April 15th, 2019
HIPAA compliance entered the public eye in 1996 when the Health Insurance Portability and Accountability Act was passed. For organizations dealing with any facet of healthcare, it revolves around the protection of patients' private information. Any health information stored, accessed, or transmitted electronically falls under this protection. Penalties for violating HIPAA compliance come in many shapes. Monetary fines start as low as $100 for each violation and reach as high as $1.5 million.
The punishment does not stop at a company’s pocketbook, however. More severe violations can result in jail time up to five years. Since HIPAA violations are made public record, failing to comply will cost your organization dearly in brand trust and the ability to land future clients as well as quality employees.
When HIPAA non-compliance occurs, it is often because of mistakes or a lack of knowledge on the part of company employees, and it happens accidentally, without malice. Regardless of how it occurs, organizations must put the proper protocols in place to get violations down to a rate of zero. The best way to do this is to combine best practices with recurring training to ensure employees not only understand what needs to happen to ensure HIPAA compliance but also grasp its importance, to the organization and, most importantly, to the patients.
Getting employees to value these higher concepts takes leadership, time, and training. A combination of educational guidance and technological mandates is the key to keeping your employees on the right side of the HIPAA compliance line.
Educating Employees on HIPAA
Every employee at every company has gone through some sort of education course prior to beginning work. But HIPAA compliance goes far beyond a one-time onboarding training package. It’s not something you pick up in a one-hour module during your first week on the job.
Experts will tell you that the real flaw in HIPAA training is a lack of passion from the course instructors. If the leaders of an organization, or a third party they hire to train staff in HIPAA compliance, cannot connect with employees and get them fundamentally connected to the task at hand, retention rates are bound to suffer.
One key is to make training sessions more interactive and present employees with real-life scenarios rather than written quizzes. While people learn in different ways, having employees engage in role play guarantees a level of interaction that is remembered more specifically than words on a screen.
Of equal importance is the timing of the HIPAA compliance training. Once a year is not nearly frequent enough to meet the challenge of keeping compliance rules fresh in one’s mind. Training needs to happen at least once per quarter or whenever new rules and regulations come online, whichever comes first.
Ultimately, HIPAA compliance education is a true test of an organization’s leadership. Great leadership does not eliminate the possibility of non-compliance, but poor leadership will invariably lead to it at some point down the line.
HIPAA Technology Concerns
The exponential growth of technology is both a blessing and a curse to those working in the medical industry. New innovations are connecting doctors and research like never before, and breakthroughs are happening in real-time. But the advance of technology also exposes more gaps for patient information to be mishandled, exposed or stolen. Constant vigilance and adherence to set policies are imperative to maintain HIPAA compliance in the digital era. There are five basic tenets of this stance that require guiding policies and procedures to ensure they do not become leaks in an organization’s HIPAA security system.
- Author and maintain a strict policy on work-issued mobile devices. The convenience of laptops, tablets, and smartphones is tempered by them being a bit too convenient in instances when they are lost or not shut down properly. Leadership must establish precise boundaries for where the devices can be taken, who can use them, what the procedure is when leaving them unattended, and more.
- Enforce company policy about social media. The average employee seldom has restrictions on posting information or photos from their office. The opposite must be enforced for businesses practicing HIPAA compliance. No information should ever be posted to social media or blogs, and photos are risky because most can be enlarged to show background elements such as files, paper, or screens.
- Never use personal email or IM accounts to transmit information that is work-related. All transmissions of protected documents should be through wire-to-wire encryption. Imagine your doctor telling you that he tried to send your test results through or SnapChat. Impress on employees how important the right channels are. Anything that’s not 100% approved should be treated as a major violation.
- No sharing of credentials for access-controlled systems including cloud-based work environments. As prior attacks have shown us, the cloud is not always as safe as its proponents would have you believe. Every individual must have his or her own entry point into the system to ensure they are using the system precisely as they are intended to. Independent audits are a great way to ensure everything is proceeding as it should.
- Beware of using screens to highlight patient information as they can be viewed by other patients, non-authorized staff, etc. The devil is in the details sometimes. Big display monitors might make your doctors and nurses’ jobs a lot easier, but if they’re making patient data visible to untrained staff members and other patients, you’re going to fall out of compliance. Patient privacy must supersede everything.
Technology has had a transcendent effect on healthcare in recent years but has also increased the number of ways that HIPAA compliance can be threatened. Healthcare industry leaders must be cognizant at all times of how technology is being used by their employees to ensure no violations are taking place. HIPAA compliance education is also vital to keep organizations from being cited for violations. Planned, passionate training sessions should be considered best practices.