PART 1 – HIPAA Benchmark Survey Insights: Training, Policies, and Managing Workforce Risk
Earlier this year, Strategic Management Services (Strategic Management) hosted a webinar highlighting the results of our 5th Annual HIPAA Benchmark Survey Report, which explores how healthcare organizations are structuring and managing their Health Insurance Portability and Accountability Act (HIPAA) privacy programs, from training and policies to breach response and regulatory interaction. The discussion sparked a number of thoughtful questions from attendees, many of which focused on real-world challenges for privacy programs, ranging from training and workforce accountability to managing risk and using artificial intelligence.
This blog kicks off Part 1 of a four-part series where we answer those questions and share practical guidance. In this installment, we focus on employee training, HIPAA-related policies, and managing workforce behavior. Our thanks to everyone who participated in the HIPAA Benchmark Survey and attended the webinar.
Employee Training
Q: Should training be customized in a multi-tiered HIPAA hybrid organization and if so, how?
A: HIPAA Basics Training should be required for all employees. Refreshers are important to ensure that everyone has access to the same information, especially as it relates to how your organization may operate under the HIPAA Privacy Rule. The next phase is to develop specialized training based on the employee’s role in the organization. This is where collaboration with HR and department leaders becomes critical. Especially in larger or remote organizations, the Privacy Official may not be able to know each employee’s role and responsibility, so connecting with those who are closer to the employee will be invaluable. Once roles and responsibilities in the organization are clearly understood, organizations can better assess the risk of potential privacy violations based on those responsibilities. For some employees, the HIPAA Basics may be sufficient. Other employees, especially those who access electronic medical records or work with social media, may need specialized training. This does not have to be a lengthy, separate course. It may mean creating a few extra slides, news articles, videos, etc., that are specific to the role and responsibility. For example, organizations might consider hosting a “lunch and learn” for certain departments to discuss their increased HIPAA privacy responsibilities. The essential point is to make sure that all employees are aware of their role in protecting patient privacy.
HIPAA Policies
Q: Is there guidance recommending a specific number of single-topic HIPAA-related policies?
A: As with all compliance programs, having strong HIPAA policies in place is an essential element of an effective HIPAA compliance program. The HIPAA Privacy Rule requires covered entities to implement policies and procedures that are designed to comply with the standards, implementation specifications, or other requirements of the rule. They must be reasonably designed and scaled to the size and operation of the organization.
As a best practice, Strategic Management recommends that each policy topic be separate and linked to the Privacy Rule covering subjects such as the minimum necessary standards, breach notification, breach assessment, and requests for confidential communication. These are foundational. Other privacy-related risks may give rise to the need for other policies such as social media, phishing, and snooping.
Employee Snooping
Q: Can we provide more information about the risks associated with employee “snooping” and how to monitor to ensure staff are not snooping?
A: Organizations should have zero tolerance for employee “snooping” into medical records without a legitimate need to know. The workforce should be continually reminded that their access to the electronic health record (EHR) is monitored, and training should make clear that snooping is prohibited. Guidance from the Health and Human Services Office for Civil Rights (OCR) focuses on the technical safeguards required under the HIPAA Security Rule, such as audit controls, logging, and review. Audit trails, access logs, and monitoring mechanisms must be in place to record activity and detect unauthorized access. Check your specific EHR to see whether it can detect when medical records are inappropriately accessed. Organizations should also ensure that access to protected health information is based on the employee’s role. If their role changes, their access must be re-assessed and adjusted accordingly. If they leave the organization, whether voluntarily or through termination, their access should be cut off immediately. This requires strong collaboration between Privacy and IT.
Finally, organizations should have strong HR disciplinary policies with escalation provisions if members of the workforce are found to have snooped.
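A simple illustration of the audit-log review described above, as an added example that is not part of the original post: it runs over constructed EHR access log lines and a constructed workforce roster (all field names, user IDs, and record numbers are assumptions) and flags accesses with no care-team relationship, self-access to the employee’s own record, and use of an account that should have been cut off at termination.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

# Constructed sample data (not from the page). Field names are assumptions.
# Workforce roster: role, termination date (if any) and the employee's own
# medical record number when the employee is also a patient.
ROSTER = {
    "u100": {"role": "nurse", "terminated": None, "own_mrn": "MRN-7"},
    "u200": {"role": "billing", "terminated": None, "own_mrn": None},
    "u300": {"role": "nurse", "terminated": date(2024, 3, 1), "own_mrn": None},
}
# Users with a legitimate treatment or payment relationship to each record.
CARE_TEAM = {"MRN-1": {"u100"}, "MRN-2": {"u100", "u200"}, "MRN-7": {"u300"}}

# Constructed EHR audit log: timestamp,user,record,action
AUDIT_LOG = """\
2024-02-10T09:05:00,u100,MRN-1,view
2024-02-10T09:07:00,u100,MRN-7,view
2024-02-11T14:20:00,u200,MRN-1,view
2024-02-11T14:21:00,u200,MRN-2,view
2024-03-04T08:00:00,u300,MRN-7,view
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    mrn: str
    reason: str


def review_access_log(log: str, roster=ROSTER, care_team=CARE_TEAM) -> List[Finding]:
    """Flag EHR accesses that warrant Privacy/IT review."""
    findings = []
    for line in log.strip().splitlines():
        ts, user, mrn, _action = line.split(",")
        person = roster[user]
        term = person["terminated"]
        if term and date.fromisoformat(ts[:10]) >= term:
            # Account was not cut off when the employee left.
            findings.append(Finding(ts, user, mrn, "terminated account still active"))
        elif mrn == person["own_mrn"]:
            findings.append(Finding(ts, user, mrn, "self-access to own record"))
        elif user not in care_team.get(mrn, set()):
            findings.append(Finding(ts, user, mrn, "no treatment relationship"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(AUDIT_LOG):
        print(f"{f.timestamp} {f.user} {f.mrn}: {f.reason}")
```

In practice the care-team relationship would come from the EHR’s encounter or scheduling data and the roster from HR, which is why the Privacy and IT collaboration the answer describes matters.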
HR and Workforce Discipline
Q: Our Human Resources (HR) generally wants to factor in employee tenure and performance reviews when making a disciplinary action decision for privacy violations. How should this be dealt with best?
A: HR should be a strong partner to ensure that staff are fully aware of the ramifications of snooping, failure to complete required privacy training, or violating other HIPAA privacy regulatory requirements. It is best practice for there to be a policy outlining the combined and separate responsibilities of Compliance/HIPAA and HR to ensure that all similarly situated employees are treated the same, thereby promoting consistency and fairness when levying a disciplinary action. That being stated, HR is ultimately the decision-maker regarding disciplinary action, with input from Compliance/HIPAA when appropriate.
An employee’s tenure and performance reviews may also be factored into disciplinary decisions regarding a privacy violation, but only if the performance reviews reflect the employee’s awareness of privacy requirements. Evidence that the employee has completed the required training, successfully passed any requisite quizzes, and has not habitually violated privacy policies, etc., may be factored into the severity of any disciplinary action if these factors are applied consistently.
Takeaway
Together, role-based training, well-structured policies, proactive monitoring, and consistent discipline form the backbone of an effective HIPAA privacy program. In Part 2 of this series, we’ll explore managing third-party relationships, data sharing risks, and emerging technologies. For more information on this topic, please contact rwatnik@strategicm.com and [email protected].