Make Sure Your HR Policies Discourage HIPAA Violations

July 20, 2016

We often think of IT departments when we think of meeting HIPAA regulations, but the heart of compliance is in human resources.

If you want to make sure your practice is HIPAA compliant-and stays HIPAA compliant-you have to follow all regulations and stay on top of documentation. This may seem self-evident, but according to Steven Waldren, physician and director of the AAFP's Alliance for eHealth Innovation, when doctors are audited, it is common to find that they haven't kept their documents up to date. Just one example: make sure your designated chief security officer is on file. If this person has changed, make sure your documentation reflects that. Among the countless details a human resources department has to deal with each day, this may seem like small beer, but when the auditors come calling, you'll realize that it isn't.

Train Your Own

Thorough staff training is another area that sounds easier than it is. The basics, of course, are to make sure that all of your employees have been HIPAA trained. But if you really want to reduce your risk of HIPAA violations and of breaches of PHI, then you need to do more than the basics. "Make sure employees are thoroughly trained on your [EHR] system. Train all employees on HIPAA before they touch PHI the first time," said Ron Sterling, president of Sterling Solutions, a healthcare information technology consulting firm in Silver Spring, Md. Sterling also pointed out that you should re-train all new employees (again, before they ever touch PHI), even if they come from another protected entity.

Waldren also recommended that you educate staff on good computer security practices, making sure that they are aware of and understand how phishing scams work and know to be very suspicious of potentially dangerous emails that may contain malware. Have a specific and detailed protocol for downloading files, and make sure all employees are familiar with it.

Set a High Standard

Rules and policies don't do much good if there are no consequences for violating them. Your practice will be held accountable for HIPAA violations, and you should hold your employees accountable for actions that put you at risk for these. "Make sure your policies specify the potential repercussions of violations-and then follow through," said Sterling.

Being lax about HIPAA regulations is, Sterling said, "a substantive risk to your business." He pointed out that it's not just a matter of paying a fine and it's over. "When you think about the repercussions of a breach, you realize how important this is; there could be long term damage to your practice and reputation." It's not just about you and the feds. After a breach of data, your healthcare partners as well as your patients will have less confidence in you. But if you make sure your HR policies and practices are clear and up to date, and you respond promptly to any behaviors that might lead to a breach, protecting privacy, and maintaining HIPAA compliance will be just another routine.