- HIPAA Training that is too basic and not focused on specific risk areas and organizational policies is not only non-compliant, but also largely ineffective.
- HIPAA covered entities should have clear policies and training that address specific employee behaviors that are “high risk” for HIPAA violations.
- Organizations must make sure they are training everyone, and implementing effective Security Reminders.
Subscribe HERE to Legal HIE’s Compliance Library to gain access to sample HIPAA policies, tools and training materials. HIPAA Train© training modules for workforce are coming soon! Email us here to get on our notification list.
An Indiana Court of Appeals recently reinstated a patient’s claim that an Indiana hospital is vicariously liable for the actions of its employee who shared the patient’s confidential information with an unauthorized third party. Although the lower court originally dismissed the case, the appellate court found that there is a “genuine issue of fact” and remanded the case for further proceedings. Now a potential monetary settlement teeters on the edge as the hospital’s potential liability for this employee’s HIPAA non-compliance rests in the hands of further proceedings in the lower court – so, you might want to ask why did this happen in the first place?
Reason #1: Your HIPAA Training is Too Basic.
HIPAA rules require every “covered entity to train all members of its workforce on the policies and procedures with respect to protected health information . . . as necessary and appropriate . . .” (45 C.F.R. 164.530(b)(1)). Additionally, covered entities and business associates are both required to “implement a security awareness and training program for all members of its workforce (including management).” (45 C.F.R. 164.308(a)(5)). Therefore, high-level “HIPAA 101” education does not meet the standard required under the HIPAA rules. Unfortunately, over the years an entire cottage industry has emerged with hundreds of companies and consultants offering “HIPAA training” with promises of making your organization “HIPAA-certified,” and even granting “HIPAA compliant” badges to display on your website. However, not only is basic HIPAA awareness and education insufficient to meet HIPAA regulatory requirements, it is essentially wholly ineffective in getting your workforce to focus on what they really need to know in order to avoid behaviors that violate HIPAA, and which put your organization at risk for penalties and potential lawsuits.
Therefore, the first step towards getting your employees to stop snooping in patients’ electronic medical records is – drum roll – training them specifically on your organization’s policy making “snooping” a prohibited activity (see Reason #2). More broadly, HIPAA training of workforce should be tailored for the organization, and cover specific employee behaviors that are known to create “risk” for HIPAA violations. For example:
- “Curiosity viewing” (a.k.a. “snooping”) in EMRs for unauthorized purposes, including “quick looks” at health information of: celebrities, high-profile patients, neighbors, friends, ex-boyfriends/ex-girlfriends, ex-husbands/wives, “my daughter’s boyfriend, who I wish she was not dating,” etcetera …;
- Smart Devices (ex. iPhone) being used to take pictures of patients or their PHI, text PHI, or send attachments with PHI;
- Downloading or copying PHI to personal laptops, smart devices, flash drives, or other unsecure medium;
- Posting PHI on Social Media, including pictures, names, or a description of a situation involving a patient which might be “recognizable”;
- “But I didn’t mention the patient’s name” (which does not equal “de-Identification” under HIPAA);
- Physically Removing PHI off the premises;
- Leaving PHI in unsecure locations (ex., laptop in your car trunk);
- Sharing Passwords .. and more.
So, if your HIPAA training is too basic, your workforce is not getting the heart of what they really need to help your organization avoid violations. Many of the Settlement Agreements that OCR has entered into for resolution of HIPAA violations require the settling organization to complete HIPAA retraining of its entire Workforce. Thus, the first step an organization can take to help prevent employees from engaging in behaviors that violate HIPAA is to develop and implement a thoughtful and tailored HIPAA training program.
Reason #2: You Do Not Have a Policy on the Topic.
Dovetailing off of tailored HIPAA training, another reason an employee might engage in behavior that violates HIPAA is because your organization does not have a clear and specific policy covering the topic. For example, in one of the first HIPAA Resolutions Agreements for $1M, OCR found that a large hospital system had no policy governing the removal of PHI documents from the premises, which led to an employee removing such documents and leaving them on a subway train (which were never recovered). In another October 2019 Resolution Agreement, OCR found that a dental practice failed to implement policies and procedures with respect to prohibiting the posting of PHI on social media and public platforms, which led to a dentist improperly sharing PHI on Yelp in an attempt to defend himself against a patient’s complaint about services received. Therefore, an organization’s HIPAA policies and procedures must, at a minimum, cover the “special topics” that OCR has identified in its Resolution Agreements. OCR has reached over 73 Resolution Agreements or issued CMPs, and each such case offers a lesson learned and topic that is a “must add” to every organization’s HIPAA policies and training.
Reason #3: You Have Not Implemented Security Reminders.
Covered entities and business associates are required to implement “security reminders” if doing so is a “reasonable and appropriate” step to safeguard its environment, when analyzed with reference to the likely contribution to protecting electronic PHI. Using “security reminders” is a fantastic tool to again regularly remind your workforce about key “HIPAA risk” behaviors, which in turn can help your organization prevent such behaviors from occurring in the first place. Everything from posters, to pamphlets, to printed “post-its” can be used at work stations, employee lounges and other areas that are “high-visibility” to employees, as well as reminder emails, and even a “pop-up” security reminder-of-the-week upon log-in. Here is an example:
Reason #4: You Did Not Train Everyone.
In 2013, a Shasta Regional Medical Center paid a $275,000 monetary settlement and entered into a Corrective Action Plan (CAP) after OCR found that senior leaders – i.e., the CEO & CFO – who disclosed a patient’s PHI to multiple media outlets were not sanctioned for such violations and had not received any HIPAA training. OCR specifically noted: “senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.” Therefore, Shasta highlights that organizations should include all workforce members in its HIPAA training program, including C-Suite executives, medical staff, and even individuals who do not have a direct need to access and use PHI.
In addition, the HIPAA rules require each new member of an organization’s workforce to receive HIPAA training within a reasonable period of time after the person joins the organization’s workforce. Under the CAP entered into in Shasta, OCR required such training to be provided to each new member of the workforce within thirty (30) days of the workforce member’s start date. Each workforce member who is required to attend HIPAA training was also required to certify, in electronic or written form, that he or she received the HIPAA training, including the date training was received. So, organizations need to make sure they are including all workforce members in their HIPAA training programs to prevent the “I did not know” excuse to being the cause of a HIPAA violation for your organization.
Reason #5: Employees Are Not Truly Aware of the Consequences.
Finally, employees must be made aware of the consequence to them personally if they violate HIPAA. The primary consequence an employee could face for noncompliance with HIPAA and the organization’s HIPAA policies is sanctions. The HIPAA rules require covered entities and business associates to develop and apply appropriate sanctions against members of its workforce who fail to comply with their HIPAA privacy or security policies and procedures. Therefore, employees should be made keenly aware that their HIPAA non-compliance could potentially lead to sanctions which could include immediate termination.
In addition to sanctions, workforce should be made aware that the HIPAA statute includes a criminal provision under which any individual — including an employee in his/her personal capacity – can be criminally prosecuted. Specifically, the HIPAA Statute provides:
(a) OFFENSE– A person who knowingly and in violation of this part–
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b). For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.
(b) PENALTIES — A person described in subsection (a) shall–
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
Workforce should be made aware that individuals have been prosecuted under HIPAA’s criminal provisions for everything from “casual snooping” to purposeful access for a personal reason. In any case, including this lesser known consequence that an employee could face for unauthorized access, use or disclosure of protected health information often gets the attention and raises the stakes, and is an effective tool to disincentivize employees from engaging in non-compliant behavior, which in turns helps decrease the employer’s exposure to liability and risk as well.
Subscribe to Legal HIE Member-Only content to gain access to resources including: (1) HIPAA training materials which are tailored for specific employee behaviors that are “high risk” for HIPAA violations; (2) sample policies covering “special topics” (ex., “social media & PHI”) that OCR has identified in its Resolution Agreements as requiring a P&P; and (3) over a dozen sample Security Reminders.
