Video: Why HIPAA Compliance is Important for Healthcare Professionals
Jun 28

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals' lives. This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional's perspective. It explains why healthcare professionals cannot avoid HIPAA and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This in turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation. Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional's fault. Sometimes it can be due to insufficient training or...

HIPAA Exceptions
Mar 11

The text of the Health Insurance Portability and Accountability Act is full of HIPAA exceptions – adding to the complexity of complying with the Act and often resulting in organizations and public agencies applying far more stringent restrictions than necessary. In 2007, the Reporters Committee for Freedom of the Press published a Guide to Medical Privacy Law. The Guide highlighted multiple instances in which hospitals, ambulance services, schools, and public agencies unjustifiably withheld news from reporters for fear of violating HIPAA – even though several of the entities were not covered by HIPAA. According to the Guide, the fear of violating HIPAA led to many entities applying HIPAA overzealously – often applying standards without considering when HIPAA exceptions exist. And there are many HIPAA exceptions. A comb through the Administrative Simplification provisions finds 50 uses of the word “exception” and a further 100+ uses of the word “except”. It is impractical to list all the HIPAA exceptions in one article, especially as some exist which are not mentioned in the...

Guide to HIPAA Safeguards
Mar 09

Requirements to implement HIPAA safeguards appear more often in the text of the Health Insurance Portability and Accountability Act than is often acknowledged. While many sources are aware of the Administrative, Physical, and Technical Safeguards of the Security Rule, less specific requirements relating to HIPAA safeguards also appear in the Privacy Rule. Compared to the specific requirements of the Administrative, Physical, and Technical Safeguards, most other references to safeguards in the text of HIPAA are intentionally flexible to accommodate the different types of Covered Entities and Business Associates that have to comply with them. While this flexibility means it can be easier for certain organizations to comply with the HIPAA safeguards – and protect the privacy of PHI – other organizations may find the lack of guidance confusing. To demonstrate the difference between the safeguards of the Security Rule and the safeguards of the Privacy Rule, we've provided a synopsis of the Security Rule Administrative, Physical, and Technical Safeguards to compare against the...

What is Texas HB 300? Updated for 2022
Mar 03

What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This article answers these and other important questions about Texas HB 300. What is Texas HB 300? The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they must also comply with state laws. Texas has some of the most stringent laws in the United States as far as health data is concerned, which are detailed in the Texas Health and Safety Code. In June 2011, Texas HB 300 was passed by the Texas legislature. HB 300 amended four areas of Texas legislation: the Texas Health and Safety Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602), and introduced tougher privacy protections for health data than HIPAA. Who is Required to Comply with Texas HB 300? Compliance with Texas HB 300 is...

HIPAA Rights
Mar 02

The Health Insurance Portability and Accountability Act (HIPAA) introduced multiple HIPAA rights. Some of the rights were introduced directly via the text of the Act, but the majority followed later in the Privacy Rule. Unfortunately, the failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to the HHS Office for Civil Rights. When HIPAA was enacted in 1996, references to individuals' rights mostly focused on the original purpose of the Act – to enable employees to carry forward insurance coverage from one employer to another after a break, to prevent the denial of coverage – or additional premiums for coverage – on the grounds of a pre-existing condition, and to guarantee renewability in multiemployer plans. The HIPAA rights most people are familiar with – the right to health information privacy and the right to access and correct health information – are mentioned in the text of HIPAA (Section 264), but only in the context of the recommendations the Secretary of Health & Human Services was tasked with preparing in the event...

What is HIPAA?
Feb 23

What is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Among other measures, the Act led to the establishment of federal standards for safeguarding patients' “Protected Health Information” (PHI) and ensuring the confidentiality, integrity, and availability of PHI created, maintained, processed, transmitted, or received electronically (ePHI). When the Health Insurance Portability and Accountability Act was passed by Congress in 1996, the establishment of federal standards for safeguarding PHI was not one of the primary objectives. Indeed, the long title of the Act doesn't even mention patient privacy or data security: “An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.” So how did...

HIPAA Training for Dental Offices
Feb 11

HIPAA training for dental offices can be more complex than “mainstream” HIPAA training programs due to the need to cover multi-tasking employees, state licensing requirements, and the disposition of clients attending dental offices. Nonetheless, it is important that the basics of HIPAA are still included in HIPAA training programs for dental office employees. As most dental offices are required to comply with state and federal e-prescribing regulations, most dental offices automatically qualify as HIPAA Covered Entities because they process HIPAA-covered transactions electronically. Consequently, all members of a dental office's workforce are required to comply with applicable provisions of the Privacy, Security, and Breach Notification Rules. In order for all members of the workforce to comply with the HIPAA Rules, it is important for employees to know what the Rules are and how they apply in day-to-day duties. Therefore, dental offices should provide training on the policies, procedures, and mechanisms put in place to ensure the privacy, confidentiality, integrity, and...

HIPAA Guidelines for Nursing Students
Feb 02

It is important to understand the HIPAA guidelines for nursing students because of the role nursing students play in the provision of healthcare and because of the threats to the privacy of Protected Health Information (PHI) when nursing students have received insufficient training to perform their roles in compliance with HIPAA. The nursing profession is not easy; and, when nursing students start on their career path, there is a lot to take in. In addition to learning the skills of their profession and completing years of coursework, nursing students are frequently asked to assist with the provision of healthcare. Although they are usually supervised when working with patients, the risk exists that – without an understanding of HIPAA – violations of HIPAA could occur due to a lack of knowledge. For example, if a nursing student shares the events of the day with friends via social media, it is important the student has been trained on what constitutes PHI, when it can be disclosed, and the penalties for disclosing PHI without consent. If the student has not been trained on the...

Is Gossip a HIPAA Violation?
Jan 21

The answer to the question “is gossip a HIPAA violation?” is not straightforward because it depends on who is gossiping, who they are gossiping about, and what the content of the gossip is. It is important to know under what circumstances gossip is a HIPAA violation, because – when a violation occurs – there could be significant consequences for everyone. Gossip is casual or unconstrained conversation about other people. It can be communicated verbally, in writing, or electronically; and while some gossip may be communicated in good faith, it frequently involves details that are not necessarily true – especially when gossip is second or third hand – or that have the intention of creating shock (which distinguishes gossip from rumor). Despite research suggesting gossip can be beneficial, it can also be harmful. People's mental health can suffer when they are the subject of gossip, or when they are a communicator confronted by the subject of the gossip. It can also be the case that details about an individual are released into the public domain which may have a negative impact the...

HIPAA Training for Healthcare Workers
Jan 14

The requirements relating to HIPAA training for healthcare workers have limitations which can expose individuals to sanctions for non-compliance. Consequently, it is recommended that healthcare workers take responsibility for their HIPAA knowledge and how HIPAA applies in their roles. If you are a healthcare worker, your employer should provide you with two types of HIPAA training – Privacy Rule training on HIPAA policies and procedures (required by 45 CFR § 164.530) and security awareness training (required by 45 CFR § 164.308). Your employer should also provide you with refresher training if there is a “material change” to HIPAA policies and procedures. These regulations do not go far enough to prevent healthcare workers from unintentionally violating HIPAA due to a lack of knowledge or because non-compliant practices have been allowed to develop in the workplace. This article discusses the limitations of HIPAA training for healthcare workers, what the consequences can be, and what healthcare workers should do to avoid the consequences. Privacy Rule HIPAA Training for Healthcare...

What to do if Accused of a HIPAA Violation
Jan 07

What you should do if accused of a HIPAA violation can depend on what your role is, who is making the accusation, and what their role is. Whatever the circumstances, it is important that you do not ignore the accusation; and, if in any doubt about its validity, seek advice. Individuals and organizations can be accused of a HIPAA violation in multiple circumstances. For example, a trainee nurse could be advised by a senior colleague that something they have unwittingly done is a violation of HIPAA, an IT Department could be alerted to software violating HIPAA by a HIPAA Security Officer, or a Covered Entity could be accused of a HIPAA violation by a patient who has been unable to obtain a copy of their PHI in a timely manner. Further, accusations of HIPAA violations can originate from reliable sources such as HHS' Office for Civil Rights, or from unreliable sources such as a blog post written by an author who does not understand what HIPAA is or who it applies to. Indeed, misinformation about HIPAA can sometimes result in false accusations of HIPAA violations. Nonetheless, in every...

HIPAA and Privacy Act Training
Oct 24

When a federal agency provides healthcare services, there may be circumstances in which employees need to undergo both HIPAA and Privacy Act training. In addition, as an increasing number of states enact their own privacy laws, there may also be occasions when employees of state agencies require HIPAA and Privacy Act training. The Privacy Act of 1974 governs the collection, use, storage, and sharing of personally identifiable information maintained by federal agencies. Under the Act, U.S. citizens have the right to request a copy of any data held about them and to request that any errors be corrected, federal agencies must only collect data “relevant and necessary” to accomplish the purpose for which it is being collected, and sharing data between agencies is restricted and allowed only under certain conditions. People acquainted with the Health Insurance Portability and Accountability Act will find these privacy provisions familiar as they closely resemble Patients' Rights under HIPAA, the Minimum Necessary Standard, and Business Associate Agreements. Indeed, there are many...

HIPAA Training for Employees
Oct 24

The regulations relating to HIPAA training for employees are deliberately flexible because of the different functions Covered Entities perform, the different roles of employees, and the different levels of access each employee has to Protected Health Information (PHI). The degree of flexibility can create misunderstandings about which employees require training, what training should be provided, how training should be provided, and when training should be provided. This blog aims to clarify the regulations relating to employee training. Which Employees Require HIPAA Training? The first issue to resolve is straightforward. Both the HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308) stipulate that training should be provided to all members of the workforce. That means not only employees, but also agency staff, consultants, and contractors regardless of their level of interaction with PHI – even if they have no contact with PHI at all. However, whereas the HIPAA Security Rule applies to Covered Entities and Business Associates, the HIPAA Privacy Rule only...

Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training
Oct 05

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) are required to provide security awareness training to the workforce, but a new report suggests training is lacking at many HIPAA-regulated entities. The security awareness training and phishing simulation platform provider KnowBe4 commissioned Osterman Research to conduct a survey of 1,000 U.S. employees to determine their level of knowledge about security threats and how much training they have been given. The findings of the survey were published in the KnowBe4 2021 State of Privacy and Security Awareness Report. The survey revealed employees are generally confident about password best practices but lack confidence in other areas of cybersecurity such as identifying social engineering attacks. Only a minority understood threats such as phishing, even though phishing is one of the most common ways that hackers gain access to business networks and corporate data. Worryingly, less than half of respondents believed clicking a link in an email or opening an attachment could result in their mobile...

Compliance Training for Medical Staff
May 27

Because of the many different roles in the healthcare industry, there is no one-size-fits-all compliance training for medical staff. Furthermore, the nature of healthcare compliance training modules can vary according to location, specialty, or responsibility. Nonetheless, it is a legal requirement that all medical staff undergo HIPAA compliance training. If a Covered Entity is located in Texas, the nature of the privacy and data security training provided for medical staff will be very different from the training provided for medical staff located in New York. This is due to the Texas Medical Record Privacy Act (and subsequent amendments in Texas HB 300), which has tougher privacy protections for health data than HIPAA. Similarly, if a medical professional works in an area of healthcare in which they are likely to be exposed to HIV, HBV, or HCV, their compliance training will include compliance with the OSHA Bloodborne Pathogens Standard, while a person with responsibility for health and safety on a general ward should be trained on OSHA's Incident Reporting procedures. Despite...

How Often is HIPAA Training Required?
Mar 20

HIPAA-covered entities and their business associates must ensure that all members of the workforce who encounter protected health information (PHI) in any of its forms are provided with training, but how often is HIPAA training required and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training? What Does HIPAA Say About Employee Training? Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The HIPAA Security Rule training standard states: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).” The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to...

How Often Do You Need HIPAA Training?
Mar 19

The question of how often you need HIPAA training does not have a definitive answer because the HIPAA training requirements are deliberately flexible in order to adapt to different types of Covered Entities and Business Associates, and the functions they perform. However, the failure to provide adequate HIPAA training can have serious consequences. OCR is Cracking Down on Noncompliance! It can be difficult to fit training into busy workflows; but, if adequate training is not provided, it is possible for Covered Entities and Business Associates to be fined for non-compliance with HIPAA – even if there is no unauthorized use or disclosure of Protected Health Information. This is because HIPAA training is a requirement of both the HIPAA Privacy and Security Rules. The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance. In 2020, the number of investigations conducted by OCR increased by 18%, nineteen financial penalties were imposed, and 1,357 organizations were required to take corrective action to resolve non-compliance issues following patient complaints,...

Is HIPAA Training Required Annually?
Mar 12

The frequency of HIPAA training sessions needed to comply with the HIPAA Privacy Rule is a source of confusion, with many healthcare providers interpreting the HIPAA text to mean HIPAA training is required annually, even though annual training sessions are not explicitly stated as a requirement anywhere in the HIPAA text. Similarly, the frequency of security awareness training is not stated, other than HIPAA requiring ‘periodic’ retraining. To help ensure you get your HIPAA training right, we have listed some best practices below which will help ensure you do not fall afoul of regulators and attract a fine for noncompliance. Is HIPAA Training Required Annually? The HIPAA text does not provide a deadline for providing training and incorporates flexibility to make it easier for healthcare organizations to fit training into busy workflows. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the...