by Jodie Cannon, BS, OSHA/HIPAA Consultant
A recent study reported in the Journal of the American Medical Association found that over half of healthcare data breaches are caused by internal issues, many of them directly related to a lack of effective employee training. You can read more about the study at https://www.hcinnovationgroup.com/cybersecurity/news/13030905/study-internal-negligence-not-hackers-responsible-for-half-of-data-breaches. Clearly, employee training should not be taken lightly.
While the implications are probably obvious, let’s review some examples that we at Modern Practice Solutions have seen unfold in the recent past. An employee sends the wrong ePHI (electronic Protected Health Information) to a patient via unencrypted email; the employee had not obtained the patient’s prior authorization to send ePHI by unencrypted email. A disgruntled employee in the process of being terminated downloads ePHI onto an unencrypted jump drive; the employer had to hire an attorney to serve a cease-and-desist letter and retrieve the device. If upper management has not provided proper oversight, the organization can be held liable. This is a rathole that no one wants to go down. Are you 100% sure that none of your employees will ever commit a HIPAA breach, either intentionally or unintentionally? Of course not, because you can never be 100% sure. Even if your organization never suffers an employee breach, a lack of training can be flagged in an audit or an investigation. The bottom line is that you need to make sure your staff is trained and aware of the consequences of causing a HIPAA violation or breach. The average cost of a breach in the medical industry is $408.00 per patient record.
The top two causes of breaches in 2018 were IT/hacking incidents and unauthorized access/disclosure. The best course of action is to provide meaningful and impactful HIPAA training. In fact, this is a HIPAA requirement. The Security Rule standard at 45 CFR § 164.308(a)(5), Security awareness and training, reads: “Implement a security awareness and training program for all members of its workforce (including management).”
At Modern Practice Solutions, we provide HIPAA Privacy and Security training for your employees either onsite or via remote video. Our programs are easy to implement and provide the documentary proof you need to show an auditor or investigator that you are training your employees on the privacy and security of protected health information.
It should be mentioned that many data breaches are caused by unintentional acts of employees. By now you are familiar with the ransomware incidents that keep occurring. Many of them start with an employee unwittingly clicking a link in an email. Employees receive emails that look as though they came from a credible source, such as a patient or a coworker. Before you know it, the unauthorized user may already have access to your workstation, or may be downloading software behind the scenes without your knowledge. Even worse, your whole IT network can be brought down (yes, this really does happen, and more often than you think). Before you click on any link or provide any information, verify that the email actually came from a credible and reliable source, and do so through a channel other than the email itself: for example, call the patient at the phone number in your records (not a number given in the message) to confirm that he or she sent it. It is very important that we promote “cyber-hygiene” within our organizations.
Our updated 2019 training is now available in both onsite and remote video formats! Please consider scheduling your employees for HIPAA training in conjunction with your required annual OSHA training.
Do my employees have to take training every year?
Yes, your employees should take yearly training.
When should my employees take training?
Section 164.308(a)(5) calls for periodic training rather than a fixed interval. Retraining is required any time there is a material change that affects your workforce: a change in your environment, a change in policies or procedures, upgraded or new software, or a change to the Security Rule itself. We recommend combining your yearly HIPAA training with your OSHA training, which is required every 365 days. It’s up to you when the employees take the training; it can be any time during the year.
What types of HIPAA training do you offer?
At Modern Practice Solutions, we provide the required HIPAA training either onsite or remotely via online video. We also offer a 6-hour Advanced HIPAA Course with CE. This is an in-depth training course geared for RDAs, RDHs, DDS, and Managers serving as Privacy Officer and/or Security Officer for their practice. Learn how to incorporate policies and procedures to comply with HIPAA’s requirements for administrative, physical, and technical safeguards. We will address key elements such as requirements for a Risk Assessment, staff training, internal forms, required posting, breach reporting, and how you can close the gap in your HIPAA compliance program.
Do doctors have to take training?
Yes. The Security Rule requires a training program for all members of the workforce, including management, and the doctors in the practice are no exception.
What if I hire someone after my staff has completed training?
You should have all new hires take training as part of your employee onboarding process, before they are released to the floor to work. We advise that you not let anyone start working until they have completed training. Our initial and annual HIPAA packages include video training for your new hires for 12 months. Simply reach out to us when you have a new hire, and we will send the instructions for accessing the video, along with all of the required training rosters.
What if I have questions about training or don’t know where to begin?
Easy. Just contact us. Send an email to Heather Miller, our Project Coordinator, at firstname.lastname@example.org, or call (931) 232-7738. We are more than happy to assist you with your HIPAA compliance.