When the HIPAA Omnibus Rule went into effect in January 2013, it included new privacy and security regulations. It also modified the definition of a HIPAA breach, and included new requirements related to breach notification. If your health system has not briefed all of its employees on these changes, it needs to do so—and soon.
Under the HIPAA Omnibus Rule, maximum penalties for HIPAA noncompliance increased to $1.5 million per violation, depending on the extent of the violation. Should a breach occur at your facility, failure to comply with the Breach Notification Rule in a timely manner could bring you closer to that maximum fine.
To reduce the likelihood of such a problem occurring at your healthcare system, it’s a good idea to dedicate one of your HIPAA training sessions to the Breach Notification Rule. Here are five of the most important issues to focus on during HIPAA training.
#1: Training on the definition of a breach and on the definition of protected health information (PHI).
To ensure your employees help you comply with the Breach Notification Rule, you must first make sure that they understand what constitutes a breach. If they do not, they may fail to recognize a breach when one occurs at your healthcare system, and therefore fail to help you take the measures required under the notification rule.
In addition to defining a breach during training sessions, share examples of real-world breaches that have occurred at similar healthcare systems. This will help employees gain a more thorough understanding of what constitutes a breach.
#2: Training on the notification rule.
Your employees must also understand what steps they should take if they suspect a breach has occurred. Depending on how many individuals are affected by the breach, HIPAA requires covered entities to notify the affected individuals, the media, and HHS within 60 days following the discovery of the breach.
To ensure employees understand the importance of acting quickly, make sure they are aware of the basic notification rule requirements, and also, the penalties your healthcare system will face for failure to comply.
Note: The individuals who will be responsible for complying with the breach notification requirements once a breach has occurred, such as your organization’s HIPAA compliance officer, should receive special, more in-depth training on how to handle this process appropriately. For more information, visit www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
#3: Training on how employees should handle a suspected breach.
Your employees may be the first to identify a potential HIPAA breach, so provide guidance during training sessions on how they should handle such a scenario. Make sure they know who is in charge of HIPAA compliance and how to contact that individual if they suspect a breach. Also, tell them what to expect if they do voice concerns about a suspected breach: they will need to share who they believe may have been involved, how the breach may have occurred, when it may have occurred, and what information may have been breached.
Keep in mind that employees may be reluctant to come forward with suspicions of a breach because they fear backlash from the employees involved. For that reason, make sure employees understand that any concerns they voice regarding a suspected breach will be kept confidential.
#4: Training on consequences for failure to comply.
During training sessions, notify employees of the consequences associated with breaches and failure to notify the compliance officer if a breach has occurred. These consequences should be consistent for all employees, including physicians and administrators.
You may also want to state whether these penalties vary depending on the extent of the violation. For instance, immediate termination may result from a willful disclosure of PHI with malicious intent, while mandatory training may be required if an employee accidentally discloses PHI. Provide employees with a document outlining the various scenarios and penalties.
#5: Training on protections for those who come forward about suspected breaches.
In addition to making the penalties and consequences for violations clear, you may also want to make employees aware that in certain situations they may be afforded protections. For instance, if an employee who took an action that may have led to a breach voluntarily admits his or her mistake in a timely manner, that may lessen the consequences associated with the potential breach. This may increase the likelihood that employees will come forward.