Archive for HIPAA Staff Training

Remember the mistakes that cost Rite Aid Corporation and CVS Caremark Corp. millions for HIPAA violations? Disposing of pill bottles in public trash containers without shredding them?

They could have been avoided by simply enforcing HIPAA policies and procedures and providing ongoing staff training, experts say.

There is a right way to avoid a HIPAA violation here – and we show you the way in our new HIPAA/HITECH video.

HCPro, Inc.’s Privacy, Security and You: Protecting Patient Confidentiality Under HIPAA and HITECH, Second Edition is the updated version of our best-selling HIPAA training video that covers both privacy and security training.

Check out this clip about pill bottles, one of several case examples included in the video.

The DVD video also covers important HIPAA compliance matters such as:

  • Laptop security
  • Identity theft
  • Discussing PHI in hallways
  • E-mail encryption
  • Misdirected faxes
  • Family-member inquiries on PHI

If you want more information, go to the video’s page on our marketplace.

Thanks!

Dom Nicastro
Senior managing editor
HIPAA Update
dnicastro@hcpro.com

Mar 09

HIPAA security officer aces OCR investigations


Cignet Health’s failure to cooperate with the government’s HIPAA privacy and security enforcer just cost the Maryland hospital system $3 million.

It cost the system another $1.3 million when it failed to provide patients copies of medical records within 30 (and no later than 60) days.

The message can’t be any clearer: when the Office for Civil Rights (OCR) knocks, answer the door.

About 48 hours after the Cignet news broke, OCR announced a $1 million settlement against Massachusetts General Hospital in Boston for an incident involving the loss of 192 patient records belonging to Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.

Get it? It’s a crackdown.

One security officer who “got it” before Cignet’s landmark fine and settlement were announced is Greg Young.

Young, the information security officer at Mammoth Hospital in Mammoth Lakes, CA, has worked with OCR on a handful of investigations.

“I never had the sense they were going to let me get away with anything,” Young says. “They were pretty demanding and yet always professional. At one point they reminded me that they have the last word. Though I thought I was cooperating, they wanted more details. I’m amazed that Cignet got away with as much as they did for as long as they did.”

One investigation involved a former employee of the hospital who claimed his medical records were accessed inappropriately. OCR’s investigation took about five to six months. Federal officials concluded that there was no such inappropriate access.

During the investigation, Young retained all his hospital’s communications between the former employee and OCR in an electronic file. He also kept the audit access logs on the employee’s medical records, copies of which OCR requested.

“It was reasonable, and I shared everything with them,” Young says. “We documented the incident report and the e-mail exchanges. I created an electronic folder and put copies of emails, phone calls and notes into it and had an investigative log in there that has the timeline of all related events. They wanted me to produce audits of the complainant’s record, and they ended up agreeing with us.”

Another OCR investigation with Mammoth involved a patient who claimed a co-worker should not have been allowed in the treatment room, though it could not be corroborated that the patient ever expressed that during the stay, Young says.

The end result came when OCR asked Mammoth to change its policies and procedures and be more proactive to ensure patients know they can refuse certain folks’ presence in their hospital room.

“OCR wants to see you are taking these things seriously,” Young says. “If you don’t, they don’t hesitate to inform you there are really going to be consequences.”

Today, Young is as proactive as ever about training. One big part is issuing commendations. In fact, he awards folks for good privacy and security practices by distributing one-page commendations to individual employees, their managers and human resources.

It’s little things like this that help employee morale – and help when OCR or state auditors come knocking.

“It’s great for the employees,” Young says. “And now, maybe they see that Greg is not just looking for the bad guys, he’s looking for the good guys, too. And we’re using the commendations as a tool for any regulatory agency that wants to audit us. It shows historically we encourage people to report things and then proactively respond by immediately addressing the risk before it becomes something reportable.”


First things first. I am not sending this clip to Hollywood in hopes that my acting talents as a laptop thief are noticed in time for the making of the Departed 2.

My day job will remain my day job – and that’s to write for HCPro, Inc. and HIPAA Update some HIPAA compliance news, tidbits, tips and now, the latest, a HIPAA training DVD video.

So along with my acting debut, I proudly unveil HCPro, Inc.’s Privacy, Security and You: Protecting Patient Confidentiality Under HIPAA and HITECH, Second Edition. It is the updated version of our best-selling HIPAA training video that covers both privacy and security training.

One of the best ways to train staff is to show them the right and wrong way to do their job. And that’s what our DVD video does.

Check out this clip to see what I mean.

If you want more information, go to the video’s page on our marketplace.

Thanks!

Dom Nicastro
Senior managing editor
HIPAA Update
dnicastro@hcpro.com

Jan 06

HIPAA training tip: Be a resource for your workforce


Editor’s note: This is the fifth in a series of tips to help keep your staff HIPAA compliant.

The smartest route to compliance is for staff to know where to get the information they need, says Brandon Ho, CIPP, HIPAA compliance specialist for the Pacific Regional Medical Command based at Tripler Medical Center in Honolulu. Ho makes sure staff members know he is available to answer their questions about everything, from possible breaches to best practices to prevent HIPAA violations.

As compliance officer, Ho provides in-service training, classroom sessions, and continuing education. He says simple methods, such as sending weekly HIPAA tips via e-mail or walking through work areas to look for problems, can also increase the effectiveness of training.

Nov 01

Tips to get your team HIPAA-ready


Editor’s note: This is the first in a series of tips on training your staff to be HIPAA compliant.

Develop policies that address training requirements. Organizations must develop policies and procedures that address security awareness training as required by the HIPAA Security Rule. In its 2009 audits, CMS recommended covered entities develop and formally document policies for the development, administration, and monitoring of initial and annual refresher training courses. CMS stated that these policies should do the following:

  • Require that all newly hired employees complete initial training prior to having access to ePHI. The requirement should apply to employees and temporary workers, as well as contractors and vendors.
  • Require any individual with access to ePHI to complete refresher training at least annually.
  • Require that management review and revise both the initial and refresher training courses at least annually to ensure that the courses are current.
  • Incorporate into training potential threats that the organization identifies as new risks through its assessment process.