We all know that we must train our employees in HIPAA compliance, but this training is boring. How can we make the training interesting so that it is more effective?

This initial training provides basic HIPAA principles—the building blocks for privacy and security. Training can be delivered through seminars, web-based courses, slide shows, etc. Regardless of the method used, HIPAA requires staff to be trained soon after starting their job. Should this just be a one-time training, or should staff be trained on a periodic basis?

The privacy rule is not specific about recurrent HIPAA privacy training, but most organizations provide some form of periodic training. Find a clear objective that targets specific issues and risk areas for repeat training. Let’s look at a few examples:

Release of Information Office:

Impermissible disclosures are the highest risk area for this department. Not only does your staff need to know the basic steps, they also must understand all the federal and state requirements around release of PHI. What are the formats for providing copies? What are the time frames for responding to an access request or an authorization to disclose?  What does HHS/OCR consider a patient barrier to obtaining PHI?  When can staff deny access to the requester? How much may they charge for copies? How will they verify if the requester is authorized to receive the PHI? Since unauthorized disclosures are such a major risk, it is important that your staff is trained beyond the HIPAA basics. To make training meaningful to this department, you must ensure they are trained on all the little things that could add up to big trouble if not handled properly.

Victims of abuse, neglect, or domestic violence:

These types of cases are not found only in an emergency room. Sometimes, patients arrive at their primary care provider with evidence of abuse, neglect, or signs of domestic violence. Train doctors, nurses, and medical technicians on the proper protocol when they suspect this is occurring with a patient. They may disclose this information to a government authority, social service, or protective services authorized by law to receive these reports. Train them in advance and have the number to local protective services available so they will be prepared should they encounter such an event.

Breach Notification Rule:

Breaches affect everyone in your organization. As such, the breach notification rule also affects everyone. A breach can occur anywhere, so it is important to train staff to recognize a potential breach and to know to whom to report it when it occurs. Remember, every impermissible use or disclosure is presumed to be a breach unless a risk assessment indicates otherwise. There are some exceptions to a breach that your response team should be aware of as well. The entire staff team should understand what an impermissible use or disclosure is and how to recognize one. Case studies can help train your staff on recognizing what HHS/OCR considers impermissible.

Pharmacy and X-ray Department:

The privacy rule allows the organization to use professional judgement to determine what is in the best interest of the patient. This includes allowing a person acting on behalf of another individual to pick up their prescriptions or their x-rays. Train your pharmacy and X-ray staff members on this provision in the rule.


Train staff that an authorization is no longer required to disclose immunization results to a school that requires proof of immunization before admitting the student. Only an agreement from the parent, guardian, or other person acting in loco parentis of the minor is required.  The agreement may be made verbally. Afterwards, make a notation of the agreement in the patient’s medical record.

Disclosing to Family and Friends:

HHS/OCR has reminded us that a health care provider can disclose PHI to family or friends without the individual’s opportunity to object, if it is in the best interest of the individual as determined by the provider. This is especially important when a patient is under the influence of opioids and is not able to communicate because the patient is incapacitated. Time is usually of the essence, and staff may disclose to that family member or friend in order to facilitate immediate treatment to the individual. Ensure your staff understand this provision in the rule.

Nurse’s Station White Board:

There continues to be confusion regarding what is allowed on the nurse’s station’s white board. The HIPAA rule does allow you to write a patient’s name and diagnosis, and other pertinent information on the board. You should annotate the minimum necessary on the board,  but not so little that it causes confusion or can lead to a patient safety issue. If a visitor or another patient sees information on the board, this is viewed as an incidental disclosure and acceptable as long as administrative and physical safeguards are otherwise in place. You may see these white boards in surgery and recovery rooms, or pain centers as well.

Law Enforcement in Your ER:

Law enforcement is a tricky issue in your ER. Most of your staff will want to help law enforcement; however, there are a few special considerations that you should be training your ER staff on. Your ER staff should know they are allowed to disclose PHI to law enforcement to assist them in identifying or locating a suspect, fugitive, material witness, or missing person. Having a checklist or operating guidelines handy will help the staff when this event occurs. The PHI that staff can disclose includes:

  • Name
  • Address
  • Date and place of birth
  • Social security number
  • ABO blood type and Rh factor
  • Type of injury
  • Date and time of treatment
  • Date and time of death if applicable
  • Description of distinguishing physical characteristics such as height, weight, gender, race, hair and eye color, facial hair, scars, or tattoos
  • You may NOT disclose the individual’s DNA or DNA analysis, dental records, or analysis of body fluids or tissue

These are just a few examples of training topics beyond the basics where you can provide your staff with real world scenarios and arm them with the proper steps to take. Consider this approach and look for other specific subject issues and risk areas when you provide periodic training.