15 Essential Questions to Include in Your HIPAA Quiz for Employees


Although it has been around for almost 30 years, healthcare organizations have always had a hard time satisfying all of HIPAA’s requirements.

We saw 29 million healthcare records breached in 2020 alone. Just one of the breaches from that year affected 10 million records.

Of course, there are multiple reasons why the healthcare industry is in a constant battle to stay HIPAA compliant.

First and foremost, it’s a complicated law. Just to give you an example, AAPC Physician Services Compliant and Profitable Practices created a checklist for the HIPAA Security and HITECH rules and it’s 19 pages long.

Second, it’s constantly changing. There were 17 proposed changes to the law in 2021.

Third, hackers continue to target healthcare organizations to get their hands on protected health information (PHI). Cybersecurity experts state that the price tag for PHI records on the dark web is around $250.

Fourth, your organization’s employees are your biggest HIPAA risk. Less than half of healthcare organizations use a Learning Management System (LMS) to train their employees. In other words, they’re relying on an outdated and oftentimes boring training experience.

Given all of those reasons why HIPAA is such a difficult task for healthcare organizations, I could take this blog in a million different directions.

However, the last point I made might be one of the most important aspects of the entire HIPAA compliance ecosystem. You simply cannot afford to trust that your employees know all they need to about working within HIPAA’s requirements. If you do, you’re setting your organization up to face an unintentional HIPAA violation.

Yet, setting up an annual, in-person training session in an attempt to cover your bases isn’t enough. You need to ensure that the material that you’re covering isn’t boring. In other words, you can’t create a poorly-designed PowerPoint presentation, cover each topic in a monotone voice and expect your employees to stay engaged.

Instead, you need to create training material that’s engaging while using active learning techniques.

Using the word “engaging” with the phrase “active learning” is a little redundant. In a nutshell, active learning techniques involve engaging students in their coursework through discussions, problem-solving, case studies, role plays, and other methods.

To put it more simply, if your HIPAA training uses active learning, your employees will actually understand the material. That last sentence should be enough to win you over as a compliance manager or owner of a healthcare organization.

Of course, saying active learning techniques are important is one thing; implementing them in your HIPAA training course is another.

Luckily, this blog post exists to provide you with a comprehensive HIPAA quiz that uses active learning principles.

Problem-Solving HIPAA Quiz Questions

Of course, I have to start with the no-brainer style of questions you need to include in your HIPAA quiz. Problem-solving questions are one of the most basic types of questions out there and our teachers pummeled us with them throughout our grade schooling years.

Not that that was a bad thing. Problem-solving questions are a vital part of childhood development. They helped us learn how to: identify problems, brainstorm solutions, test appropriate solutions and analyze results.

No, I’m not implying that these HIPAA-related questions are easy by breaking down how important this type of question was to our development. Instead, I’m trying to point to their importance.


If problem-solving questions are such a vital part of education, it means that they’re effective in teaching concepts.

In other words, you need to pose this type of question to your employees. It’s almost a guarantee that your team will be better off after trying to answer the following questions because of how they’re constructed.

  1. Your best friend works at a hospital. One day, she comes home and says, “You’ll never guess who came in for emergency surgery today. It’s the starting quarterback for your favorite football team.” Your friend is clearly excited about the detailed gossip she’s about to tell you. Is she committing a HIPAA violation? Why or why not?

  2. You’re a medical biller who’s trying to collect from a list of patients who have overdue balances. The first patient you call doesn’t answer their phone. What type of information should you avoid saying on the voicemail you’re about to record?

  3. You’re an office administrator for a healthcare practice, and you’re visiting a dentist’s office as a patient for a routine check-up. While signing in, you notice that the sign-in sheet is a whiteboard. Why is this a good practice to avoid HIPAA violations?

  4. When visiting your aunt in the ICU, you notice that the staff talks quietly while attending to the patient who is sharing the same room. How does this practice help safeguard PHI?

  5. Before allowing you to purchase your prescription, the pharmacist asks you a series of questions to identify your information. Why are these questions necessary as a safeguard?

Case Study HIPAA Quiz Questions

Think of two teachers you’ve had in the past. The first teacher I want you to think of is your favorite. The second teacher you should have in your mind is your least favorite. Think about what learning a lesson looked like. What did you like and dislike?

I imagine the lesson for the teacher you didn’t like was bland. They didn’t challenge you much. Instead, they walked up to their chalkboard, wrote their notes on the board and you had to remember them verbatim.

For the teacher you did like, however, the lesson probably looked much different. They were probably much more engaging, invited discussion and used real-world examples that tied in with their lessons.

Both of those teachers used different teaching styles.

Your least favorite used deductive teaching. In other words, they used a more teacher-centered approach where they explained new concepts and expected the students to practice using them.

On the other hand, your favorite teacher used what’s called inductive teaching. Inductive teaching is a more student-centric approach where the teacher presents examples showing instances reflected in the real world so that the student notices how the concept works. To put it more simply, inductive teaching is learning by doing.

The point I’m trying to make with all of this is that most people learn better through inductive concepts. Thus, including questions in your HIPAA quiz that incorporate real-world examples of violations is a must.

  1. In 2019, the Office for Civil Rights (OCR) started the HIPAA Right of Access Initiative. Since it started, the OCR has been cracking down on organizations that don’t provide individuals with access to their medical records in a timely manner. What kind of message does this send to covered entities about the importance of HIPAA compliance?

  2. In 2019, Elite Dental Associates received a fine of $10,000 from the OCR for disclosing PHI on Yelp. The dental office received a poor review from a patient, to which they responded with the patient’s PHI including name, treatment details and insurance information. How should a covered entity approach social media to avoid a HIPAA violation?

  3. In 2017, a behavioral health analyst downloaded 300 PHI files after termination. The FBI launched an investigation into the stolen data and found that this wasn’t the first time the employee had downloaded sensitive patient information. What could the organization that experienced the breach have implemented to stop this bad actor?

  4. In 2020, a dentist from Anchorage, Alaska recorded a video of himself riding a hoverboard while performing a tooth extraction. Once he finished the procedure, he sent the video to an undisclosed number of people. The patient later found out about the video and stated that she never gave consent for the distribution of the video. Although this instance was a HIPAA violation, what should’ve happened to avoid it while still releasing the video?

  5. Business associates were responsible for exposing over 31 million patient records in 2017 alone. What can covered entities do to protect themselves from their vendors leaking their data?

Role-Play HIPAA Quiz Questions

If incorporating case study questions into the test you distribute to your employees gives them the opportunity to “notice” what you’re trying to teach them, role-play questions give them a way to apply the actual concepts.

Harvard pins role-play as one of the best tools suited for modern college students over more traditional methods.

To be more specific, role-play helps students apply their knowledge to a problem, reflect on issues and the views of others, illustrate theoretical ideas by placing them in a real-world context, and see what goes into decision-making.

  1. You’re an office administrator for a healthcare practice and you receive a phone call. The person on the other end of the line tells you that they need the medical records for one of the patients you saw recently. What should you do in this instance before you send anything in order to protect the patient?

  2. You’re about to fax a patient’s file to another practice because they switched their doctors. What should you include on top of the faxed documents to ensure reasonable safeguards are in place?

  3. You’re about to send an email that contains sensitive information to a business associate. Before you send the email, what do you need to ensure that the email you’re sending is encrypted?

  4. You’re a compliance officer and want to make sure that you’re protecting the PHI your organization deals with. You’re planning to remedy a scenario in which one of your employees sends an email to the wrong email address. What HIPAA best practice should you incorporate into your organization's email?

  5. You’re trying to collect on overdue medical accounts. The first patient you call says that they never received their statement to begin with. You check your system and notice that you mailed their statement to the wrong address because of a typo. Although this is a HIPAA violation, how do you ensure that this doesn’t happen again in the future?

Conclusion

Whether you’re a covered entity or a business associate, it’s a requirement to train your employees on HIPAA. It’s a best practice to satisfy that requirement on an annual basis, regardless of how long a member has been a part of your team.

In other words, odds are that you have a HIPAA training program in place.

However, if your training program isn’t constructed using effective teaching concepts, you’re not any better off than the organizations that don’t train their employees.

One of the most effective ways to understand where the risks are within your organization is by testing your employees’ knowledge of HIPAA. Thus, you need to construct a quiz that reinforces what you’re training them on.

Incorporate the questions provided within this blog post and see for yourself how much your employee-associated risk decreases.