Almost 80% of healthcare employees show a lack of preparedness with common HIPAA privacy and security threat scenarios.
That’s an alarming statistic. How can the industry that millions rely on to protect their most sensitive and personal information be one of the least prepared?
If you work within healthcare, you know that you have a lot on your daily to-do list of responsibilities. Above all, you want to ensure that the care your patients receive is the best you have to offer them.
That’s the type of mentality patients want in their doctors, but caring for them now stretches beyond their visit to your office. Protecting the patient health information (PHI) you handle on a daily basis is just as important as the care you administer.
PHI is some of the most sensitive data on the planet. If that information gets in the hands of a hacker, they can do some serious damage to your patients. First, they could sell it on the dark web for a pretty penny. Second, they could use the information to commit medical identity theft where they…
Could go to the doctor under your name
Go to the pharmacy to receive drugs
Use your health insurance benefits
Receive medical aid from the government
Although both of the cases I listed are illegal and could lead to some serious jail time for the fraudster, you’re not off the hook if your practice was their source. In other words, you’ll receive a fine from the Department of Health and Human Services (HHS) if you expose your patients’ PHI.
Of course, the fine you face is dependent upon how many records you expose. However, recent HIPAA fines reached upwards of $3 million. That’s a massive penalty that would force a lot of smaller practices to close their doors.
OK, chances are that you already knew a lot of this before you started reading this blog post. You knew that it’s your duty to protect your patients’ sensitive data and that there are penalties for not doing so.
You also know that human error is one of the leading causes of this law’s violations.
What you may not know, and why you came here in the first place, is how to make your employees more aware of the intricacies involved with this rule.
So when should you promote HIPAA awareness and what are the best ways to go about it?
The Best Time to Promote HIPAA Awareness
Since HIPAA is such a comprehensive and information-dense regulation, it spells everything out, right? Actually, there is a lot of grey area within the law.
In order to understand what’s required, we need to look at how the HHS determines its penalties for this law. The good news is that the law understands the modern healthcare world and doesn’t have an outdated structure.
What I mean by this is that it’s written in a way that lines up with the mentality many cybersecurity experts believe, “It’s not if but when.”
The HHS understands that the information you’re dealing with on a daily basis is highly sought after. They also know that a breach could happen to your practice even if you’re abiding by every section. Proof comes from the Minimum Necessary Standard within the Privacy Rule.
That section of the Privacy Rule requires that healthcare companies and their partners take reasonable steps to limit using, disclosing, and requesting PHI to only what’s necessary.
The keyword within that rule is reasonable.
The law repeats that word throughout its entirety to keep the law flexible.
Another example of the use of this word happens within the Privacy Rule’s Administrative requirements safeguard, specifically when it discusses employee training requirements. This section states that employees within a healthcare organization must receive some form of HIPAA training.
However, it doesn’t state when they should or how often to repeat it. Instead, it says to give an employee training within a reasonable amount of time after hiring.
So, what’s my point after all of this?
Well, if you base your efforts toward promoting awareness on what’s generally recommended for training, you’d do it on an annual basis. Although that’s a great start and training helps the endeavor, there’s more you can do to go above and beyond.
That’s because promoting awareness isn’t as involved as hosting a 4-hour training session. What I mean by that is, you can promote your employees’ appreciation for HIPAA, either indirectly or directly throughout the entirety of the workday.
So, when should you promote HIPAA awareness? The answer is around the clock.
Unless you’re a massive healthcare organization that treats millions of patients every week, you simply can’t afford a fine from this regulation. In other words, you need to do as much as you can in order to avoid that scenario.
The only problem is that you’re super busy. How can you promote awareness when you hardly have any time on your hands?
How to Promote HIPAA Awareness
As I hinted at in the section above, there are many ways to promote HIPAA awareness to your employees.
There’s no one perfect way to broadcast the importance of this regulation to your employees. Your workforce is different from the practice up the street.
But, in order for this law to resonate with your team, you’ll need to use a mixture of different things.
Conduct Annual Re-Training
The first and most direct way to promote HIPAA awareness at your practice is something I hinted at in the introduction. People are forgetful, especially when it comes to complex rules and regulations. So in order to combat that, you’ll need to conduct annual re-training sessions.
If you already re-train your employees on their knowledge of this law, great. However, conducting the training session(s) is only one aspect. What’s more important is how you do it and whether or not it’s interesting.
If your re-training sessions are a low-quality, ten-year-old video of you going over the law, you’re not doing yourself a favor.
We’ve all been to classes that were boring at some point leading up to our professional career. You’d find yourself wandering off within the first few minutes, thinking about your next meal or what you’re going to do once the bell rang. If your training sessions are similar, your employees are going to feel the exact same way.
So host re-training sessions annually, but ensure that each of them is interesting and fun.
That way you’re continuing to spread awareness while keeping your employees engaged with the material.
Add Visual Aids Around The Office
One of the most effective, modern styles of training employees comes from the Lean Methodology. In a nutshell, it strips down effective training methodology to two beliefs…
Continuous improvement
Respect for everyone
One of the most basic teachings of Lean is to include small, visual cues built into or by employees’ workstations. They act as reminders of their job’s most important aspects.
One of my favorite reflections on the importance of this concept comes from Teach Lean Incorporated’s Co-Owner, Tracey Richardson. She spent decades working for Toyota learning from their trailblazing lean practices.
Tracey wrote a blog post entitled The Difference a Visual Cue Makes. In it, she describes how driving a car changed so much over the course of time.
She points out that driving a modern car means receiving constant feedback. There are…
Visual symbols on the dashboard that point out when something is wrong
Audio alerts when seatbelts aren’t buckled
Dashboard alerts about temperature changes and traffic
The visual and audio cues work together to provide a seamless driving experience that keeps you apprised of everything going on inside and outside of your vehicle. To put it simply, we’re kept in a constant state of awareness while we drive.
OK, but working at a healthcare practice isn’t even close to driving a car. You’re not wrong.
The point I’m trying to make with all of this is that adding visual cues related to HIPAA can have a similar effect on your employees. Adding signs, posters, and other visuals at and around your employees’ workstations will keep them in a constant state of awareness.
You could even get signs that indirectly empower your employees. For example, hanging a sign on an entryway to a restrictive area that says something like, “HIPAA CERTIFIED EMPLOYEES ONLY” would…
Act as a constant reminder about HIPAA
Empower your employees since it’s an exclusive area they have access to because of their training
Visual aids can have a lasting impact on your employees’ overall awareness of HIPAA, and the best part is that they don’t have to be complicated.
I do have a word of caution for you before you buy that bundle of compliance posters, though. Make sure that the concepts and content they cover aren’t insultingly obvious. The last thing you want is to nail a poster to your wall and then have your employees make jokes about it. If this happens, they’ll end up turning the entire regulation into a joke around the office.
Run Test Scenarios on Your Employees
Let’s say you’ve set up an engaging re-training session and hung visual cues about HIPAA throughout your office. What’s next?
You can think your employees are well prepared all you want, but you’ll never truly know how they’ll react to a compromising situation until it happens. Luckily, there are services that let you run a test scenario on your employees.
Remember throughout our schooling we used to have fire drills? Their goal was to train both the teachers and the students on what to do during a disaster scenario.
Now, a fire at your practice is obviously a bad thing. But a phishing attempt or attack that targets your employees in order to retrieve your patients’ PHI is nothing short of cataclysmic as well.
In other words, running test attack scenarios on your employees is one of the best ways to know where they stand.
There are plenty of phishing testing services out there that will create fake emails, send them to your employees, and report back to you with results on how your team did.
Running these types of “drills” helps you get a grasp on where your employees stand when it comes to HIPAA awareness. These tests also give firsthand experience without any of the associated risks.
Of course, before you run any sort of scenario you’ll want to notify your team of what’s coming. You don’t have to tell them the exact date you plan on running it, just give them a heads up.
Leading up to the event, host a quick phishing awareness training session. The last thing you want to do is send out the test without telling your team as some sort of “gotcha!” to your employees. That creates distrust and makes them feel incompetent.
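One way to make sense of the results such a service hands back, as an added example that is not part of the original post and not any vendor’s tooling. It assumes the service exports a CSV with the columns shown below (the rows and column names are constructed for this example), and it computes click and report rates overall and per department, plus a list of who to invite to the follow-up awareness session.

```python
"""Summarize the results of a phishing drill run by a simulation service.

Constructed example: the CSV below is made up and stands in for the report
such a service would export. The column names are assumptions, not any
vendor's real format.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per employee who was sent the test email.
SAMPLE_REPORT = """\
employee,department,delivered,opened,clicked,submitted_credentials,reported
a.smith,front_desk,yes,yes,yes,yes,no
b.jones,front_desk,yes,yes,no,no,yes
c.lee,billing,yes,no,no,no,no
d.patel,billing,yes,yes,yes,no,yes
e.kim,nursing,yes,yes,yes,no,no
f.garcia,nursing,yes,yes,no,no,yes
g.nguyen,admin,no,no,no,no,no
"""

YES = {"yes", "y", "true", "1"}


def _flag(value):
    """Interpret a yes/no style CSV cell as a boolean."""
    return value.strip().lower() in YES


def parse_report(text):
    """Parse the CSV export into a list of dicts with boolean outcome fields."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        rows.append({
            "employee": row["employee"],
            "department": row["department"],
            "delivered": _flag(row["delivered"]),
            "opened": _flag(row["opened"]),
            "clicked": _flag(row["clicked"]),
            "submitted": _flag(row["submitted_credentials"]),
            "reported": _flag(row["reported"]),
        })
    return rows


def summarize(rows):
    """Compute drill metrics for the whole practice and for each department.

    Rates are computed over delivered emails only: a message that never
    reached the inbox says nothing about the employee's awareness.
    """
    def empty():
        return {"delivered": 0, "opened": 0, "clicked": 0,
                "submitted": 0, "reported": 0}

    overall = empty()
    by_dept = defaultdict(empty)
    for r in rows:
        if not r["delivered"]:
            continue
        for bucket in (overall, by_dept[r["department"]]):
            bucket["delivered"] += 1
            for key in ("opened", "clicked", "submitted", "reported"):
                bucket[key] += int(r[key])

    def with_rates(bucket):
        delivered = bucket["delivered"]
        bucket["click_rate"] = round(bucket["clicked"] / delivered, 3) if delivered else 0.0
        bucket["report_rate"] = round(bucket["reported"] / delivered, 3) if delivered else 0.0
        return bucket

    return {
        "overall": with_rates(overall),
        "by_department": {d: with_rates(b) for d, b in by_dept.items()},
    }


def followup_list(rows):
    """Employees who clicked or entered credentials and did not report the email.

    Someone who clicked but then reported it still did the right thing in the
    end, so they are left off this list.
    """
    return sorted(
        r["employee"] for r in rows
        if r["delivered"] and (r["clicked"] or r["submitted"]) and not r["reported"]
    )


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    summary = summarize(rows)
    print("Overall:", summary["overall"])
    for dept, stats in sorted(summary["by_department"].items()):
        print(f"{dept}: click rate {stats['click_rate']}, report rate {stats['report_rate']}")
    print("Invite to follow-up session:", followup_list(rows))
```

The report rate deserves as much attention as the click rate: a team that clicks occasionally but reports suspicious email quickly gives you a chance to contain an incident, whereas a team that never reports leaves you blind. Treat the follow-up list as a training roster, not a disciplinary one, for the same reason the post gives about avoiding a “gotcha!”.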
Conclusion
Your employees have a lot on their minds. Like you, they have a massive to-do list to get through on a daily basis.
Expecting your team to go through their daily activities while keeping all of the intricacies of HIPAA in mind isn’t realistic, especially if you only host one training session per year. Teaching awareness about the complex regulations surrounding healthcare is a dynamic process. What I mean by that is it requires constant nurturing and improvements.
Although annually training your employees is one aspect, it’s not the only solution. There are other direct and indirect methods you’ll need to implement in order to see the most success and foster a compliant environment.