The privacy and security policies and procedures are in place and updated, encryption of e-mail and computers is completed, the risk assessment and mitigation plan is close to done, and business associate agreements are in place. It is time to breathe a sigh of relief and feel confident in your HIPAA Compliance Program. Right? What else could have been missed? Wrong. Many healthcare organizations fail to understand, and fail to effectively prepare, their workforce members to understand how privacy and security relate to their specific jobs.
Workforce members have proven to be one of the top underlying causes of HIPAA data breaches – both large and small. Recently, a large data breach in Florida brought to light that workforce members had been printing facesheets of patients and selling them on the market. Another recent breach involved a patient leaving a USB drive containing PHI in a backpack in a car, which was then stolen.
Many healthcare organizations train staff once per year and assume that this education and training is enough to give workforce members the information and tools they need to properly understand healthcare privacy and security requirements. Is that enough? Periodic training and updates should also be done throughout the year. Here are some common issues seen with training:
Timing – education happens yearly (maybe) or upon hire, with no additional education provided. Failing to adequately and consistently train workforce members on privacy and security in healthcare can leave an organization with many vulnerabilities in protecting patient information.
Workforce Members – healthcare organizations misunderstand the definition of workforce members and so miss training some of them on healthcare privacy and security requirements. When people are left out of training because of a misinterpretation of who is part of the workforce, gaps are created in the organization's understanding of privacy and security.
Methods & Information – using the same methodology and information for training year after year can prove ineffective at building the skills and understanding necessary to successfully safeguard patient information. Re-using the same education materials and methods over and over again is a common practice in healthcare organizations and results in improper education and understanding by workforce members. People learn in different ways, and failing to acknowledge this and build training around multiple methods can leave some workforce members never fully grasping the concepts of healthcare privacy and security.
Relevant Data – training focused only on the regulations, and not on how the specific healthcare organization's technology and policies and procedures interact with privacy and security compliance, can cause issues. When workforce members do not understand the organization's current practices and how its technology supports the protection of patient information, the organization creates risks and inconsistencies in the day-to-day practices meant to safeguard patient information.
Regular Updates – many organizations do not provide regular updates and information on current healthcare privacy and security compliance issues outside the regularly scheduled HIPAA training. Out of sight, out of mind – without regular updates on current industry concerns, workforce members will push protection of patient information to the back burner and make careless mistakes, potentially causing a data breach.
Privacy and security education should be more than looking at a computer screen, watching a video, answering a few questions, and printing a completion certificate. Proper training should take place in a variety of ways, such as e-mail reminders, staff meeting discussions, current articles, and question and answer sessions. Successful training should be interactive, relevant, and memorable to the workforce in order to build understanding and knowledge of healthcare privacy and security. It is time to start effectively preparing the workforce to help safeguard and protect patient information. Don't let your organization make one of the top 5 mistakes when training the workforce on healthcare privacy and security. Make 2015 the year you create a robust HIPAA Training program that will properly prepare your workforce for success in safeguarding patient information!