HIPAA Requirements – Still Posing a Challenge for Healthcare Organizations and Business Associates

Last fall, during the HIPAA Security Conference in Washington, DC, the HHS Office for Civil Rights released statistics detailing the types of security breaches that had been reported. The biggest takeaway was that 80% of the reported breaches were caused by human error. That astonishing figure clearly indicates that one of the primary reasons these breaches occur is a lack of employee training in HIPAA requirements and safeguards.

The reported breaches were caused by theft, loss, unauthorized access or disclosure, and improper disposal of protected health information. Most, if not all, of these causes are preventable. The HIPAA Security Rule mandates that if your organization is a Covered Entity or a Business Associate, you must have a HIPAA Security Awareness Training Program in place.

The HIPAA Security Rule specifically states that a Covered Entity or a Business Associate must provide training that meets the requirements of the Code of Federal Regulations, as follows:

  • The training for a Covered Entity or Business Associate must cover all policies and procedures with respect to safeguards for electronic protected health information;
  • Each member of the Covered Entity’s or Business Associate’s workforce must receive the training;
  • The training must occur within a reasonable period of time after a new staff member joins the Covered Entity’s or Business Associate’s workforce;
  • A Covered Entity or Business Associate must document that the training was provided;
  • Training must occur on an annual basis, at minimum.

Keeping a workforce educated and aware of how to prevent HIPAA breaches is critical to any compliance program. Workforce training must be ongoing and comprehensive, not just a ticket-punching exercise to meet the annual regulatory requirement. Periodic security reminders are vital: discuss best practices for safeguarding protected health information on a regular basis, such as during staff meetings or through email reminders.

Reinforcing an organization’s HIPAA Sanction Policy highlights the serious repercussions, including disciplinary action or termination, that follow when someone in your workforce violates policies and procedures.

Protenus, an organization that advocates patient privacy protection, recently released a white paper that examined the cost of data breaches to healthcare companies. The costs reported in the paper are staggering, e.g., “Breach notification costs $560,000 on average,” and “for each data breach, healthcare organizations average $3.7 million in lost revenue.”

Among 2016’s HIPAA settlements were three substantial fines of $5.5 million, $3.9 million, and $2.75 million. This year began with another large settlement of $2.2 million in a case involving the theft of an unencrypted USB drive containing the protected health information of 2,209 individuals.

HIPAA training and education is cost effective and plays a critical role in reducing, or even eliminating, the breaches caused by human error that can result in substantial fines.