Most breaches of protected health information (PHI) are related to human error, underscoring the need for medical practices to develop and maintain rigorous training programs for employees so they comply with HIPAA regulations. Yet physician organizations simply are not doing a good enough job when it comes to training, according to Jay Hodes, president and founder of Colington Consulting, a HIPAA consulting firm based in Burke, Virginia. Primarily, this is because HIPAA provides little guidance. Aside from broad parameters and a yearly requirement to train staff, practices are on their own.
Practices that want to create a culture of compliance need to have a comprehensive program, Hodes said. Individuals responsible for HIPAA training cannot just pop in a $20 training video and expect everyone to get up to speed.
“At the end of training, the person should walk away feeling like they understand HIPAA better,” he said. “There is nothing worse for an organization than to have someone say after a breach, ‘No one ever told me I couldn’t take that laptop home.’”
Make it user friendly
Training should be succinct, Hodes said. Attention spans are relatively short and people forget pretty quickly what they read. He also recommends making training user friendly and pertinent across the full spectrum of the workforce. It is too complicated, he said, to create different modules for billing personnel, nurses, front desk staff, and physicians.
Practice managers need to consider how training will be delivered, the length of time it will take staff away from their normal duties, and how detailed the training will be.
Online training is one option. For practices that take this route, Hodes recommends implementing some kind of system to ensure staff understand the information presented. At some practices, employees must attest to reading each policy and procedure. At other practices, individuals responsible for HIPAA training score tests and require staff to get a certain grade to “pass.” Another strategy is to provide personnel the answers to questions they miss before they move to the next question for positive reinforcement.
The challenge with online training, however, is that it is not interactive, said Laurie Zabel, director of Coding and Compliance for MedSafe, a healthcare compliance firm based in Wellesley, Massachusetts. In her view, the best option, if time allows and it is affordable, is to sponsor an instructor-led course in which people can ask questions and interact. These classes can be held in person or via video conferencing.
Practices can provide continuous education even without having an instructor come on site. At staff meetings, someone can pick a HIPAA topic and discuss how to prevent breaches. Practices can put monthly reminders on a bulletin board. IT staff can put a banner on computers that brings up a security reminder when staff log in the first time each month. Some topics to hit on include:
- Double-checking things like fax numbers and email addresses before sending any correspondence
- Changing passwords regularly and not sharing them with anyone
- Running reports regularly to find out who is accessing information
- Making sure people have access only to necessary files
- Ensuring people know they cannot go into anyone’s records – including their family’s – unless it is necessary to do their job
- Reminding people to lock the door and set the alarm when they leave at night
- Keeping desks clean, especially of all protected health information
- Showing examples of viruses and how to avoid them
- Reminding staff what minimum necessary information means
Zabel said she has seen practices misdirect faxes; mail test results to a patient and include another patient’s results as well; and a secretary who meant to send a coupon to patients, but instead sent a spreadsheet with patient data to 11,000 patients.
Should a breach occur, practices should immediately follow up with some sort of training that will help prevent such a breach from recurring, Zabel said. This training and any corrective actions taken to satisfy the Office for Civil Rights (OCR) should be documented, Zabel said. “All kinds of weird things happen in practices,” she said. “OCR knows you can’t control human error, so they are just going to look at what steps you do to make sure it doesn’t happen again.”