When a study released this fall found that more than 50% of staff fail Health Insurance Portability and Accountability Act (HIPAA) assessments, two-thirds witness internal breaches, and more than 80% of organizations only provide HIPAA training once a year or less, most of the experts Medscape Medical News spoke with weren't shocked.
"The findings are a little disappointing, but they're not a surprise," said Steve Alder, editor-in-chief ofThe HIPAA Journal, which published the study in conjunction with ComplianceJunction, which develops online HIPAA compliance training. "Annual HIPAA training is a best practice rather than a requirement of HIPAA."
One implication of not providing annual training sessions to physicians is an increased risk of accidental HIPAA violations, Alder added.
"This erodes patients' trust in their healthcare providers," he said. "Employees also need to be regularly reminded of the consequences of HIPAA violations, which the survey indicates are not well understood. There have been too many cases of employees snooping on health records."
The survey data, which reflects the feedback of 245 participants who work in the healthcare sector, found that staff were most likely to fail in four most challenging areas, including HIPAA Violation Consequences, HIPAA and Social Media, Computer Safety Rules, and HIPAA in Emergency Situations. This has major ramifications for physicians and patients alike.
To mitigate this, Alder added that regular training can help reinforce the need to keep health records private.
This survey is yet another reminder that healthcare organizations can't rely on one training per year, suggested Stacey Williams, CHPC, an information management and privacy specialist at Southwestern Vermont Medical Center in Bennington, Vermont.
"There should be additional efforts made, and this includes sending staffers a newsletter or putting out regular HIPAA reminders," Williams said.
An Innovative Approach
At the UBMD Physicians' Group in Buffalo, New York, Lawrence C. DiGiulio, general counsel and chief compliance officer, has spent the past decade setting up an office that is essentially the practice's infrastructure to ensure that laws, rules, and regulations that govern the healthcare industry are understood and followed.
He's also been focused on devising new ways to keep staffers up-to-date and engaged about HIPAA awareness assessments.
"We've tried to approach our physicians through different platforms to make sure they're engaged in the training," said DiGiulio of the practice that currently employs 1,800 staffers, including 631 physicians. "We've moved our training online, and we do this through our web portal, but we don't stop there — we do quarterly compliance newsletters with quizzes that the staff have to complete to show that they read and understood the material."
This training focuses on everybody in the workforce, from the front office, the billers, the coders, the HR department, the finance department, and the healthcare workers, including nurses, doctors, and support staff who work at the practice.
"We also send out regular email blasts with updates in compliance notifications," he said. "It's an ongoing communication."
In addition to all of these efforts, DiGiulio said he's always looking for additional ways to train doctors and their staff efficiently.
"We don't see training as a check-the-box kind of thing," he said. "By taking this multi-platform approach, we're able to keep our physicians engaged, interested, and benefiting. We don't want people to get bored hearing about this in [only] one way."
And if asked, his team will gladly conduct in-person HIPAA training.
"This is great because it allows us to get immediate feedback," he said. "Anyone doing the training can let us know what they understand and what they don't."
Ultimately, Alder urges healthcare organizations to regularly conduct HIPAA training sessions.
"It's important to develop trust between patients, and physicians and HIPAA compliance is one way of achieving this," he said. "If patients believe that their healthcare provider is taking HIPAA compliance seriously, they are likely to be more forthcoming about their health issues, which leads to better-informed decisions, improved patient outcomes, and higher patient satisfaction."
Williams added that communicating the importance of HIPAA training might be most effective if physicians and nurses are reminded to imagine what it's like to be the patient.
"I urge everyone to consider everything private and to always put themselves in the person's shoes," she said. "If this was your private and very personal health information, would you want it out there?"
Lambeth Hochwald is a New York City–based journalist who covers health, relationships, trends, and issues of importance to women. She's also a longtime professor at NYU's Arthur L. Carter Journalism Institute, United States.