A HIPAA Penalty Can Be Avoided Using Key Online Tools and Training

Technology can only go so far in protecting data and avoiding a HIPAA penalty, but your employees have an almost limitless ability to make mistakes, take shortcuts, or let their curiosity get the better of them, resulting in a HIPAA violation. A HIPAA penalty may even affect your ability to collect your Meaningful Use money through the Electronic Health Record (EHR) Incentive Program.

While the HIPAA Security Rule is focused on protecting electronic data, you may be surprised to learn that over 50% of the HIPAA regulations are Administrative Safeguards—policies, procedures, and training—with a smaller percentage split between Physical and Technical Safeguards. Key tools in protecting Protected Health Information (PHI) are Security Awareness and Training, focused on making sure your staff properly handles protected information in all forms—spoken, written, and electronic.

Two kinds of training are required. For managers and compliance officers, knowing about HIPAA, how to manage a compliant environment, and what to do if something goes wrong will go a long way toward protecting your practice. Your general workforce doesn’t need to know details about HIPAA, just what they need to do and not do to make sure they don’t expose you to a complaint or investigation, and what will happen if they violate your rules.

Training records must be maintained as evidence to be used if you are audited or investigated for a HIPAA penalty. Even small organizations will find it easier to manage training using an online Learning Management System (LMS). This online tool will make it easy to track which employees have taken training and which ones haven’t. The LMS makes it easy to train your current staff around their busy schedules and absences, and to train new hires quickly and effectively before giving them access to patient information.

HIPAA Management Training

Managers with responsibility for organizational compliance must have a basic understanding of HIPAA. They need to recognize potential problems and prevent them from happening, create procedures to ensure ongoing compliance, and inspect your employees’ work to make sure it is compliant and not exposing your practice to a HIPAA penalty and a large fine. If there is a security incident, you must investigate and report it in accordance with state and federal regulations. 4Medapproved’s Certified HIPAA Security Professional (CHSP) training is designed for practice managers and compliance officers.

HIPAA Workforce Training

Workforce training needs to be specific and clear, explaining correct behavior. Your staff doesn’t need to know the specific regulations or what constitutes a HIPAA penalty, just your rules. Here are a few examples:

  1. Don’t use an unsecured web mail system like Gmail, Yahoo!, or Hotmail to send patient data.
  2. Don’t ever send patient data through a cellphone carrier’s text message system, because it is not secure.
  3. Never throw copies of patient information in the trash. Keep them separate so they can be shredded.
  4. Never share your password with anyone, including IT or your boss.
  5. Don’t snoop in records for patients you are not treating.
  6. If you see something that might be a violation, say something to your manager.

4Medapproved’s workforce training teaches workforce members the right behavior so they don’t create a HIPAA violation.

HIPAA Awareness

Security reminders can be effective in keeping your organization compliant. Signs saying things like “Never Share Your Password with Anyone” and “What you see here, and hear here, stays here” can reinforce the behavior you want between annual training sessions. Messages can also be displayed on computer login screens and electronic signage. Just a few words can help you avoid a HIPAA penalty.

Since 2012, HIPAA penalties have noted that the organizations whose data was breached had not trained their workforces. Large fines have been assessed, and Corrective Action Plans have been required where training had to take place after the HIPAA penalty. It’s a lot cheaper to prevent a HIPAA penalty than to pay a lot more after one.

Originally written for 4MedApproved.