Simply creating policies and procedures (P&P) to protect ePHI and carrying out a comprehensive risk assessment won’t prevent data breaches. Instituting technical safeguards will serve only up to a point. The Security Rule requires you to enforce compliance by your workforce. How will they know what constitutes compliance with HIPAA, HITECH, and the affiliated rules, and what constitutes a violation, unless they have been trained?
Make It an Ongoing Affair
You are required by the Security Rule, as a covered entity, to train your staff before granting them any authorization to access ePHI. They must be trained on the requirements of HIPAA, HITECH, and the affiliated rules, as well as on your policies and procedures for ensuring the confidentiality, integrity, and availability (CIA) of all PHI and ePHI. They should understand the limits on access to, and disclosure of, any PHI. You might need to carry out the training in phases to prevent information overload and the confusion that results from it. They’ll be less anxious if they realize that they can get doubts clarified at the next round.
Try this: Set aside a specific time during the work day, sometime mid-week, for personnel who have doubts to seek clarification from a designated individual – your security officer or whoever else is responsible for training. Check that all new employees receive appropriate HIPAA training upon being hired. Ensure that all existing employees receive appropriate HIPAA compliance training at least annually.
Keep Updating Information for Your Team
Whenever HIPAA or related health information regulations/rules change, ensure that all staff members receive updated training. List all security awareness and training programs, and evaluate their content against the standard. This will enable you to identify any gaps in the training program. The incident response team and the staff members who deal with a data breach should be given the training they need to be effective in their roles, and to carry out their responsibilities during an incident or when an incident is suspected.
Have You Defined Any Punitive Actions for Personnel Who Violate Prescribed P&P?
It is vital that you define the punitive actions to be taken against personnel who violate prescribed policies and procedures. Once they know that violations of P&P might even cost them their jobs, team members will be disinclined to indulge in any willful transgressions. They must understand that unauthorized viewing of the line of care of a family member or close friend also constitutes a violation of HIPAA.