It could be time for some refreshers. Just because the physicians and staff in your practice routinely hear about – or speak of – HIPAA doesn't mean everyone is as compliance savvy as they could be. The ins and outs of HIPAA can be confusing, so be sure all your employees – from the top down – are familiar enough with the basics to protect your patients and your practice. Starting point: Training needs to be ongoing versus an annual event because the rules, regulations, updates, and laws that are pervasive in healthcare today don't come out annually; they change daily. And open communication and a willingness to invest in education are the hallmarks of successful providers. Why aren't healthcare organizations more prepared for HIPAA breaches? "The number one issue is lack of awareness that this can happen," says Kurt J. Long, founder and CEO of FairWarning, Inc in Clearwater, Florida. "Providers are worried about patients and focused on patient care and for whatever reason many practices of all sizes are remarkably unaware of the threats." Create Your HIPAA Checklist That Focuses on These 5 Tips Checks and balances keep the healthcare industry honest from top to bottom, and education is at the heart of any good compliance plan. The HHS Office for Civil Rights (OCR) also mandates training. According to the HIPAA Security Rule, covered entities (CEs) "must provide for appropriate authorization and supervision of workforce members who work with ePHI." Not only must each practice train its staff on its individual HIPAA protocols, but CEs also need to enforce determined requirements "and apply appropriate sanctions against workforce members who violate its policies and procedures," the HIPAA Security rule cautions. Take a look at these five areas where HIPAA expert Jim Sheldon-Dean, Principal and Director of Compliance Services for Lewis Creek Systems, LLC, in Charlotte, Vermont suggests practices need better training: Tip 1: Cybersecurity. Avoiding ransomware attacks and phishing expeditions takes know-how. A thorough cybersecurity education is essential, maintains, Sheldon-Dean. "Don't open the attachment or click the link!" Tip 2: Devices. Many of the high-profile HIPAA violations over the last year were directly related to the management (or lack thereof) of portable devices. Train employees on the proper use of portable devices and remote access, advises Sheldon-Dean. "Don't put PHI on your phone unless you are supposed to; don't start using new apps or devices without clearing them with IT; and don't access any email with any PHI unless you must for your job." Tip 3: Upper management. Front desk employees often get minimal training, and that needs to change. But clinicians and upper management must also be on board and remain updated on HIPAA guidance, too. Upper management must be aware of "the importance of and processes in information security," explains Sheldon-Dean. "Good information security is a patient safety and corporate survival issue." Tip 4: Risk awareness. Evaluating risk through assessment, analysis, and management is critical for practices, and it's required under the HIPAA Security Rule. An area in need of improvement is "training for managers to always be alert for risk issues," Sheldon-Dean says. "Local managers need to know how to watch for and act on things that may affect information security." Tip 5: Incident management. HIPAA violations happen, but employees are often nervous to verify breaches or tell practice management about their hunches. Sheldon-Dean encourages, "Train in incident management, top to bottom." He adds, "Staff need to feel like they are empowered to report their suspicions of information security incidents, the handling of incidents needs to be clearly defined, and top management needs to understand the impacts of incidents and the necessity to prevent them as reasonably practicable."