There has been a lot of talk about all the HIPAA breaches occurring and how costly they can be for the affected organizations, as well as dangerous for the affected patients. It is so serious that there is even a HIPAA rule dedicated to it (the HIPAA Breach Notification Rule), which says what organizations should and should not do after a healthcare data breach that compromises PHI (protected health information). There are mainly two types of breaches – external and internal. While organizations cannot always prevent external breaches, most internal ones can be prevented. Let’s look at some recent breaches that came from the inside and how HIPAA training for employees can reduce how often they occur.
Some recent internal incidents
Employee fired for inappropriately accessing patient records
Pennsylvania-based Geisinger Wyoming Valley Medical Center (GWVMC) detected that one of its employees had been inappropriately accessing patient records for a long time without any valid reason. GWVMC detected the breach on March 20th, 2020 and immediately started to analyze the incident. It found that the employee was authorized to view patient records as part of their job responsibilities, but had accessed over 800 patients’ records without any valid reason from July 2017 through March 2020 – almost 3 years! The PHI inappropriately accessed included, but was not limited to, names, addresses, phone numbers, DOB, medical conditions, medications, and test results.
After conducting a thorough inspection, GWVMC found no proof that the records had been accessed for nefarious purposes. Nevertheless, the provider offered the affected patients complimentary credit monitoring and ID theft protection services. Needless to say, the employee was terminated for this negligence.
This case shows that even long-serving employees need retraining on the dos and don’ts of accessing PHI. Training on the consequences of improperly accessing PHI (which include termination) could have prevented the case. While there can always be exceptions, providing retraining shows that the organization went the extra mile to prevent such occurrences.
Employee forwarded PHI without authorization
On March 25th, 2020, Michigan-based PsyGenics detected this incident during a regular security check. An employee had forwarded an email with a spreadsheet attachment containing PHI to their own account without any valid reason or authorization. The spreadsheet included names, appointment schedules, and provider names, but it did not contain clinical information or treatment notes. While PsyGenics did not provide details of its response, it did confirm that it notified the affected patients (the number was not disclosed) as well as the necessary regulators.
Providing training (and retraining) on PHI access should be a priority for organizations, and the serious consequences of misusing PHI should be the highlight of that training.
A breach affected 74,000 individuals
Arizona Endocrinology Center faced a unique case. A former physician, while leaving the organization for another one, downloaded basic patient information from the medical records – names, phone numbers, and assigned doctors were all collected. Arizona Endocrinology Center found out about this when patients complained about receiving texts informing them that the physician had moved to a new practice.
While this is a unique case, it is a breach nonetheless. After this incident, training should be provided to the healthcare professionals at Arizona Endocrinology Center that conveys what is allowed and what is not, and that this action, while unusual, is unethical and considered a breach.
HIPAA training for employees – to sum it up
These are neither the first internal breaches to come to light, nor will they be the last. Internal breaches are as common as external ones, and they occur for a variety of reasons. Employees snoop on patient records or inadvertently access them without authorization because they do not understand the gravity of the situation.
As mentioned, organizations can retrain their employees, if necessary, on why inappropriately accessing patient records is punishable by law. Employees need to understand that they cannot misuse the access given to them – after all, it ultimately costs them their jobs. HIPAA training for employees is therefore crucial. But given the complexity of HIPAA, how can organizations ensure compliance and prevent such incidents?
HIPAA training for employees made easier
HIPAA compliance itself is an arduous task. Organizations have to ensure that they follow the rules and regulations to the letter. On top of that, internal breaches incur costs: investigations, notifying affected patients, terminating employees, hiring replacements, and retraining everyone on the consequences of noncompliance.
However, HIPAA compliance can be made easier with HIPAAReady. It is a robust HIPAA compliance software that reduces the administrative burden. You can easily report incidents and conduct internal audits to detect vulnerabilities and address them. HIPAAReady also makes training management and scheduling easy: provide training on new changes in the HIPAA rules as well as retraining on sensitive topics like preventing internal data breaches, making HIPAA training for employees easier and more informative. Keep all your HIPAA information in a centralized location so that everyone stays on the same page. Try HIPAAReady now and learn how it can simplify HIPAA compliance and remove the administrative burden.