Since the implementation of HIPAA there have been many road signs to help guide us all through the tedious ins and outs of this important policy. When it comes to securing Patient Health Information (PHI) in the context of HIPAA compliance, we need to remember that the work doesn’t end once policies and procedures have been developed. A set of HIPAA policies and procedures, once developed and implemented, needs to be revisited regularly to ensure it still reflects the office’s current environment. An example of such a change may be the purchase of new computer hardware or software, or the addition of IT security controls. When this happens, it’s important that employees are made aware of and trained on these changes, and that the policies and procedures are updated as well.
HIPAA states in the Administrative Safeguards, under Section 164.308(a)(5)(i), that “An Office will implement a security awareness and training program for all of its workforce (including management).” Even though we’re told we must comply with this, it’s important to remember why we should. It’s everyone’s responsibility to understand the office’s policies and procedures and how their role at the organization contributes to securing ePHI and to HIPAA compliance.
The law states that a minimum of one annual security and awareness training is mandatory, but annual training alone is no longer considered sufficient, because the organization is not routinely keeping staff members knowledgeable about the HIPAA regulation. It can leave your office open to vulnerabilities if employees aren’t as knowledgeable as they should be.
Strategies for being proactive in HIPAA training and awareness:
- Ongoing education of staff members is the best way to be proactive. This can be done in many ways, but quarterly meetings are one method of staying compliant. During these trainings, staff should be told what sanctions are applied for noncompliance with the office’s policies and procedures.
- Your office can conduct trainings in many ways: through HIPAA security software, online training modules, seminars, and third-party organizations. While thorough education takes time, it’s the best investment a healthcare office can make.
- When things change, new policies and procedures may need to be developed, and employees should be made aware of these changes once they are implemented.
There are items in every office that need to be addressed to support HIPAA compliance. A few of these would be:
- Enable encryption and firewalls – Staff should be aware of the technologies that can remotely lock or wipe apps and software programs. You should have a backup plan, stress the importance of keeping encryption and firewall updates current, and require employee authentication.
- Correctly storing files – Discuss why it’s important to handle paper and electronic files properly, and remind employees to pay attention to what they are doing so files are saved or stored correctly.
- Hiding PHI from the public – Reminding employees to keep folders closed and screens out of the view of others keeps staff mindful so unauthorized eyes don’t see confidential information.
- Using social media – Explain to staff how being on social media can put them at risk of violating HIPAA. The office can be fined heavily if an employee is caught sharing protected information on social media. It’s better to hold a training on this so employees understand that using social media carries risks with serious consequences.
- Keeping up with mobile devices – Continually remind staff to be aware of the location of their mobile devices and to make sure devices are shut off or locked up when not in use.
NeKY RHIO can help with HIPAA training and awareness for your employees. Don’t let a lack of employee training and knowledge be the reason your office encounters a breach. Ensure each staff member is trained on being compliant, knows the consequences, and understands why compliance is important for protecting patients’ information.