An Easy and Cost-Effective HIPAA Safeguard: Training
Federal requirements mandate only that the entire workforce in a practice be trained as 'necessary and appropriate to their functions.'
By this time, most people working in physicians' offices should have received some form of Health Insurance Portability and Accountability Act (HIPAA) training, but this isn't always the case. And the Department of Health and Human Services (HHS) has not been shy about sending the message to small practices—to the tune of $100,000 fines—that they had better get on board.
If any breach occurs that brings HHS into your office, all of your HIPAA practices can be scrutinized, including appropriate training and the documentation proving it has occurred. Fortunately for small offices, HIPAA training is one of the easiest and quickest ways to avoid inadvertently releasing protected health information.
When to train
The administrative requirements for HIPAA outline the kind of training that needs to be performed. They are somewhat vague, which allows providers leeway in their training practices. They simply mandate that a practice's entire workforce be trained as “necessary and appropriate to their functions.”
This translates—according to industry consensus—to initial training, followed by annual refreshers. Angela Rose, director of health information management practice excellence at the American Health Information Management Association, said offices should also provide training when there is a new hire, if there are changes to state or federal regulations, or if an office has a software, system or organizational change that impacts protected information.
“The good thing is, most of the HIPAA practices that are recommended are common-sense practices,” said Peter Cizik, CEO of BridgeFront, an organization offering employee development for healthcare providers. “Providers may say they know about HIPAA, but if they aren't refreshed on a regular basis, the nuances of certain practices can get forgotten.”
He recommends quarterly security reminders that could come in the form of an email blurb offering tips like “Don't walk away from your computer with protected health information on the screen” or “Remember to speak quietly when discussing private health information at the front desk.”
How to train
Information provided to staff should be somewhat tailored to their status. For instance, anyone accessing health information on a regular basis needs to know the acronym PHI (protected health information). They should know what can and can't be shared, how to properly disclose PHI, and what constitutes a breach. Depending upon their job, they may need to know more than that.
Cizik said people using a laptop need to know security basics like using a strong password, logging off after use, not walking away from it if PHI is accessible to others, and not leaving it in the car.
“If they know practical privacy and security practices in relation to their own computer, things that are easily controlled don't spin out of control,” he said.
Mid-level training may last about an hour, and people with more access to PHI may take up to 2 hours, Cizik said. Annual refreshers may only take 30 minutes.
“The point is to deliver enough information without overwhelming people,” Cizik said. “Giving everyone an A to Z on HIPAA isn't necessary, and they might not take it seriously if the front desk receptionist has to go through a 3-hour-long training.”
There are various types of HIPAA training available for physicians' practices, including lunch-and-learns, seminars, and webinars. These may not suit the “ebb and flow” of practices, however. For instance, they might not occur at the same time a new hire joins the group, Cizik said. Office managers can also train themselves and, in turn, other employees, but this can be immensely time-consuming.
A good, quick option can be online training, which is available at any time and is often inexpensive. Online training also provides a “paper trail” showing when people took it and if they passed the training, which is required during an audit.
“If you don't document it, then from an auditor's standpoint, you can't prove it is done,” Cizik said.
One good place to look for training is HHS' website, which offers continuing education courses on things like electronic health records, mobile devices, security risks, patient privacy and compliance.
“Training is probably the most impactful and cost-effective thing providers can do,” Cizik said. “Even if they don't have all of the other components in place, they can train now and work on the others—like policies and procedures or risk assessment—over time.”