Let me count the reasons for an employer to conduct HIPAA training. While orange is in this season, nobody wants to be on the receiving end of a criminal prosecution for the misuse of PHI. The headlines can kill even a thriving business and the penalties are equally terrifying.
With the capture and sale of Protected Health Information (PHI) quickly growing, employers should take proactive measures to protect themselves from the ethical, legal and criminal repercussions that can arise from a HIPAA violation. The complexities of HIPAA and the Privacy Rule can be mind-numbing, and organizations may be tempted to gloss over the nitty-gritty, not understanding exactly how the law is enforced should an unlawful disclosure occur. This lackadaisical approach is a grave mistake, as the enforcement provisions for HIPAA are actually statutes of Title 42 of the U.S. Code, which provide civil and/or criminal remedies for violations.
HIPAA training is a vital operational component for any Covered Entity and should be a top priority every time a new employee is onboarded. Additionally, regular trainings should occur as a refresher for employees who have already undergone their initial training. While the regulations do not explicitly specify a timeframe for continued training, annual refreshers are a generally accepted best practice.
In the midst of normal business operations, HIPAA training may seem like a financial drain and time-consuming inconvenience. However, ensuring that all training requirements are instituted is a necessary safeguard against both intentional and unintentional employee violations.
Training every employee with access to PHI is an important step towards ensuring HIPAA compliance. While managers and physicians are typically the first to receive training, even the newest intern should be trained to ensure compliance. Many violations occur inadvertently because an entry- or mid-level employee is not well-versed in privacy requirements and has no frame of reference for appropriate use of PHI. Proactively training employees and offering refresher training can help Covered Entities steer clear of violations.
Sometimes, even proper training and good-faith efforts to foster a HIPAA-compliant workforce do not protect an employer from liability in court. With this liability trend in mind, employers may choose to reconsider the access that employees have to information across the organization's computer systems. Limiting access reduces the number of situations in which an employee can illegally access personal patient information. As learned through the $1.33 million award in Walgreen Co. v. Abigail E. Hinchey, misguided employee activity that falls within the “normal scope of employment” can lead to employer liability. Reducing the access that an employee has within his or her “normal scope of employment” can afford greater legal protection for an employer in the event of a violation.
All employers should take the following steps to reduce the potential for liability should an employee wrongfully use or disclose PHI in violation of HIPAA:
1. Establish corporate policies that align with HIPAA compliance standards
2. Audit employee activity
3. Pre-determine disciplinary policies should a violation occur
4. Document all HIPAA trainings
When building the privacy standards and training policies for an organization, remember that HIPAA establishes the national minimum standard. State laws can – and some do – require even greater privacy protections. All employers should be familiar with the additional requirements of the state they operate in. HIPAA compliance and appropriate training are a foundational aspect of any Covered Entity.
Written by: Meagan Bates