Ensuring HIPAA Compliance in the Workplace: An HR Perspective

Understanding HIPAA Compliance

Defining HIPAA Compliance

The Health Insurance Portability and Accountability Act, or “HIPAA”, sets standards to protect sensitive and individually identifiable Protected Health Information (PHI) from disclosure. Under HIPAA, any company or individual that comes into contact with PHI must implement appropriate protective policies and procedures. And implementing and following those procedures is a big part of what HIPAA compliance is all about.

Importance of Ensuring HIPAA Compliance in HR

HIPAA is enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). The OCR also interprets HIPAA provisions and says what HIPAA means.

Under HIPAA, even unintentional violations can lead to big problems, including:

• Financial Penalties. HIPAA violations can result in penalties for both the organizations and individuals involved. And they can result in expenses for hiring investigative IT professionals, offering credit monitoring help to victims and costs related to rehabilitating an organization’s tarnished reputation.
• Criminal penalties. For severe misconduct, particularly involving malicious intent or personal gain, HIPAA violations can lead to criminal charges and sentences of up to ten years.
• Operational disruption. Addressing HIPAA violations can lead to distraction and operational disruptions and to more frequent audits and assessments from regulatory bodies.
• Reputational damage. HIPAA violations and subsequent penalties can result in significant non-monetary losses, including damage to reputation and eroded public trust.

Navigating HIPAA Training

What HIPAA Training Is and When It’s Required

HIPAA makes training employees a central part of compliance with HIPAA.

• The Privacy Rule training standard requires covered entities to give HIPAA compliance training to their workforce about PHI-related policies and procedures and reporting HIPAA breaches.
• The Security Rule training standard requires covered entities and their business associates to give HIPAA compliance training to all employees on security awareness.

For new hires, HIPAA training must be provided “within a reasonable period of time” of their start dates. Employees must also be given refresher training within a reasonable time of a “material change in policies and procedures”.

And if that isn’t enough, HIPAA training must also be given “as necessary and appropriate” – often in response to complaints and incidents.

Components of Effective HIPAA Training

There’s no single recipe for a good HIPAA training course or how to train for HIPAA compliance in general. And HIPAA trainings can be tricky.

On one hand, employees need enough information to understand and apply your HIPAA policies, exercise good judgment and to know when to ask for help. On the other, they can’t be overwhelmed with detail and minutiae.

A good HIPAA course should demystify key concepts, explain requirements and cover subjects like:

• HIPAA Overview: The objectives of HIPAA, what HIPAA means, who the Act applies to, what the Act applies to, HIPAA definitions and how it’s enforced.
• Key Concepts: including PHI, the Minimum Necessary Rule, the Privacy Rule and the Security Rule.
• HIPAA Privacy Rule Basics: The importance, rationale and functioning of the Privacy Rule, and what constitutes for the permitted uses and disclosures of PHI.
• HIPAA Security Rule Basics: Including an introduction to electronic PHI, and the importance of keeping electronics secure and using encryption.
• PHI security and the link between HIPAA and your organization’s other cybersecurity policies and procedures.
• HIPAA Minimum Necessary Rule: Including the limitations on using PHI even when it is otherwise appropriately accessed.
• HIPAA Patient Rights: Including the rights individuals have to control what happens to their PHI.
• HIPAA Disclosure Rules: The circumstances where workers may have to use their judgment to determine whether PHI can be disclosed to family members or other third parties.
• Preventing HIPAA Violations: Including common HIPAA violation examples and how to avoid them.
• HIPAA Violation Consequences: Including consequences for both organizations and individuals.

HIPAA Compliance and How to Report HIPAA Violations

Notifying the Government and Media

HIPAA also imposes significant reporting requirements when a breach of unsecured PHI occurs.

With respect to the government, a covered entity must notify the HHS Secretary if it discovers a breach of unsecured PHI.

Breaches affecting 500 or more people. If a breach of unsecured PHI affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. Prominent media outlets must also be notified.

Breaches affecting fewer than 500 people. If a breach of unsecured PHI affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered.

Notifying the Individuals Involved

Covered entities must notify the affected people whose PHI was disclosed without unreasonable delay and not later than 60 days following the breach.

This notification must include a toll-free phone number for at least 90 days where individuals can learn if their information was involved in the breach and:

• A brief description of the breach,
• The steps affected individuals should take to protect themselves from potential harm,
• A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, and
• Contact information.

Examples and Case Studies

Common HIPAA Compliance Violations

HIPAA compliance involves a lot of moving parts. In part, that’s because compliance with HIPAA often involves different parts of the organization.

But it’s also because workers access an increasingly broad range of information just doing their jobs – creating more opportunities for mistakes and misconduct. Common HIPAA violations involve:

• Unauthorized access: Looking up protected information without proper consent or authorization.
• Improper disclosure: Sharing protected information with someone who doesn’t have permission to see it.
• Inadequate security measures: Failing to implement adequate security measures, like encryption and password protection or using simple or repeated passwords.
• Improper disposal: Disposing of paper records containing PHI in trash cans.
• Improper storage of digital data: Storing PHI on portable devices like USB drives or network drives without encryption.
• Email violations: Emailing unencrypted emails that contain protected information.
• Lack of HIPAA training for employees: Not providing employees with comprehensive training on the Privacy and Security Rules.
• Lack of HIPAA compliant policies: Not having a clear process for disclosing PHI when required by law or requested by authorized individuals.
• Failing to monitor: Not regularly monitoring who is accessing PHI.

Real-life Examples of HIPAA Compliance Violations by Employees

Many times HIPAA violations involve behavior that isn’t particularly surprising. Things like hacking attacks or lost laptops. But some HIPAA violations catch organizations by surprise.

Access Failures. Many enforcement actions don’t involve data breaches or disclosures to third parties. They involve covered entities that failed to provide individuals with their own PHI in violation of HIPAA rules.

In one case, two patients requested their PHI – but had to wait 5-6 months to receive their medical records. While you might write off the delay to busy workers or simple mistakes, settling the complaints cost the covered entity $200,000.

Responding to Social Media. Recent cases also involve covered entities that disclosed PHI when responding to negative social media attacks.

In one, four different patients gave their health care provider negative reviews online. In trying to rebut the criticism, the health care provider referred to the patients’ diagnoses and treatments – violating HIPAA.

Lack of Training and Process. In many cases, the problem is less the breach, than the investigation that follows.

For example, in one case, a hacker illegally obtained the access credentials of an orthopedic clinic’s vendor and then used the credentials to access the clinic’s patient information.

The problem wasn’t just the data breach. It was that, when the OCR investigated, it found the clinic had virtually no process in place to insure HIPAA compliance and made no effort to provide HIPAA compliance training. The clinic ended up paying $1.5 million in settlement costs.

HIPAA Violation Penalties for Employees

The OCR puts HIPAA violations into one of four categories. The categories – and size of the penalties – generally correspond to what the OCR considers blameworthiness.

• Reasonable Effort. The organization was not aware of the HIPAA violation and had taken reasonable steps to ensure HIPAA compliance.
  Penalty range: $137 to $34,464 per violation.
  Maximum Annual Penalty: $34,464
• Lack of Oversight. The organization had reasonable cause to know about the violation or should have known about it by exercising reasonable diligence.
  Penalty range: $1,379 to $68,928
  Maximum Annual Penalty: $137,886
• Willful Neglect – Corrected. The violation of HIPAA rules was corrected within 30 days of discovery despite being due to willful neglect.
  Penalty Range per Violation: $13,785 to $68,928
  Maximum Annual Penalty: $344,638
• Willful Neglect – Not Corrected. The organization’s actions constituted willful neglect of its duties under HIPAA and did not take corrective action within 30 days of discovering the violation.
  Penalty: $68,928
  Maximum Annual Penalty: $2,067,813

The good news is that most HIPAA compliance investigations are addressed through voluntary compliance and technical aid. But that doesn’t mean HIPAA violations are painless.

Resolving a HIPAA violation often involves a mandatory Corrective Action Plan. These plans can be costly – typically requiring things like training, regular monitoring and/or audits. And failing to follow a CAP can result in a separate set of penalties

The Biggest Challenge of HIPAA Compliance

It’s easy to reduce HIPAA to a long set of rules and procedures. And that is in part what HIPAA is about. But fundamentally, HIPAA compliance is about getting people to understand why PHI is important and why your organization does all that it does to keep it secure. If you start there, compliance follows.

Resources and Further Reading

Official HHS HIPAA Information

Instruction for Professionals
Advice on Compliance and Enforcement
Direction on the Privacy Rule
Guidance on the Security Rule
HIPAA Basics for Providers: Privacy, Security, & Breach Notification Rules

Related or Related Privacy Laws

HIPAA isn’t the only legislation addressing privacy rights. Many states have privacy laws regarding or related to health information.
Texas Medical Privacy Act
Information other HIPAA-related state laws
California Consumer Privacy Act and related regulations