Why Staff Are Your Biggest HIPAA Vulnerability

Editor's note: This is the third blog in a series of articles on HIPAA compliance and is produced in partnership with Total HIPAA Compliance. The second blog in this series discussed HIPAA training for your staff and can be viewed here.

While 2015 was accurately dubbed “The Year of the Healthcare Hack”, according to Experian’s 2016 Data Breach Report, 2016’s largest threat hits much closer to home – it’s your own staff.

The Experian report states, “While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by staff negligence will also continue to compromise millions of records each year.” Experian predicts that these staff driven breaches will actually cause more damage.

These smaller incidents collectively put you at a risk for an OCR audit, which in addition to being a distraction from your practice can also lead to fines and penalties. Even if there are none, a minor breach can add up in legal fees, patient notices and above all the cost of patient retention communication.

In most cases these are not malicious staff actions. The majority will be caused by lack of understanding and complacency. The first is very easy to address, you train and test your staff on your HIPAA Policies and Procedures, as required by HIPAA, so they understand the role they play in protecting health information they touch.

Complacency can be a little more difficult to remedy. Once you have trained your staff on your Policies and Procedures, they go back to their daily routine. Initially, they are more aware of HIPAA and protecting important data, but after a short while they let down their guard. After all, they know their job; they know your patients and a breach has never happened before so they begin to feel immune to the potential dangers. Fortunately, there are two steps you can take to keep your staff sharp:

  1. Educate them about the Value of Healthcare Data – It can be difficult for staff to understand why anyone would go to great lengths to get this health information. Helping them see what that data is worth in the wrong hands will give them more of an appreciation for the Policies and Procedures you’ve put in place to protect it.
  2. Remind them regularly – To maintain your HIPAA compliance, all of your staff should be trained annually, but it is unrealistic to expect them to keep that information at the top of their minds long term. Brief monthly trainings or reminders that touch on just one piece of your Policies and Procedures can be enough to make HIPAA a priority all year long.

Staff breaches may be the biggest threat to healthcare data this year, but it doesn’t have to affect you. The Experian Report points out that, “Organizations that implement regular security training with staff and a culture of security committed to safeguarding data will be better positioned for success.”

To learn more about protecting yourself from a breach and how to choose the best HIPAA training for your practice, be sure to check out the recording from our free webinar, "Updating Your Plan & Training Your Staff".

Jason Karn's picture

Jason Karn


Jason Karn is the Director of IT at Total HIPAA Compliance and has been active in HIPAA training since the inception of the 2013 HIPAA Rules. He is a co-author of all Total HIPAA 2.0 training for Agents and Brokers, Employers, BA/Subcontractors, Medical Providers and Dental Providers. He is a regular speaker, blogger and a significant Twitter influencer on all things HIPAA. Jason is also an accomplished opera singer and has performed across the US and Europe. Follow Jason on Twitter @TotalHIPAA.

comments powered by Disqus