Keep it Simple: How to Explain HIPAA to Employees


So you’re an organization that works in an industry outside of healthcare. Whether you’re starting to expand your services into the medical space or just landed a doctor’s office as a new client, you’ll need to familiarize yourself with the Health Insurance Portability and Accountability Act (HIPAA).

When you create, receive, maintain, or transmit protected health information on behalf of a healthcare entity, you're what the Department of Health and Human Services (HHS) refers to as a business associate. Your new client is a covered entity. Simply having a doctor's office as a customer doesn't make you a business associate; handling their patients' data does, and at that point you'll be asked to sign a business associate agreement that spells out your obligations.

By now, you’ve probably reviewed the law itself. Hopefully, you didn’t skim it over because you’re about to take on a lot of risk when working with a healthcare entity. While going through the different sections, I’m sure you soon realized that the law is not only verbose, but also rather vague. 


It helps that the content is organized into distinct rules, and within each rule into safeguards with specific requirements. However, there's so much grey area in some of the most important parts of the law that even the best tutorials on Google and YouTube won't resolve it for you. The Security Rule, for example, marks many of its implementation specifications as "addressable," which means you must assess whether each one is reasonable and appropriate for your environment, and document an equivalent alternative if you decide it isn't.

Lawmakers used flexible, technology-neutral language on purpose, so that the rules can be applied to organizations of very different sizes and don't become outdated as technology changes.

That’s great for the HHS. But how are you, an organization that already isn’t as familiar with the inner-workings of the medical space, supposed to understand the law enough to provide your services legally?

Well, to be honest, you have no choice but to comply if you want to provide any service to the healthcare industry.

Although compliance starts at the top with upper-management, your employees are the individuals handling the day-to-day responsibilities.

In other words, it's imperative that you foster a HIPAA-compliant environment with your workforce.

If you don't, you raise the odds of a breach, and breaches bring civil penalties from HHS and, for anyone who knowingly obtains or discloses PHI improperly, criminal charges that can include prison time.

So how can you explain HIPAA to your employees?


Use The "KISS" Method

Before we touch on specific materials and activities to keep in mind, we need to go over the concept to guide your efforts.

One of the most effective principles when it comes to training is the Keep It Simple, Stupid (KISS) method.

The phrase is usually traced to the U.S. Navy around 1960, and its wording has drifted over the years (softer variants like "Keep it short and simple" are common), but the idea behind it hasn't changed.


KISS sits alongside more elaborate methodologies like Six Sigma, but it doesn't require months of coursework. In a perfect world, every employee at your organization would hold a Six Sigma black belt certification. In reality, that coursework can take around 90 days to complete, time most employees don't have readily available.

All KISS asks is that you embody its definition when you're explaining the intricacies of HIPAA to your employees.

Implement Consistent Training Sessions

Without training, you can’t expect your staff to take the time to learn and understand everything while working through their daily responsibilities.

Let's say you skipped it.

You're about to sign your first healthcare client and want to onboard them as soon as possible so that you can boost this year's revenue. So instead of holding in-depth training sessions with your employees, you send out an email with a link to HHS's 115-page HIPAA Administrative Simplification Regulations PDF, along with a deadline for them to finish reading it.

Sure, this process sounds streamlined and simple. The problem with it stems from how most people read and absorb content in the modern world. According to a study conducted by the Nielsen Norman Group, the average person reads only about 20% of the text on a typical web page.


So, with that statistic in mind, let's look back at the combined regulation text to help me emphasize my point. After copying and pasting the document into a word counter, I found it has 67,211 words exactly.

Twenty percent of that many words is roughly 13,442.

Do you think anyone could read only 13,000 words about a complex law like HIPAA and understand it well enough? Of course not. Worse, the 13,000 words they skim won't necessarily be the ones that matter to their role.

That's why you need to train them on the law consistently. This isn't optional, either: the Security Rule (45 CFR 164.308(a)(5)) requires a security awareness and training program for the entire workforce, and since the 2013 Omnibus Rule business associates are directly liable for Security Rule compliance. Keep a record of who was trained, on what, and when; that documentation is what an auditor will ask for.

Go out of your way to hold group sessions with your employees so that you control the material they're responsible for knowing. You get bonus points if your sessions include interactive content and games that keep your team engaged.

However, there’s a more creative way to hold trainings as a business associate.

Since your main industry isn't healthcare, you don't want your employees spending an inordinate amount of time preparing for just one client. If you did, you'd end up questioning whether healthcare clients are worth pursuing at all.

Before I move any further, understand that training sets you up for more revenue in the future. One widely cited study found that companies that emphasize employee training have a 24% higher profit margin than organizations that don't.

Here's the idea. Your new healthcare client or prospect already holds regular HIPAA training with their employees. They've been required to train their workforce since the Privacy Rule took effect in 2003 (the Security Rule followed in 2005), and most covered entities run a session every year.

So why not ask them if your team can tag along to their session? It sounds a little abstract but hear me out.

First, they've been running these sessions for well over a decade. In that time they've tested different techniques, honed in on what's most effective, and learned how to make the material resonate with their employees.


Second, by bringing both teams together for training exercises, you're strengthening your partnership. You're introducing your entire team to theirs, so they'll be able to put faces to the names they've spoken to on introductory calls.

One caveat: their session covers their policies and procedures. You still have to train your staff on your own procedures for handling their PHI, and document that you did so. Consistent training also helps build an environment of awareness.

Use Analogies to Paint a Picture

HIPAA is technical by nature. Its Security Rule in particular delves into how to manage, maintain, and handle the sensitive data you'll soon deal with on a daily basis. Because of that, it's possible that some of your team members won't understand the specialized language.

In other words, not everyone understands the terminology for the systems used to store protected health information in electronic form (ePHI). The law references a lot of potentially difficult terms, which can be overwhelming.

As a way to further combat any comprehension speed bumps during your HIPAA explanation, use analogies.

Academic researchers regularly test the validity and effectiveness of using analogies when teaching complex subjects.

One study conducted in June of 2008 by Ataturk University compared traditional teaching methods to analogical methods when teaching physics to high school students. They found that using “systematic” analogies to explain complex concepts was much more effective than traditional teaching methods.

A more recent study from the University of South Florida in 2017 looked at whether or not visual analogies helped with student comprehension of statistical concepts. They concluded that analogies that were not only relevant but were also illustrated are powerful teaching tools.


So we’ve now looked at two examples of how analogies help students learn complex scientific and mathematical concepts more effectively. The subjects used in both studies are arguably much more complicated than HIPAA by nature.

The point I'm trying to make after all of this is that using analogies when explaining HIPAA to your employees is a sound bet. They'll be able to better understand and visualize each section of the law, regardless of their technical background.

The only thing you’re responsible for is coming up with the comparisons. Believe it or not, this is a big responsibility. You want to make sure that the analogies you come up with are relevant and understandable by all of your team.

They don't have to be complicated either. As an example, you could say that phishing attacks are like fishing in real life: the attacker drops bait in the water in the form of a convincing-looking email and then tries to land their victim. Or that the Privacy Rule's "minimum necessary" standard works like a hotel key card, which opens your own room and nothing else.

If you used ineffective or irrelevant analogies, your team may end up being more confused about HIPAA than they were without any training.

Be Welcoming, Not Condescending

OK, maybe you’re a business owner who’s had some experience within the healthcare industry over the course of your career journey. So maybe you already know about the intricacies of HIPAA in some capacity.

Everyone should know that PHI needs protective restrictions placed on it since they’ve all been to the doctor before, right?

The sentence above is purposefully written in a condescending way to make the point of this section. If you're a business owner on the other side of that statement and don't know anything about PHI beyond the forms you fill in at the doctor's office, you shouldn't be chastised for it. After all, you're only just now branching out into the healthcare space.

That’s the same mentality you should use when explaining HIPAA to your employees. By being their instructor, you’ll know more about the law than they will at first. They’ll look to you for answers to their questions and guidance.

The last thing you’ll want to do is squash their sense of curiosity by being condescending. Instead, welcome it.


Don't end your discussion with, "Does anybody have any questions?" Although you've had teachers and professors ask this in the past, it tends to shut down discussion rather than open it. It dissuades those who have questions because it makes them feel singled out, and it's hard to break the ice when they wonder why no one else is raising a hand.

Instead, use language that encourages questions without too much effort from the listeners. Say a statement like, “I can go into further explanation about this topic if you’d like.” All that’s required from the listeners is a simple “yes” or “no” response. They don’t need to raise their hand or wait for their turn in order to ask for more help.

Some of the most successful companies on the planet got to where they are today because they encourage people to ask questions. One of my favorite quotes about this comes from Eric Schmidt, the former CEO of Google, “We run this company on questions, not answers.”

Some intimidation is bound to happen when going over the different safeguards, penalties, and rules associated with HIPAA. But if you create a safe environment that fosters curiosity, everything will go much more smoothly.

Read The Crowd

A tough crowd isn’t something that only affects stand-up comedians.

Maybe the organization you're running has about 50 employees. In that case, explaining HIPAA to them as one giant group isn't effective: there's no room for discussion, and the parts of the law that matter differ from one role to the next. Instead, break your employees into groups, most likely by department.

Each department has different personalities. For example, your sales team is most likely a bit more talkative than your accounting department. Talking is a large part of your sales team’s job. Of course, that’s not the case for every company but it’s a safe assumption.

So, like stand-up comedians do for their shows, you need to read your audience. Not every joke will land for different groups of people. That also holds true for when you’re explaining HIPAA to the different teams within your organization.

When comedians tour across the country, they’ll make minor adjustments to their jokes based on where they’re headed to next. The overall theme, concept and core material of the tour stays the same. But punchlines and delivery might change a little bit to cater to the audience they’re performing for in a certain location.

So before each department session, think about the individuals in each group. The most useful question is what PHI this team actually touches and how: billing sees claims data, support sees tickets with patient details, engineering sees the database. The Privacy Rule's training requirement is explicitly scoped to what each person needs in order to carry out their function, so role-specific sessions are both better teaching and closer to what the rule asks for. Beyond that, ask yourself questions like…

  • What do they like?

  • What do they dislike?

  • How can I make the material resonate with them?

By asking yourself reflective questions about your audience, you're making your explanation better. As a result, your organization will come away with a better understanding of HIPAA.

Conclusion

HIPAA is complex by nature; it has to be. If it didn't cover every aspect of handling PHI, attackers would gain access to some of the most sensitive information that exists.

Of course, that also makes it harder for organizations outside of healthcare to explain its intricacies to their employees. However, it's far from impossible, and by reading this blog post you're already headed in the right direction.

Like anything else, learning something new is intimidating. It might start out rocky, even when you’re explaining it. But as you become more familiar with the subject matter, your explanation will improve. If you stick with it, your organization will grow as you’ll feel more comfortable with taking on more healthcare clients.