How do you avoid HIPAA violations?

How do you avoid HIPAA violations? Should HIPAA Covered Entities and Business Associates resign themselves to the fact that HIPAA violations are hard to avoid and give up trying to avoid them? Of course, the answer to that question is “no”, and during this article we will discuss what can be done to avoid HIPAA violations. 

HIPAA Training is one of the most important tools a CE or BA has in their arsenal to prevent violations. Training is essential, not only because it is actually required by HIPAA, but because educating employees on what HIPAA is, what protocols are in place to protect PHI, and even what the potential consequences are for violating HIPAA, can help to emphasize the importance of HIPAA and foster an environment of compliance.  

Even given the fact that accidental and incidental HIPAA violations will occur and, given human nature, are hard to prevent entirely, training employees helps ensure that they know what to do in the event of a HIPAA violation. Quick reporting can limit the scope and severity of violations.

HIPAA requires that all CEs and BAs appoint a HIPAA Privacy Officer and HIPAA Security Officer. Often, particularly in smaller organizations, these roles will be consolidated into a single “HIPAA Compliance Officer”. One of the primary duties of these compliance officers is to organize HIPAA training for the workplace. HIPAA does not stipulate how frequently these training sessions should be held. Generally, the industry standard is that all employees should be trained annually, with more frequent “refresher” sessions running throughout the year. Additional training should also be provided if there are any changes to workplace protocols. 

All new employees, students, and volunteers that join an organization should be trained in HIPAA as soon as they join to help to avoid any violations. 

Indeed, HIPAA provides very little information in general on the type of training that should take place. The HIPAA Privacy Rule’s Training Standard states the following: 

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

while the Security Rule Training Standard requires Covered Entities to:

“Implement a security awareness and training program for all members of its workforce (including management).”

There is clearly no information here on what the content of these training sessions should be. However, for the annual session, where all employees should be trained in the same general facts of HIPAA compliance, the following modules should be considered: 

  • HIPAA Overview and Definitions
  • Protected Health Information 
  • HIPAA Rules
  • HITECH Act
  • Disclosure Rules
  • HIPAA Violations and their Consequences 

Aside from HIPAA training, another key tool CEs and BAs should use when considering how to avoid HIPAA violations is HIPAA Awareness. HIPAA Awareness means promoting HIPAA in the workplace so that it is always at the forefront of employees’ minds. This may involve sending weekly emails, requiring employees to complete regular “pop quizzes”, or placing reminders around the workplace. These reminders can focus on particular aspects of HIPAA compliance, particularly in areas of “weakness”. For example, a poster reminding patients of the characteristics of phishing emails can be placed in front of a bank of computers.