You are probably wondering: HIPAA again? Yes, again and every year! Every January I re-train my clients on the HIPAA requirements, revise policies and procedures, and make sure we have no unnecessary exposures. The HHS recommends that you train your workforce yearly because human memory fades, you might have hired new people, revised your policies, or just need to tighten your compliance.
Penalties for lack of training could be huge: up to $1.5 mil per violation of HIPAA provisions. Let’s say a reportable breach has occurred and the OCR investigates your practice. The very first thing they will ask is your training documentation, and if you have none to produce or produce some de facto policies and procedures, which no one remembers seeing, the OCR will deem the breach a “willful neglect.” And the OCR imposes mandatory penalties for willful neglect going up to $50,000 per violation. We are likely talking about millions of dollars: if you lost a laptop containing records of 500 patients, this will constitute 500 violations! Did I get your attention?
So, let’s talk about what should be in your training:
If you are a covered entity, the training should cover all three parts of HIPAA: Privacy, Security, and Breach Notification.
If you are a business associate, HIPAA requires training only on the Security Rule. But because Business Associates enter into contracts with covered entities, I also make sure that during a seminar I cover Privacy Rule and how to identify and properly report a breach.
The HHS has prepared Security Risk Assessments tools (you should be re-assessing every year): https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
And of course, make sure you document all your training, who attended it, what they learned – and you surely will significantly reduce one of your multiple legal exposures.