Security experts and research confirms staff members are your practice's biggest weakness against HIPAA compliance. It doesn't have to be that way though.
Brand Barney consults organizations on HIPAA compliance all over the world. He says there is a universal truth regarding healthcare organizations when trying to keep patient data secure.
"Your staff members are your biggest weakness," says Barney, a security analyst at Orem, Utah-based SecurityMetrics, which provides HIPAA compliance solutions to practices and other healthcare organizations. While HIPAA is an American law, Barney explains that his company does data security training for international companies in contact with protected health information (PHI) from patients in the U.S. He says organizations of all sizes across the world suffer from this problem.
A recent survey from the Ponemon Institute backs up Barney's assertion. Nearly 70 percent of healthcare organizations polled by the research firm say that employee negligence is their biggest concern in securing sensitive patient data. Another research effort from Identity Theft Resource Center (ITRC) and CyberScout similarly found that one of the top causes of healthcare data breaches was employee error.
"I don't think staff members are trying to be malicious…what I see most often is they're trying to do their job. They're trying to increase revenue, increase patient satisfaction, and by proxy, they start to screw it up. And then we start to see vulnerabilities and threats acted upon. It becomes a sizable problem," Barney says.
Essentially, he says, physicians are focused on the patient experience and hand data security functions off to staff members, who are overburdened in their own right and thus, place data security on the backburner. This is especially true in small practices, Barney adds. Kyle Haubrich, counsel with St. Louis-based Sandberg Phoenix & von Gontard P.C., a healthcare law firm, agrees with that sentiment.
"Physicians went to school to be physicians, not to make sure they are complying with every single government regulation on healthcare. So they hand it off to the office manager to handle HIPAA compliance…and so the office manager is already overwhelmed trying to manage the office and then having to do HIPAA work," Haubrich says.
Often, Barney says, healthcare organizations will try to solve the problem by buying software that promises to solve all its data security problems. However, Barney says these technologies ignore the human aspect of HIPAA compliance and the fact there are no simple methods or silver bullets that can create a culture that is entirely data secure.
Bad Training Days
Perhaps the most pertinent factor that has led to employees being the top cause of data breaches, is inadequate HIPAA compliance training, experts say. Rachel Rose, a Houston-based attorney that focuses on various healthcare regulatory compliance issues, says HIPAA training often comes in the form of ineffective and incomplete PowerPoint slides or a boring third-party presentation. Servio Medina, chief operations officer for the cybersecurity policy branch at the Defense Health Agency, the health system that oversees 400 military hospitals and clinics, agrees and says often poor training comes down to a lack of passion.
"If we're not passionate and we're relying on a policy and a poster on the wall….we're going to fail because people aren't hearing [what you're trying to train them on] or it just doesn't resonate and they're not recalling it when they need it," says Medina.
There are ways that practices can make HIPAA training more effective, including making training sessions interactive and engaging. Medina says some methods include using contrasting color schemes (such as a black background with white font) and including personal anecdotes in presentations . Haubrich's training sessions include mock scenarios presented to staff members, rather than quizzes.
For her part, Rose says, "I find including cartoons or asking them for specific examples is very helpful [and] makes it more relevant for them verses just talking at them."
That latter aspect, making training relevant for healthcare professionals, rings true for Barney. He says that practices should try to find training tools and resources that can speak to specific roles in the practice. Using a catch-all HIPAA training security presentation, as many do, won't work because for instance, nurse practitioners will interact with PHI in different ways than front-desk workers. Moreover, a HIPAA training program geared towards large practices and hospitals won't work for small practices, Barney says.
One method to ensuring people are more engaged is to "outline people's [HIPAA security] responsibilities," he says, "instead of throwing the Bible at them. These people didn't go into healthcare for security. Figure out what's reasonable for each staff member."
One common failure in this realm, experts say, is practices trying to do HIPAA training in one-fell swoop. Haubrich says if you try to "jam it all into one training" the information will go over the employees' heads.
In fact, how often practices should undergo training is a minor point of debate. Haubrich suggests quarterly training or every other month, while Rose advocates for ongoing compliance efforts. "If there is a change in the law, either on a state or federal level, or the company has implemented a new policy on HIPAA, then that's something that needs to be disseminated to the staff before the next training regardless," she says.
Either way, the experts agree the "all or nothing approach," as Barney calls it, is never going to work in helping a practice become more HIPAA-compliant. Things have to be done in "bite-sized chunks," he says. He likens it to losing weight. "I lost 70 pounds. I didn't do it in a month, I did it over 18 months. If you had told me at the beginning that I was going to lose 70 pounds and here's how, I [wouldn’t have believe you]," Barney says. When people only look at the end result, it seems too hard to achieve, he says. This leads healthcare organizations to go for the silver bullet software solution rather than doing what actually has to be done to create a culture of compliance.
Another strategy to improving HIPAA compliance among staff members is an effective awareness campaign. Medina says using screen savers, and changing up the information on them from time to time, will help keep staff informed on the proper HIPAA-related procedures. He also recommends moving around different HIPAA compliance posters that are posted at the practice.
More than that though, Medina says engaging and impassioning staff members in the campaign will get the rest of the practice to pay attention, especially if it comes from leadership. "If you don't have people that are passionate or are at least demonstrating mild interest, you are already losing. It doesn't matter what's being said, people won't hear it," he says. The goal, he says, should be to create a culture where people are comfortable calling out others for a blatant mishandling of PHI.
A Culture of Woe
Not properly training staff on HIPAA compliance can lead to embarrassing and potentially costly breaches, according to experts. Barney says he went to a practice that thought it was faxing patient data to another physician's office, but they had the wrong number. They were actually faxing a tire company, who had to notify the practice about the mishap. Another organization he worked with created a Gmail account that staff members used to send PHI. The organization used one username and password for everyone to share and never changed it, even when people left the practice.
The emergence of hackers infiltrating health data presents an even starker problem than thoughtless mishaps. Haubrich says he's seen examples where hackers are calling up business associates, pretending to be a doctor, and gaining illegal access to the EHR. In these cases, the practice has done everything right and yet will still face a fine. And as noted, there is a high cost to a breach (Haubrich cites a report that says it's $402 per affected individual), not to mention the damage in reputation a practice will suffer.
The worst aspect result, though, comes to the people who your practice is trying to help in the first place. "If you put yourself in the patient's shoes, what if you had a breach of your information. What if you had to go through the hassle of canceling all of your credit cards and getting an identity theft check? Things of that nature are time consuming, painful, and could have been avoided," Rose says.
She fears the problem will only get worse for patients since PHI is becoming more valuable to hackers. "That's something to bear in mind, treat a patient's record like your own."