Training Employees in HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. This act protects workers from losing their health insurance coverage when they change jobs; reduces health care fraud; provides industry standards for electronic billing and other health care information; and requires confidentiality when handling health care information.
It’s important to educate workers in industries such as health care to ensure they’re complying with the standards set by HIPAA. It’s also crucial that your employees know how to handle sensitive data if your organization is under review. Here’s what you need to cover when training your employees in HIPAA.
Why Privacy is Important
First and foremost, employees have to understand why privacy is such a significant part of HIPAA. If they don’t understand its importance, it’s easier for them to become careless.
Start by explaining that patients and clients trust you with this data. If data is not protected, it will diminish your organization’s credibility and put your reputation — and possibly your entire business — on the line. Patients have a right to their privacy, and it’s the employees’ job to handle their information confidentially.
Continue the conversation by detailing that patient privacy is the law under HIPAA and that a privacy breach can result in fines of up to $1.5 million. Try to find real-life stories of privacy breaches and the fines those organizations incurred because of them.
What Is Expected of Employees?
When training your employees, it’s important that you’re specific about what is expected of them. It’s not enough to say, “Keep patient information private.” Detail what type of information your organization stores, which information is protected under HIPAA, and who is allowed to review that information (the patient, the patient’s doctor, etc.).
Educate your employees about the specifics of your organization. Where is the information stored? What types of security measures are in place to secure that data? Which doors should be locked/unlocked during business hours? What’s the company’s visitor policy?
Your employees should also know what to do in the event of suspicious activity or a breach. Is there an anonymous method in place for filing a report? Discuss the specifics of how to do this.
What Document Expectations Are in Place?
Once you’ve covered expectations on how to physically handle sensitive information, cover what is expected of documentation practices. First, go over your document retention policy with them, and explain that through HIPAA, organizations must have at least a 10-year document retention policy.
Other questions you’ll want to answer in your training include:
- How do employees go about filing documents?
- Who can access these documents, and what should employees know about accessing them?
- How do you dispose of documents once the retention period has passed?
- How do you dispose of computers that contain sensitive digital information?
- Where should you store data, and where should you never store data (such as shared folders)?
How Should Employees Use Computers?
With so much sensitive data stored on computers, it’s crucial that your employees follow safe computing practices. Data breaches commonly occur because of poor computer habits, such as weak password credentials, which account for 76 percent of network intrusions.
Detail what employees can and can’t use work computers for (such as work-related email but not Facebook). Explain your policies regarding passwords, document sharing, document access, use of removable media like USB drives, etc. You’ll also want to cover how to spot phishing scams, viruses and other threats. Finally, detail what to do if an employee notices suspicious activity.
After you’ve completed HIPAA training, be sure you maintain detailed records of who has completed the training and whether or not they understand the procedures you covered. Consider offering a quiz at the end of the training to ensure trainees were paying attention. Also make sure to repeat training annually, although you may choose to offer employees a pre-quiz so they can test out of the training.