Regardless of whether clinics are part of large healthcare systems or independent entities, the nature of HIPAA training for clinics should be much the same. All members of the workforce should undergo Privacy Rule training and participate in a security and awareness training program.
The content of HIPAA training for clinics is determined by the Administrative Requirements of the Privacy Rule (45 CFR § 164.530) and the Administrative Safeguards of the Security Rule (45 CFR § 164.308). Respectively, the relevant Standards state:
- Members of a Covered Entity's workforce should be trained "on the policies and procedures with respect to PHI [...] as necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity". Further refresher training should be provided "to each member of the workforce whose functions are affected by a material change in the policies and procedures."
- Each Covered Entity must "implement a security awareness and training program for all members of its workforce including management", a workforce being defined as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such Covered Entity, whether or not they are paid by the Covered Entity".
This effectively means clinics are required to train members of their workforces on the policies and procedures they have developed to ensure the privacy of Protected Health Information (PHI) as they apply to individuals' roles, and on the policies and technologies they have implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Unfortunately, these requirements alone can leave gaps in HIPAA knowledge which can lead to inadvertent violations of HIPAA.
The Issue with the HIPAA Training Requirements
The issue with the HIPAA training requirements for clinics is that members of the workforce can be exposed to PHI, or asked to disclose PHI, in circumstances not usually within their functions for the Covered Entity. For example, a maintenance engineer might recognize a patient entering the clinic and share their identity on social media. Or they may reveal the location of a patient to journalists who have heard rumors the patient is attending the clinic.
These types of HIPAA violations are foreseeable and should be identified in a risk assessment. However, because the requirement to conduct a risk assessment (also in 45 CFR § 164.308) only applies to ePHI, the risk of inadvertent physical or verbal violations of HIPAA can sometimes be overlooked. Nonetheless, both examples of a HIPAA violation provided above will likely result in a patient complaint which could be investigated by the HHS' Office for Civil Rights.
If an investigation into an unauthorized, but foreseeable, disclosure of PHI reveals that the disclosure occurred because the individual was not provided with "necessary and appropriate" HIPAA training, the clinic will be considered liable for the HIPAA violation and penalized accordingly. If the investigation reveals that the individual had been trained on unauthorized disclosures, but failed to comply with the requirements, the clinic will not be considered liable.
How to Fill Gaps in HIPAA Training for Clinics
The way to fill gaps in HIPAA training for clinics is to provide all members of the workforce with basic HIPAA training on a regular basis. The basic HIPAA training should cover areas of HIPAA law such as unauthorized disclosures, the Minimum Necessary Standard, and patients' rights, as these are the areas of HIPAA about which the HHS' Office for Civil Rights receives the most complaints. It may also be worth providing background information about HIPAA to provide context to these areas of HIPAA law.
Providing basic HIPAA training doesn't absolve a Covered Entity from providing Privacy Rule training or security and awareness training, but it does lay the foundations of HIPAA compliance among all members of the Covered Entity's workforce to mitigate the risk of inadvertent violations of HIPAA. The provision of basic HIPAA training to all members of the workforce also mitigates the risk of an HHS investigation and the requirement to provide training as part of a corrective action plan.
HIPAA Training for Clinics FAQs
What should a security and awareness training program consist of?
As most of the measures implemented to safeguard ePHI are technology measures (i.e., Internet access controls, email filters, automatic logoff, etc.), technology users need to know how to use the technology compliantly and be aware of threats to the confidentiality, integrity, and availability of ePHI such as malware, phishing emails, and the denial of authorized actions.
Who is responsible for providing HIPAA training for clinics?
Each Covered Entity has to designate a Privacy Officer responsible for Privacy Rule training, and a Security Officer for security and awareness training. In independent clinics, these roles will usually be assigned to a healthcare administrator and a senior member of the IT team, while larger organizations will likely have a separate compliance department.
How can background information provide context for HIPAA training?
One of the original objectives of HIPAA was to prevent fraud in the healthcare industry, and one of the most common ways in which fraud was committed was the theft of PHI so individuals lacking health coverage could receive medical treatment. The cost to healthcare organizations, insurance carriers, and victims of fraud was substantial, which is why regulations relating to unauthorized disclosures, the Minimum Necessary Standard, and patients' rights exist.
What is an inadvertent physical violation of HIPAA?
Inadvertent physical violations of HIPAA are any violations attributable to a lack of physical safeguards. Examples include public-facing computer terminals revealing patients' identities, test results left unattended, and the incomplete disposal of paper records containing PHI. Even if these events do not result in the unauthorized disclosure of PHI, they are still considered violations.
If an investigation reveals that an individual failed to comply with the HIPAA requirements after being trained, what happens to the individual?
This depends on the nature and scale of the violation, its consequences, whether or not it was a repeat offence, and the penalties for non-compliance stipulated by the clinic's sanctions policy. Penalties could range from a verbal warning to loss of employment and, in the most serious cases, law enforcement involvement with the potential for a criminal conviction.