HIPAA compliance is more important than ever, and it is not only because the HHS Office for Civil Rights (OCR) has launched phase 2 audits and stiff monetary penalties for non-compliance.1
The more important reason: Security breaches are occurring with greater frequency among small practices. Believe it or not, making an honest effort toward achieving HIPAA security compliance is potentially your best avenue to protecting patient data and your reputation.
You might be surprised, but the greatest threat to patient data is likely to be your staff. While malicious intent is possible, it’s uncommon. Careless actions on the part of staff, however, are quite common and often the root cause of a security breach. With good reason, the HIPAA Security Rule is riddled with references to staff training and makes mention of specific topics your training program must include.
It should be noted, though, that a well-documented security policies and procedures manual is a precursor to training. This is because training must be derived from the manual; therefore, without policies, you cannot be compliant with the training requirement. If you still need to create a policies and procedures manual, visit healthit.gov and download the Information Security Policy Template.2
Annual training topics
The following subjects should be reviewed with your staff every year as part of an annual training program.
Sanction policy: Closely mirror your actual sanction policy document with the sample template mentioned above, and have all employees, contractors, and volunteers sign it upon hiring. A sanction policy contains examples of security violations and their associated disciplinary actions. The act of educating employees about violations and their consequences is arguably one of the most effective HIPAA safeguards to implement.
Breach notification: It’s perfectly reasonable to just read your practice’s breach notification policy to staff members; however, some content is relevant only to your privacy officer and practice owner(s), so feel free to skip material beyond definitions and the importance of reporting a possible breach to the privacy officer. With that said, outline the reporting process your practice must follow in the event patient data is compromised, to reinforce why security is serious.
Password management: HIPAA requires that staff be informed about their responsibilities regarding password management. If you have a password policy, this training session will be brief. Training must cover:
- Number of unsuccessful login attempts before system is locked.
- Password requirements regarding:
  a. Length
  b. Complexity
  c. Change
  d. Reuse
- Avoid common words, names, initials, birthdays, or phone numbers.
- Refuse offers by software and internet sites to automatically log in.
- Password confidentiality.
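The password controls listed above (lockout after a fixed number of failed logins, minimum length and complexity, a denylist of common words, names and dates, and a ban on reusing recent passwords) are the kind of settings a practice's systems should enforce rather than leave to staff memory. The following is an added illustration written for this page, not code from the article or from HIPAAmate; the thresholds (5 failed attempts, 12 characters, 6 remembered passwords) and the small denylist are assumed placeholder values that should be taken from the practice's own written password policy.

```python
"""Password-policy enforcement matching the training checklist above.
Constructed example: thresholds and the denylist are illustrative assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Assumed policy values; set these from your own written password policy.
MAX_FAILED_LOGINS = 5       # lock the account after this many unsuccessful attempts
MIN_LENGTH = 12             # minimum password length
HISTORY_DEPTH = 6           # previous passwords that may not be reused
COMMON_WORDS = {"password", "welcome", "letmein", "clinic"}  # constructed denylist


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored values are not directly reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))  # one salt per account
    current: bytes = b""                                        # hash of current password
    history: list = field(default_factory=list)                 # hashes of previous passwords
    failed: int = 0                                             # consecutive failed logins
    locked: bool = False


def check_complexity(password: str, username: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    lowered = password.lower()
    if any(w in lowered for w in COMMON_WORDS) or username.lower() in lowered:
        problems.append("contains a common word or the username")
    # Crude checks for birth years and phone numbers embedded in the password.
    if re.search(r"(19|20)\d{2}", password) or re.search(r"\d{7,}", password):
        problems.append("looks like it contains a year or phone number")
    return problems


def set_password(acct: Account, new_password: str) -> list:
    """Apply complexity and reuse rules; store the new hash only if all rules pass."""
    problems = check_complexity(new_password, acct.username)
    candidate = _hash(new_password, acct.salt)
    # The per-account salt is reused so old hashes remain comparable for the reuse check.
    if any(hmac.compare_digest(candidate, old)
           for old in [acct.current] + acct.history if old):
        problems.append("reuses a recent password")
    if problems:
        return problems
    if acct.current:
        acct.history = ([acct.current] + acct.history)[:HISTORY_DEPTH]
    acct.current = candidate
    return []


def login(acct: Account, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'; lock the account after repeated failures."""
    if acct.locked:
        return "locked"
    if acct.current and hmac.compare_digest(_hash(password, acct.salt), acct.current):
        acct.failed = 0            # a successful login resets the failure counter
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED_LOGINS:
        acct.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = Account("jsmith")
    print(set_password(acct, "Clinic2019Rocks!"))   # rejected: common word and a year
    print(set_password(acct, "Correct-Horse-Battery-42"))  # accepted: []
    print(login(acct, "wrong"), login(acct, "Correct-Horse-Battery-42"))
```

A locked account in this model stays locked until an administrator clears the flag, which is what makes the "number of attempts before lockout" figure worth stating in training: staff who know the threshold are less likely to lock themselves out and more likely to report repeated failures they did not cause.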
Emergency operations: Discuss procedures for managing and documenting patient encounters if your EHR and practice management systems are inaccessible due to outages, and your plan for restoring those systems and recovering data following an emergency. Here, too, all you need to do is review your written contingency plan and data backup plan with staff to be compliant.
Workstation use: There are two learning objectives here, the first of which is employee responsibilities. These include challenging unrecognized personnel, workstation configuration (e.g., inhibit incidental screen viewing by non-employees), home use of practice assets, and a clear desk, clear screen policy. The second objective concerns prohibited employee activities, and software-use restrictions, such as crashing software, attempting to break in or inject code, browsing (accessing information for which there isn’t a “need-to-know” basis), personal use, and terms-of-use violations.
Malware: Considering the proliferation of ransomware—especially targeting health care providers—this topic is of great importance. Employees must be trained to avoid malware, to spot email phishing schemes, and to know what to do if they suspect an infected workstation. Sufficient training here will greatly reduce the likelihood of a virus wreaking havoc on your system.
No discussion of HIPAA training would be complete without mentioning training documentation requirements. You’ve heard the saying, “If it wasn’t documented, it didn’t happen.” The same is true with HIPAA compliance. At a minimum, training records should include a date, the topics covered, and who was in attendance. It’s that simple.
Remember, required and regular staff training will do more to protect patient information than any other HIPAA safeguard. Plus, it’s free to implement.
Jeff Brown, DC, is obsessed with creating affordable, easy-to-use software to finally end the frustration of HIPAA compliance. Brown’s career spans private chiropractic practice, meaningful use and compliance consulting, and software product management for health care technology companies. He is cofounder and CEO of HIPAAmate, software designed and priced for small practices. He can be contacted at 614-706-2066, firstname.lastname@example.org, or through hipaamate.com.
1 Office for Civil Rights. “OCR Launches Phase 2 of HIPAA Audit Program.” https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html. Updated March 2016. Accessed July 2018.
2 HealthIT.gov. “Information Security Policy Template.” https://www.healthit.gov/resource/information-security-policy-template. Updated September 2017. Accessed July 2018.