Achieving Compliance: Updating Your Plan & Training Your Staff

Join Jason Karn of Total HIPAA Compliance and Dan Brown of Taylor English as they discuss the steps for updating your compliance plan and training your staff in this informative webinar. 

The first webinar in this series discussed How to Prepare for a HIPAA Audit, while future topics will cover Electronic Devices in Your Practice, tips for Preventing a Security Breach, and How to Respond to a Security Breach if one occurs.







Q: Does a Business Associate Agreement need to be updated? If so, how often?

A: The short answer is yes. A Business Associate Agreement, like your compliance plan, should be reviewed and updated any time there is a change in how PHI is being handled or accessed. For example, if your Business Associate begins contracting work to a subcontractor, this subcontractor and his or her responsibilities and access to PHI need to be addressed in your Business Associate Agreement. If there are no major changes to your working relationship, we recommend simply reviewing your agreements each year to ensure all of your bases are covered.

Q: If the physician brings his laptop home for work purposes, what does he need to do to comply with HIPAA?

A: All electronic devices that are used to access PHI, whether on-site or from a remote location like a home office, must be cataloged, and a record of check-in/check-out should be kept to track where the device is at any given time. Electronic devices should also be protected with a strong alphanumeric password, as this is your first line of defense should your device get lost or stolen.




Dan Brown: First, a little housekeeping issue: we're having our program today as an informational-only education program. It's not intended to provide any legal advice. We will discuss some general legal concepts, but you shouldn't take any of those as being legal advice to you by our firm or any of the other participants in the program. If you do have questions, however, there is a question protocol, and if you follow that, we can get to questions at the end of the program.


Omnibus 2013

Dan Brown: Okay, let's go right into it. Today's topic has to do with the Omnibus Rule of 2013. Now, what exactly is that? Well, you remember way back in 2002, the final HIPAA Privacy and Security Rules were promulgated. As you may recall, if you were in the industry then, it was just a big HIPAA freak out. Everyone went around and said, "My gosh. What do we need to do now in order to be compliant with this new law?" There's lots of things you need to do to be compliant, many of which continue on through this day, but after 10 years of HIPAA, in 2010, 2011, 2012, and 2013, it was decided that the initial pass at the Privacy and Security Rules needed a little tweaking.

In 2013, a whole new omnibus, or big bolus of new regulations that tweaked and added to the original HIPAA rules, came about, and all of a sudden we were faced with a second wave of HIPAA freak out activity, and we're still in the process of that as we try to digest these rules. We're going to talk about what those rules are and what's happened. The key points of the Omnibus 2013 were to give new rights to individuals in the protection of their protected health information, and also, important for us, it strengthened the government's ability to go after folks who fail to live up to their HIPAA obligations.


Business Associates

Dan Brown: Let's talk now a bit about business associates. The business associate is a key concept in maintaining HIPAA compliance, so let's just talk a bit. What is a business associate? A business associate is really any entity that performs an activity for the covered entity. Now remember, a covered entity is a healthcare provider, or a health insurance plan, or a healthcare information clearinghouse. If one of those three covered entities wants to hire an outside person, not part of their own workforce, but an outside person to perform an activity of the covered entity, and that business associate has access to the covered entity's protected health information, HIPAA requires that the covered entity maintain the confidentiality of the information it shares with the business associate.

How do we do that? The covered entity must take reasonable steps to be sure that the business associate treats the protected health information just like the covered entity does. What's the definition of one? We have usually the billers, the people who bill, the people who do the transcription; all those people are business associates. They do things for the covered entity. What did the HIPAA rules, the omnibus rules of 2013, do? Among the biggest things that the 2013 omnibus did was to layer all the responsibility and liability that a covered entity has with regard to protected health information onto the business associate. Poof. In 2013, before the rules, the business associate had no liability itself for its own failure to have a HIPAA compliance plan or for having information leak out of its system.

After 2013, the business associate had the exact same liability for securing and protecting the privacy of protected health information that the covered entity did. It was a very large expansion of liability to the business associate, and not only does the business associate have primary liability under the HIPAA Privacy and Security Rules, any subcontractor of the business associate is likewise required to maintain the confidentiality of, in this case, the covered entity's information via a subcontract. The business associate has to have its own business associate agreement with the subcontractor.

Here's an example: A covered entity, a doctor's office, hires a billing company, a business associate, to do billing for the doctor's office. The billing company in turn hires some outside contractor to look at some of the codes, and in doing so, the outside contractor uses the covered entity's protected health information. Poof. That subcontractor is a business associate doing things on behalf of the business associate, on behalf of the covered entity, and we have to have, in that case, two business associate agreements, and we will continue that downstream activity all the way to the very end, to the last person who has the information.

That's a key aspect of the new omnibus rules. If we think a little bit more about what's a business associate, the new omnibus rules make clear that for the very first time cloud providers are HIPAA business associates of the covered entity. What does that mean? Let's say you have an electronic health record system and all the records live in the cloud. It used to be that it was unlikely that the cloud provider would be a business associate, but after 2013 the cloud provider, or any service if you will, where those records are at rest and can be easily accessed, the entity or individuals who control that service or cloud is a business associate of the covered entity and it will be necessary, and is necessary, to have a business associate agreement with the cloud provider.

There are some exceptions. For example, the Conduit Exception still exists. You put paper or a disc in the mail. You don't have to have a business associate agreement with the U.S. mail or FedEx, but you would with the cloud provider or some other server that held the data at rest, and you would want to be sure to have a business associate agreement with them. Obviously, the cloud provider now has liability to the full extent of the covered entity.


Fines & Penalties

Dan Brown: We will talk a little bit now about some of the fines and penalties that are accepted. One change that drove the omnibus was the fairly lax enforcement of HIPAA overall. There is no private right of action under HIPAA. Basically that means if someone who feels like their health information has been improperly disclosed by the hospital, that person calls me up and says, "I want to engage you, Mr. Karn, to be my lawyer to go after the hospital for spilling the beans." I will have to tell that individual that I am sorry, HIPAA does not permit you to go after the hospital through me. I can't sue the hospital for a HIPAA violation.

The only way you can go after the hospital for a HIPAA violation would be to report it to the government, to the Office of Civil Rights of the Department of Health and Human Services, and they will, or will not, investigate, and for the first ten years of HIPAA they probably didn't investigate too much at all. It was very rare to have any type of investigation. I am the person thought to change that by expanding the ability of the government to go against violators, and they did that by first expanding the ability to go after providers or violators by giving State Attorneys General the right to bring actions for HIPAA violations.

Now, not that too many state AGs have this in their budget, so that has not been that effective, but by the same token the statute changed the rule to say that if the Secretary gets wind of a willful violation of HIPAA, then the Secretary must, absolutely must, they can't just stick it in a file saying we will get to it later, they are required by law to actually fully investigate. What does it mean if you have a willful violation? Well, I suppose if you know that your laptops are being taken home and there is no policy for protecting them, or if you know that there has been some type of breach, or if you know that you don't have a compliance plan in place, arguably that is willful disregard of the rules.

If someone causes the government to complain, someone goes to complain to the government and they find out it's a willful violation, they must investigate. There are civil monetary penalties involved, and they are a sliding scale. If you didn't know about the violation, it could be about a hundred dollars per violation, or up to fifty thousand. If you had reasonable cause to know about the violation, that is about a thousand dollars to fifty thousand per violation. If there was willful neglect, but you corrected it on your own, it's ten thousand to five hundred thousand per violation, and if there is willful neglect, you knew the things were leaking out the door and you did nothing about it, that is up to fifty thousand per violation, maybe per day, up to 1.5 million dollars per year.

It's really not 1.5 million per violation as per the slide; that's an annual calendar year maximum, not a per-event maximum. Here is an example of a violation that we just found out about today, and this is among the largest settlements that I have ever seen. It is a 1.55 million dollar settlement that was publicized just today, where the government assessed this amount and they agreed to pay. It's North Memorial Health Care of Minnesota, and basically, back in 2011, a laptop was left in someone's car and it was stolen, and almost ninety-four hundred protected health information records were set forth into the universe on an unencrypted, password-protected laptop, and during an investigation the government found that the hospital ...

Firstly, they hadn't done a risk assessment to figure out where all the risks were. Then they didn't have a policy to say what happens with lost laptops, but they also failed to, and this is amazing, they also failed to enter into a business associate agreement with one of their computer system providers who had access to all these medical records, and because of the failure to enter into a business associate agreement, and because they didn't do a risk analysis, the government held them liable and they ended up settling today for 1.55 million dollars. These are very real issues nowadays, and we can thank the 2013 rules for making that possible.


Common Agency Provision

Dan Brown: Let me move now to another issue where we can try to protect ourselves against some of these types of violations. Remember, if you're a covered entity or if you're a business associate, you have primary liability for violation of HIPAA. What does your business associate agreement say? I mean, if you're a covered entity you say, "Hey, business associate, I want you to keep the information safe and sound. You're not going to let it slip out, you're only going to use it for the sole purposes for which you're going to be using it, billing our services." I say that's what it is. What happens if the business associate bungles and lets a laptop out and all of a sudden there's this large liability?

If I'm the doctor, I'm going to say, "Hey, wait a minute. It's the business associate's fault. They're the ones who screwed up and let the laptop out in the barn," and it used to be, before these new rules, that that's exactly right. Yeah, that's right, the covered entity didn't control the business associate. There was no agency relationship, principal and agent. Yeah, the doctor's office would not be liable for the bad acts of the business associate. In 2013 with the omnibus, all that changed, in that the rules now specifically say that if the business associate is acting as an agent of the covered entity, then agency law applies, which basically says the principal is liable for the acts of the agent.

Under agency law the covered entity is liable just as much as the business associate, even though it's the business associate's own fault. How can we help mitigate that risk that you as a doctor's office are going to be considered liable for the business associate? The best way to do that is to deny that there ever was an agency relationship to begin with. Now this is a very fact-specific exercise. We can put in the business associate agreement that I'm the doctor's office, I'm the principal, you're the business associate, you're the agent, and you're not an agent. You're just doing your own thing as an independent contractor; you screw up, it's on your dime.

Just putting that language in the agreement is not going to save you. There needs to be a clear exercise of the business associate's activity outside the control of the covered entity, and that's kind of hard in a business associate agreement, because under the business associate agreement, if the business associate has knowledge that there is some screw-up with something or other, or let me put it this way: if the business associate has to amend one of the records at the direction of the covered entity, which is a common business associate agreement clause, that itself shows that the covered entity can direct the business associate to make the amendment within 30 days per the contract, and that direction alone, that instruction alone, could be sufficient to create an agency relationship, which means the liability flows back to the principal.

It's kind of a gray area, and it's really a facts-and-circumstances analysis, but keep those things in mind as you draft your business associate agreement to try to keep yourself from taking on the liability of the business associate. We talked a bit about what the enforcement provisions are and some of the business associate provisions, how those have been expanded, and I'm going to turn it now to Jason, who's going to talk a bit about what rights are available for individuals under the new law.


New Rights for Individuals

Jason Karn: Yes, there are many new rights for individuals. These are with the Omnibus ruling, we have to be very cognizant with what's happening here. A lot of these things have changed for you as a provider, and it's important that you know these items.

The first thing is, the patient can request a copy of their medical records in electronic form. It used to be that they would maybe request information from you and you could then print it off and say, "Here is your printed medical information." You can still charge for those copies. It's a minimal charge, usually about 10 to 25 cents per copy; it's not something that you're going to make a profit off, but something you can charge for that cost. Now, if the patient asks for those medical records in electronic format, you have to then give them to them in electronic format. You have to give it to them in the format that they requested.

Next big one, and this is a complicated one, but this is really quite important. If a patient pays in cash, and they pay fully in cash at the time, and asks the provider not to share the treatment with the healthcare plan, the provider has to follow that request. Again, they have to pay fully in cash at the time. If they pay only partially, or they pay and it's a canceled check, then they lose that protection. This isn't as important these days. It's interesting that this law was passed, because with the Affordable Care Act, there is no underwriting of healthcare plans. There's really not a reason to withhold information from your healthcare plan like there was before. It used to be, if you were diagnosed, say, with diabetes or cancer or something like that, and you wanted to keep that off your healthcare plan so you didn't have a preexisting condition, but now would be a reason that a patient might keep that off their record.

Some try to keep things off their records, for things like STDs, just for embarrassment. What it comes down to is if they pay fully in cash for a procedure and ask you not to file that with the healthcare plan, then you have to honor that. This does not include any mandatory reporting of any infectious diseases; this includes any hemorrhagic fevers, anything that is required to be reported to the CDC. That would also be certain STDs; that includes things like Zika virus now. Those things still have to be reported; it doesn't matter what the patient wants to withhold at that point, because that is part of the common good.

Any treatment, payment, and operations disclosures that you need to have, so that means if they're diagnosed with something, that does become part of their health record. It may not go to the healthcare provider, but again, it's part of their health records, so that you make sure you're treating the person properly. If there are any payment issues, then you're allowed to file that with the insurance company. Any of the operations disclosures that you need to make sure that things are running smoothly.

Reporting suspected abuse and neglect, this includes child abuse, spousal abuse, elder abuse, any of those things, you do have to report those to agencies. It doesn't matter what the patient requests, you are required to report those. Also any workplace medical surveillance. It is important to note that if you do have to release any information as far as workplace medical surveillance, you do need to give a written notification to the individual that you're disclosing that information. That's important to note.

Also, there are two other items that you need to be careful of, also disclosures ... Actually, one of the items, disclosures related to FDA products and activity. If a patient is paying for something off the book, doesn't want to report anywhere, but there are maybe some issues with a medication that need to be reported, or the FDA is asking for senses material with that medication or that procedure, then you do have to report that also. It's important to know those things.

There are also new limits on usability of patient data. This prohibits any sale of information without permission. There are restrictions on marketing and fundraising purposes, so it's important that you're very careful about what you're using that information for. Actually, Dan and I had a really interesting discussion right before this about what's considered marketing and what's not considered marketing. You have things where, if you are dealing with treatment, saying you need to come back in for your physical, or say you are a pharmacist and you're distributing drugs, you can send drug notifications to the patient; those are not considered marketing releases. Then also, if say you're a hospital and you have a new MRI clinic, or you have some new clinic or new doctor joining, that's very general, that's not direct marketing.

Direct marketing would be, "Hey, you have some disease and here we have a new treatment for it," talking about that outside of an actual sitting appointment with a patient, or maybe sending that material to them. You'd be very careful with that. Any time you're doing any fundraising and doing marketing, make sure you have signed disclosures before you start to do those. Last week we were talking about a group that was fined for putting up patients' testimonials on their websites with names and identifying information. They were fined 50,000 dollars for those violations. You want to be very careful about what information you're putting up on websites, how you're marketing information, how you're marketing to your patients.

I'm going to pass back to Dan here, he's going to talk a little about the new Genetic Information Nondiscrimination Act provision that was added.


Genetic Information Nondiscrimination Act of 2008 (GINA)

Dan Brown: Thanks, Jason. Just to talk a bit about genetics. Clearly, as medicine is moving and biomedicine is moving into the world of being able to look at individuals' genetic makeup and their predisposition for significant diseases, that information is highly sensitive, and how was HIPAA going to treat that? The federal government, I think in 2008, came out with the Genetic Information Nondiscrimination Act and kind of let it sit around for many years. We don't really know how this is going to work out, but we want to protect that person's genetic makeup from being used in the marketplace by employers or health insurers, so after a few years they said, "Hey, here's what we'll do, we'll have the HIPAA rules kind of generate the rules for how this new GINA Act is going to work," and that's just what happened.

In 2013, with the new omnibus rules, the HIPAA rules came out, and then all of a sudden we have an understanding of how this GINA is going to work. GINA works along 2 different tracks: one is an employer-employee track and one is the health plan track. The employment component basically says that employers may not request or require or use genetic information in their hiring decisions or for other discriminatory purposes. Obviously, I suppose if an employer wants you to take a urine test before your employment in order to determine drug or alcohol problems, they can also ask for some genetic test to see if you're predisposed to contract cancer in 3 years and therefore they won't hire you, so that's illegal.

The other side of the GINA law is the health insurance component, which basically prohibits insurers from using your genetic information in setting premiums or underwriting or determining eligibility. Now again, the Affordable Care Act kind of did a number on the preexisting condition requirement, and let's face it, an insurance company back then could use your genetic information, or theoretically they could use your genetic information or that of your parents or even up to your great, great grandparents, up to the 4th degree of blood. They could use that information to determine whether or not you would be a good risk for their underwriting pool and not let you come in and be an insured party.

Fortunately, Obamacare doesn't permit those types of discrimination anymore, but we still should be aware of what exactly the GINA rules do. Basically, they say that our healthcare plan, other than, very interestingly, a long term care plan, but not a nursing home care plan, but if we have a long term healthcare plan, arguably they can use genetic information to determine underwriting or predisposition, but other than that, insurers may not use genetic information in determining the appropriateness of either a treatment or, say, benefits you're seeking.

Let's say the doctor says, "Well, let's have a stent for your heart," and the insurance company can't say, "Well, we've seen by their genetic disposition they're going to die of X in 6 months anyway, so we're going to deny coverage for the stent." I mean, that's illegal. That can't happen under these new rules. There are definitions of what genetic information is, whether derived from a test or whether it's manifested. For example, it's not illegal for me to say my great grandmother, my grandmother, and my mother all died of breast cancer, and that in and of itself is not genetic information, as long as the physician is looking at me and, assuming we're female and we're susceptible to breast cancer, if they look at me and have that knowledge in the back of their mind and they make their own determination whether or not that family predisposition is there.

That's not genetic information that's impermissible to use under the law, but if my physician only looked at, for example, my blood work and made that determination, or my DNA work more specifically, and determined that I had the marker for predisposition for breast cancer and they didn't look at me at all, or the patient at all, well, that is genetic information, notwithstanding the family history they've got behind them. That's kind of the general rule; you just need to know that there is a protection against using your genetic disposition and your genetic family history in employment decisions and in treatment and insurance coverage decisions.


Updating Your Compliance Plan

Dan Brown: I know we want to talk a bit now about, we've got all these rules kind of in our head. How can we take action to make sure that we're complying with dual rules? We want to address your compliance plans next. You know, before, arguably, when HIPAA first came along ten years ago, everybody said, what do we do, what do we do, and we created a compliance plan and a notice of privacy practices and a business associate agreement. After the 2013 law we are now required to look at those three things and say, do we need to make any updates to our compliance plan? Do we need to make any updates to our business associate agreement? Do we need to make any updates to our notice of privacy practices? And the answer is yes. We are required now under this new HIPAA omnibus to go back, dust off this stuff, and make it up to date.

That's really, I think, the gist of our presentation today: if you've got a HIPAA compliance plan and all these compliance issues and documents hanging around your office, well, if you haven't updated them consistent with the 2013 omnibus, you need to. What's involved? One thing we might want to look at, we need to consider a change in compliance officials. I mean, do you have a compliance, I'm sorry, a privacy officer or a security officer in place? You know, make sure that you do. Do we need to change the computer operating systems? Let's say you've got a new Windows 10; is that something that's going to require a security analysis to determine if your protected health information going through this new operating system is consistent? What about your IT vendors? Well, we want to take a look at those and see whether or not we've had some change, and if so, do we have a business associate agreement with them? Are there changes in the law? Obviously, we need to consider that. For example, there are some new provisions your business associate agreements should have contained by, I think, the end of 2014.

We're kind of two years late on that, and you know, notices of privacy practices needed to be updated and tweaked. Are there any disclosures related to privacy or security breaches? That's pretty important, privacy and security breaches, and I think we'll talk more about that in another program, because that has some very significant issues. I mean, just think about Target, when their consumer payment system got hacked, and the liability that they had. Well, what happens if we lose a laptop or our electronic health record system gets hacked? What are our obligations, and what are the costs and the remedial actions we have to take? Keep that in the back of your mind; just think about what you need to do in order to keep your HIPAA issues up to date and consistent with the new law, and Jason, I think you'll talk a bit about some training issues.


Training Your Staff

Jason Karn: Training your staff. We've seen this as a very important aspect of your plan. It's important to not only have the plan and make sure that it's up to date, but if your staff doesn't know anything about your plan or understand the specifics of what you do, then it's almost as if you don't have a plan. There is a really interesting report that came out in 2016 from Experian, and they have 2015 as the year of the healthcare hack, and the reason is healthcare information, they determined, is more important and more valuable to a hacker than any other information. Credit card information, that's good for maybe $100; you can shut down a credit card really fast.

There are rules in place that say, "Hey, you know, I'm not responsible for that information," but the problem comes as, how do you turn off your health information? That includes your social security number; a lot of times it has where you're located, and it just has a wealth of information that somebody can use not only to mimic you and go out and get healthcare for themselves, or we've seen people using it to apply for micro loans, or also using it at tax time, using it to file IRS returns and to get that money back, so we've seen lots of that. It's really important, because you need to impart on your staff how important this is, and that really a lot of these breaches come from problems that staff members create, and it's not malicious.

It's almost like a complacency, so you really need to educate them about how valuable this information is, not only financially to hackers and to other people outside of your practice, but how important that is to also keeping your practice going. I've said this before: you guys are in the realm of trust. I think that's one of your biggest items that you have, that your patients return to you because they trust you, and if you have a hack and you have that conversation with, "Hey, I'm really sorry we had this hack, this is what we're doing," that's a very expensive prospect for a practice, not only to try to remedy that breach but then also the attrition that you would have.

I saw a report that said that somewhere around 50% of people under the age of 40 would leave a provider if they were notified of a breach, so I mean, that's a pretty significant amount of people that would cease to use your services, and that's hard to recover from. What is required? You're required to train your staff not only on the law; now, when I talk about staff, I want to also let you know how important it is for IT staff, front desk staff, any volunteers; they are important, they have to be trained because they come in contact with PHI, that's important to remember. They also need to know about your policies and procedures. Generally they need to know what the law is and they have to understand it, so there are two parts to that.


Methods of Training

Jason Karn: You have multiple training choices. What is the best thing to choose? I'm going to talk about three different options that you have for training. You can do it yourself. You can use the office manager or somebody on your staff who has a great understanding of HIPAA. At that point, it can be very cost effective. It's really easy to incorporate new staff because you have a staff member doing the training and they have familiarity with the policies and procedures. I would recommend, if you go that route, to have somebody who is either the security officer or the privacy officer for your practice, it is the privacy. It could be the same person being both privacy and security officer. Some of the weaknesses that you might come up against is, does your staff member really know the ins and outs of HIPAA?

Are they really an expert on it? Did they go to a weekend seminar on this, or have they actually been studying up, following what's going on with the law? Things have been changing. You've seen some changes and seen some updates, and I think we're going to see a lot more updates in the next probably 6 months with the new audits coming down; we're going to see more clarifications that are going to be happening. You have to keep those records on site. We want to make sure that whoever is doing the training is very well organized, making sure they're keeping those training records. They know who's been trained and when they were last trained.

It's difficult to keep up. Sometimes it is difficult to get scheduling together with people coming on, especially with really busy practices. You're limited in the amount of time that you can grab nurses and front desk staff and get everybody together. As we said, ongoing training development can be really difficult in keeping on top of that. Your next option is bringing somebody in. A lot of times that could be a lawyer, that could be a HIPAA expert that you could bring in for a half day or a day. The nice thing about that is you have an expert who is well-versed on what's going on with the law, knows the ins and the outs. You have increased staff engagement because of the person in there.

You may have been saying for weeks, months, years, items that you need your staff to be careful about. They may tune you out. It's nice to have somebody come in who is an outside resource and say, "All right. This is what we need to do." They say it, maybe in a little bit different way. That can really have strength in that training. Some of the weaknesses with that is how do you incorporate new staff. If you have a lot of attrition, a lot of turnover in your practice, it can be difficult to get people up to speed and make sure that you get somebody in the training, because you want to get people trained before they start dealing directly with patients, because they need to understand what their responsibilities are.

HIPAA is very important and very important to your practice. Finding time to train everybody together can be hard, and it can be very expensive. A half day with a lawyer, with prep time, starts at about $2600. You have to think it's $2600 and up. It could be somewhere in the $5000 range. That's just one time. Depending on the size of your staff, is that really a cost effective use of your resources? That's something to think about also. You'll also be spending that money and wouldn't necessarily have a plan with it, depending on if you can work out a deal about getting a plan with that also. That can be a very expensive way to go about it. Then, there's online training. That is very cost effective. It's easy to get staff incorporated.

You can normally either buy a license or get your license activated, depending on what your online training provider does, how they work. We give you groups of licenses. Some do it as one-offs. It just depends on the company that you work with. It's really easy to get in, and new staff can get in really quickly. Staff can do training at their convenience. Usually what you do is set a 2-week, 3-week time limit. You say we need you trained by this point. Either they bring you a certificate or, with our training, you can actually look online and see that your entire staff has been trained. It's important that you keep on top of that and you monitor that. The online training can be good for that.

Now, it's important to make sure that the online training that you're using is actually up to date. Sometimes people put those up. We've seen some that aren't up to date or might use old language as it comes up. You still do have to train your staff on the specifics of your plan. That would be things like what your password lengths are, how complex your passwords are, how they're supposed to text with people. Texting can be really complicated. We're going to talk about that with electronic devices in the next webinar. How you're e-mailing, what e-mail encryption programs you're supposed to be using, what sort of appropriate communication method to use with patients. Those are important things to think about.

This can be really cost effective. If you get the whole plan and training together, I know for smaller practices, we start at $75 a month and that includes a training license for up to 5 and compliance documents. It's a really nice plan that you can get into. It's very cost effective. I know there are a lot of other providers out there. One of the things that I would warn you about as you get into some of the online training is that a lot of the providers that we look at go with death by PowerPoint, where they read you the PowerPoint, and those are difficult sometimes for your staff to follow along with. I would definitely audit your training beforehand.

Most, if not all, providers will let you have one license and go through and take the training and see how that works for you. See if you stay engaged, because the last thing you want is a staff member going through something and falling asleep and not retaining that information.


Key Items to Cover in Training

Jason Karn: What kinds of things should you be covering in training? As we've talked about, you really need to have a good general understanding of the HIPAA regulations. This is knowing about things like GINA, knowing that that information is also protected as protected health information. Knowing that if a patient pays in full, they then don't ... They can request not to have that information sent to their insurance company. Those ideas about what a breach looks like, how you're going to respond to your breach, so those are things you need to understand with HIPAA.

How do you use computers to access PHI? What's the appropriate way for that staff member to access the PHI? Using their username, password, how often that needs to be changed. What are the security requirements? Those have changed significantly since 2013, as we were talking about earlier, so making sure that staff understands that. How to recognize a hack? That's if screens look different, you're seeing login screens that you've never seen before, as we saw with the hospital out in LA. Actually, their computers were taken over by ransomware, so if they're locked out, they may have been able to stop that earlier if people had noticed changes before then. It's having your staff feel comfortable to say to IT, "Hey, something's not right here. I'm not sure what's going on," and knowing that that's okay.

How to use encryption? Encryption would be making sure total disk encryption is enacted on all your mobile devices and also e-mail and texts. Texts are really important; I know a lot of people like to use texts. Using the texting that's on your iPhone or Android phone is not acceptable. As I said, we'll talk more about that in the next webinar about electronic devices. Your password policy, that's very important. That is probably, if not the most important thing, for your staff members to know and to follow ... Actually, I'm going to retract that. It is the most important thing. That is usually the weakest link for any sort of security program.

Then understanding what those sanction policies are, knowing that if they make a mistake there are consequences for those mistakes. It could be that that person goes through a retraining; it could be, if it's happened multiple times, that that person is suspended, or even terminated as an employee. I know that's not a fun thing to talk about, but it's very important and it is required under HIPAA to have those policies in place and to train your staff so that they know and understand that those policies exist.


How Often Should You Retrain Staff

Jason Karn: And so how often do you need to retrain staff? Well, at a minimum you should always retrain annually. We all forget things. I wish I could say I remember everything that was taught to me even last week, or things I read last week. We forget things, it's easy to do. So at least annually; quarterly updates I think are a great idea just to remind people of, hey, this is how we use the fax machine, make sure you're using cover sheets. It could take 15-20 minutes in a staff meeting just to sort of refresh people with what's going on in security and what's going on in compliance, and any changes you may have had in your plan at that point. Also anytime there's a breach. Anytime you have any sort of security issue on site, you want to make sure you go back and retrain staff.

90% of the time it's going to be that there was a staff issue. Somebody made a mistake. If your systems are up to date, you've been pushing your security updates, the chances of a hack coming from a security standpoint are on the lower side. I'm not going to say it's impossible, but it is a lower possibility. Normally where we're seeing issues is staff complacency. People not realizing that they can't send documents certain ways, or talking about things outside of work loudly; those kinds of issues we're seeing a lot more of. So it's very important to keep those under wraps.


We appreciate your interest and know that maintaining compliance with HIPAA can be a big task. If you're still a bit behind schedule, our partners at Total HIPAA Compliance and Taylor English are available to provide expert HIPAA compliance training and consultation.