Provide periodic training so that staffers don’t completely forget the tenets of HIPAA. Those working in the healthcare arena need to stay vigilant, as the potential ways to accidentally expose patients’ protected health information (PHI) continue to expand. From privacy violations at the reception desk to email phishing ploys to lost unencrypted mobile devices — the opportunity for you and your fellow employees to bring censure and penalty down upon your practice grows exponentially as healthcare changes and evolves. Consider this: Most violations are caused by staff who accidentally expose PHI or electronic PHI (ePHI) due to a poor understanding of HIPAA. That’s why training and keeping your staff up to date on HIPAA is essential. Every existing and new employee must be fully educated on the HIPAA laws and rules and how to comply with them. To help your office steer clear of problems, consider the following actions that can help you stay on top of the regulations. While training methods and materials will vary from one practice to another, these eight parameters can help guide you through the compliance basics. 1. Explain HIPAA and What It Entails Your staff members should be able to articulate in simple terms what HIPAA is and what it aims to protect. You have to protect your patients’ health information, and clinical and administrative staff should walk away from training understanding that everyone has the right to have their PHI kept secure.
Covered entities (CEs) (i.e., medical practices) should keep in mind that there are two parts to HIPAA, says Melissa Dill, managing director for the healthcare consulting practice at Crowe in Indianapolis, Indiana. “There’s the Privacy Rule, which tends to be more focused on the non-electronic and access aspects of an individual’s protected health information [PHI]; and then there’s a Security Rule, which focuses on the electronic management of that individual’s information.” 2. Identify Your Practice HIPAA Officer You absolutely need a dedicated HIPAA security officer. No matter the size or scope of your practice, if patients’ ePHI is being held or transferred at your office, the HIPAA Security Rule mandates the assignment. “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures,” notes the Administrative Safeguards section of the HIPAA Security Rule. It’s vital that everyone in the office knows who your practice’s HIPAA compliance officer is. Otherwise, you won’t know where to turn with potential privacy and security breaches that staff may cause, encounter, or report during the day. Remember: It will be your HIPAA security officer who acts as the liaison between the HHS Office for Civil Rights (OCR) and your legal team should a data breach occur. They must know your HIPAA compliance plan and speak to any issues that arise. 3. Set Specific PHI-Access Limits At the end of your training, your staffers should know their level of PHI access. This knowledge will enable them to conduct “self-audits” regarding their use of — or exposure to — PHI. 4. Know Where to Get a Copy of Your Privacy Notice You and your coworkers should know where to locate or obtain a copy of your notice of privacy practices. Anyone in the office should be able to point to the handout and make a copy available to a patient. 5. Discuss Privacy Violations, What To Do When You See Them When it comes to the Privacy Rule, violations vary in intensity, from minor violations to serious ones. Dill points to common issues like “simple things such as physicians’ handwritten notes being left somewhere where they can be seen by individuals who don’t have a need to see those notes, things being printed out and left on a printer for others to see, or an individual calling an office and wanting information and perhaps not being the patient, but being a patient’s parent, daughter, or child who does not have permission to access such records.” She cautions, “Those sorts of things that you don’t necessarily think of as an issue are the easy things to have a compliance issue or a violation.” Complacency is a threat to any HIPAA-compliant entity. Therefore, you and your entire staff must know your office protocols for reporting potential privacy and security violations or the accidental or inappropriate disclosure of PHI and ePHI. 6. Put the Patient First HIPAA wasn’t ever meant to direct you on how to care for your patients. It was created to direct CEs on how to keep patients’ information secure. Protect patient information when you can but remember that these rules were never intended to hinder patient treatment. Make sure everyone in the office understands that HIPAA allows the disclosure of health information for treatment purposes. In addition, HIPAA does not require a business associate agreement (BAA) in order for a provider to share health information for the purpose of treating a patient. So, if another physician on your patient’s care team needs information about the patient to treat them, it’s okay to share that information, and a BAA is not required between your practice and the other physician’s practice. Keep in mind: HIPAA also allows the sharing of patient PHI for payment (third-party payer) and healthcare operations (consultant) purposes. Note that a BAA may be needed for some aspects of payment/operations sharing — for example, with a billing company that works for the practice or with a consultant that is doing an audit — to ensure that the BA safeguards the PHI as the practice would. 7. Don’t Stop at the Top If you’re planning to educate only your managers in hopes that the crucial information will trickle down to your frontline staff, you need to reassess your strategy. The rule is very specific about having everyone in your organization trained on privacy. 8. Consider Creating a Script There’s nothing wrong with preparing responses in anticipation of certain patient questions about HIPAA. For example, when patients come into your office, your employees can use a script to present them with your notice of privacy practices and to answer common questions they may have regarding the form. You should tailor your scripts to your office’s most frequently asked questions and your staff members’ comfort levels.
For instance, if a patient asks what their privacy rights are, you can hand them the form and say, “Your rights are set forth clearly in the notice of privacy practices. After you review the notice, I would be happy to have our HIPAA compliance officer discuss them further with you.” Important: The HIPAA Privacy and Security Rules offer organizations guidance on how best to set up policies and implement procedures to assess risks, protect PHI/ePHI, and circumvent violations. The rules advise not only on the provisions of the federal law, but also provide practices with guidelines to assist with HIPAA compliance planning. “Your staff are your greatest asset, but can also be your biggest weakness,” maintains Brand Barney, HCISPP, CISSP, CISA, PCI-QSA, security consultant at Coalfire in Mont Vernon, New Hampshire. “[HIPAA] security awareness training doesn’t have to be a once-a-year event or happen only when there’s a new hire. Make sure your staff understands that they must reasonably and appropriately restrict access to only those persons/entities with a need for access to PHI and systems.”