work with ePHI." Not only must each practice train its staff on its individual HIPAA protocols, but CEs also need to enforce determined requirements "and apply appropriate sanctions against workforce members who violate its policies and procedures," the HIPAA Security rule cautions. Take a look at these five areas where HIPAA expert Jim Sheldon-Dean, Principal and Director of Compliance Services for Lewis Creek Systems, LLC, in Charlotte, Vermont suggests practices need better training: Tip 1: Cybersecurity. Avoiding ransomware attacks and phishing expeditions takes know-how. A thorough cybersecurity education is essential, maintains, Sheldon-Dean. "Don't open the attachment or click the link!" Tip 2: Devices. Many of the high-profile HIPAA violations over the last year were directly related to the management (or lack thereof) of portable devices. Train employees on the proper use of portable devices and remote access, advises Sheldon-Dean. "Don't put PHI on your phone unless you are supposed to; don't start using new apps or devices without clearing them with IT; and don't access any email with any PHI unless you must for your job." Tip 3: Upper management. Front desk employees often get minimal training, and that needs to change. But clinicians and upper management must also be on board and remain updated on HIPAA guidance, too. Upper management must be aware of "the importance of and processes in information security," explains Sheldon-Dean. "Good information security is a patient safety and corporate survival issue." Tip 4: Risk awareness. Evaluating risk through assessment, analysis, and management is critical for practices, and it's required under the HIPAA Security Rule. An area in need of improvement is "training for managers to always be alert for risk issues," Sheldon-Dean says. "Local managers need to know how to watch for and act on things that may affect information security." Tip 5: Incident management. HIPAA violations happen, but employees are often nervous to verify breaches or tell practice management about their hunches. Sheldon-Dean encourages, "Train in incident management, top to bottom." He adds, "Staff need to feel like they are empowered to report their suspicions of information security incidents, the handling of incidents needs to be clearly defined, and top management needs to understand the impacts of incidents and the necessity to prevent them as reasonably practicable."