Why HIPAA Compliance Training is Important
HIPAA compliance is an ongoing process, and one of its most important aspects is making sure that your staff members participate in compliance training and awareness programs regularly. All covered entities under HIPAA are required by law to provide training resources for all members of their workforce. An ongoing compliance training program is crucial not only to ensure compliance and protect the PHI of your patients, but also to protect your practice from potential fines and penalties for HIPAA & HITECH violations.
Incidents happen to covered entities of all sizes; this is simply a fact. As a law, HIPAA is designed with provisions to address these unfortunate situations. The reality is that no organization is 100% protected from data breaches, theft, loss of devices, or the actions of untrained employees, any of which can trigger an audit by the Department of Health and Human Services (HHS). We hope this never happens to you; however, we would like to explain why this part of the compliance plan cannot be overlooked, so that your management team and compliance officers understand the importance of an ongoing, documented training program.
One of the most important factors when HHS and other law enforcement agencies determine the level of culpability is whether the incident was a result of negligence on the part of management, or simply an event that was beyond the control or knowledge of anyone in the organization. Further, they consider whether management had previously taken the necessary steps to prevent the incident, or whether the incident was caused by a lack of systems and safeguards. The entire new tiered penalty system of the Final OMNIBUS Security Rule enacted in September of 2013 is structured around these factors.
We have already mentioned that all covered entities are required by law to provide training resources for all members of staff. In addition, the law requires all training sessions to be documented. This requirement is often overlooked by compliance officers; however, it is designed specifically for the purpose of determining the level of culpability in the event of an audit. Let us explain why this is important.
In the event of a data breach or other incident that triggers an audit, if a covered entity cannot produce training logs and the other documents that HHS considers the core of compliance documentation, it becomes very difficult to convince the authorities that the incident was not the result of a lack of proper training and safeguards.
A lack of training logs and other required documents can turn what could have been a simple request from HHS to make the changes necessary to avoid such incidents in the future within 30 days into a finding that the incident resulted from a violation committed through negligence. Penalties for such violations are severe, up to $1.5 million per violation per calendar year. In addition, if it is proven that management was aware of the issue, or was involved to some extent, this can result in criminal penalties and even imprisonment.
Make sure you have the resources your staff need to succeed, and to help you protect your practice and the information of your patients. Take a look at some of the programs we offer. Some of our annual plans cost about as much as most people spend on a family dinner, and include $100,000 of protection against data breach related violations.