Top 10 Reasons to be Up To Date on HIPAA Training
Most organizations have been providing HIPAA training to employees for years. However, given recent regulatory and enforcement changes, here are ten reasons why now is the best time to ensure that your organization’s HIPAA training is up to date.
- HIPAA Requires Training Updates. HIPAA requires all covered entities to deliver Privacy and Security training to their workforce to ensure that operational activities are carried out in compliance with the law. These training materials must be updated on a regular basis to reflect regulatory or organizational changes.
- HITECH Act Regulatory Changes. The Health Information Technology for Economic and Clinical Health (HITECH) Act, recently enacted, made several significant changes to the Privacy and Security rules. As such, HIPAA training materials should be updated to reflect these recent regulatory modifications.
- Breaches Cause Reputational Harm. Failure to properly educate employees on how to comply with HIPAA can result in a breach, which will most likely cause irreparable damage to any organization’s reputation. Covered entities are now required to report breaches to HHS. Additionally, for breaches involving 500 or more individuals, the covered entity must also notify a major media outlet. Reversing this negative publicity, if it can be reversed at all, can take years.
- Control Mobile Device Usage. Mobile devices are used daily in the health care industry. Due to their small size and portability, the loss and/or theft of these devices is often the primary cause of major breach scenarios. Every organization should educate and train its employees to properly use and protect devices that hold and store protected health information.
- Social Media Use. The use of social media communications is ever increasing. Employee insight, commentary and pictures posted on a variety of platforms (e.g. Facebook, Twitter) can easily become public and can be viewed by other individuals, including patients and the government. As such, employees should be trained to exercise good judgment and adhere to proper social media usage guidelines to ensure that a breach incident does not occur.
- Business Associates. The HITECH Act significantly changed the responsibilities of Business Associates with respect to HIPAA. Given the complexity of business associate agreements, employees should receive updated training to guarantee that all written agreements include the necessary requirements and that Business Associate HIPAA compliance is periodically assessed and documented.
- Evidence of an Effective Compliance Program. Organizations that can document up-to-date training completion have a better chance of demonstrating that they are effective in providing employees with the information necessary to comply with HIPAA.
- OCR Audits. The Office of Civil Rights (OCR) is currently evaluating covered entities’ and business associates’ compliance with the HIPAA Privacy and Security rules. In selecting whom to audit, OCR has clearly stated that all covered entities, large and small, are eligible. Up-to-date HIPAA training for employees is key to surviving any OCR visit.
- HITECH Act Increased Violation Penalties. The HITECH Act significantly increased penalties for HIPAA non-compliance, including increased levels of culpability and fines for each violation. With the maximum penalty amount for repeat violations per year capped at $1.5 million, these penalty amounts, already in effect, put a very high price on HIPAA non-compliance.
- OCR Compliance Review. If deficiencies are noted during an OCR audit, the government may opt to initiate a compliance review to further address serious problems. This may lead to a Department of Justice investigation, which could result in a Resolution Agreement with the Department of Health and Human Services and further monetary penalties.