A little oversight can lead to a lot of trouble. Employees who aren’t prepared to securely handle patients’ protected health information (PHI) can accidentally cause breaches and leak tens to millions of private records. Why does this happen? In many cases, managers fail to train their staff in HIPAA compliance.

HIPAA compliance training shouldn’t simply check the box and call it a day. Training must be ongoing, detailed, and tailored for each department. With regular training, managers can address risk areas as they arise, from a lack of breach preparedness to improper use of the nurse’s station white board. Detailed and focused training goes beyond the building blocks of HIPAA by bringing to light little-known rules or exceptions to the rules.

Below are some trouble areas managers should address in HIPAA training:

Disclosing PHI

The Release of Information Office is at high risk for disclosing patients’ PHI without the right authorization. HIPAA training should make sure employees understand the federal and state requirements for releasing PHI to requesters. How will they verify if a requester is authorized to receive PHI? When can they deny access to a requester? Ongoing HIPAA training should address how and when PHI may be released. You can use case studies to help train your staff on impermissible uses or disclosures of PHI.

Recognizing a Breach

When PHI is handled daily in all departments, a human or technical error can cause a breach at any time. Staff members should assume an impermissible disclosure of PHI is a breach until shown otherwise. However, some impermissible disclosures – by exception – are not breaches. Therefore, you should train your breach response team on these exceptions.

Using Professional Judgement

In some cases, employees may use professional judgement to do what is best for the patient. For example, a person acting on behalf of another may pick up that person’s prescriptions or X-rays. Doctors may also exercise judgement when a person needs treatment but is incapacitated. In this case, doctors may disclose PHI to family or friends so they can treat the person. Staff members should know in what cases they may use their judgement.

Using the Nurse’s Station White Board 

In their HIPAA training, nurses need to learn what they are allowed and not allowed to write on the nurse’s station white board. For example, HIPAA allows you to write a patient’s name, diagnosis, or other relevant information on the board. Furthermore, nurses should use shorthand to write the minimum necessary information they need. Although visitors or other patients may accidentally see the board, it is okay, as long as physical and administrative safeguards are in place.

Identifying Victims of Abuse, Neglect, or Domestic Violence

Signs of abuse, neglect, or domestic violence may be subtle. Doctors, nurses, and medical technicians must be able to not only spot the signs but also follow the proper protocol. They may need to give the patient’s information to a government authority, social service, or protective service. Therefore, you should train staff members to recognize the signs and report these cases to the proper authority.

Speaking to Law Enforcement

Additionally, you must train emergency room staff on how to talk to law enforcement officers. ER staff members may disclose PHI – such as name, address, date of birth, social security number, blood type, injury and treatment information, and physical characteristics – to help identify or locate a suspect, fugitive, witness, or missing person. However, they are not allowed to disclose someone’s DNA, DNA analysis, dental records, or body fluid/tissue analysis to law enforcement.

HIPAA training that goes beyond the basics gives your staff the knowledge they need to properly handle high-risk situations. However, ongoing and detailed HIPAA training is easier said than done. Everyone is busy with day-to-day operations, so who has the time to nail down the finer points of HIPAA?

The HIPAAtrek, Inc. software manages HIPAA policies and procedures and keeps track of each employee’s training tasks in a streamlined interface, making ongoing HIPAA training a customized ­– and automatic – process. HIPAAtrek, Inc. helps you reduce risk and increase compliance. Contact Sarah Badahman at sarah@hipaatrek.com to learn how you can simplify your HIPAA training.