How to Make Your Employees Advocates of HIPAA Compliance
_{September 19, 2018}

Aside from hefty fines and imprisonment, damage to reputation and possible social and psychological effects result as a consequence when employees impermissibly use their access to protected health information for malicious self-gains. The threat to patient privacy is not only from the outside like those caused by ransomware criminals and hackers but also those that roots from the inside.

Remember the case of Lane Miller, a nurse at the Mercy Health Love County Hospital and Clinic in Marietta, Oklahoma? In conspiracy with Robert Bond, Miller pleaded guilty to stealing medical records and committing aggravated identity theft. This case of Miller was punishable by up to two years imprisonment and a $250,000 penalty. Bond, on the other hand, faces 20 years or more in imprisonment. Then there is Shaniece Borney, ex-employee of NHC Health Care who pleaded guilty as well for a credit card fraud using her access at the nursing home to steal credit card information which she later used to purchase items for herself and her family. She now faces 10 years of imprisonment and a $250,000 fine.

Insider threats could take several forms and initiated for a variety of reasons. We can group these threats as:

1. Malicious Threats which refers to the deliberate or intentional attempt by an insider e.g. employee to access and potentially harm an organization’s data, systems, or IT infrastructure; and
2. Accidental Threats which refer to situations in which damage or data loss occur as a result of an insider who has no malicious intent. Poor or inadequate awareness or training could lead to this kind of threat especially when we speak of your facility’s or your practice’s employees or the workforce.

Needless to say, it is essential that your organization cultivate a culture of integrity, trust, and compliance amongst the members of your workforce and organization as a whole. But how exactly do we turn HIPAA compliance passive employees to an active one? We thought of these basic methods on how to achieve this culture of compliance within the organization.

1. Comprehensive & In-depth Applicant Screening and Evaluation Process

Part of human resource’s hiring process is screening the potential team members of the organization. The screening process should involve background checking (character/criminal, employment, and credit history), psychological tests and in-depth assessment through job interviews (one-on-one, panel, video).

Even before you let someone work in your organization, it is vital that you fully and thoroughly assess not only their capacity to perform the role but also the work ethic and work attitude as well as mental state of the potential candidate in assuming the role and working as part of the organization.

But this is not a full-proof method as you can hire an ‘ideal’ candidate but once they are inside already, working in the organization, changes take place and the threat is still there – tempting them to do what they are not supposed to do. Thus, you need to further your initiatives on creating that culture of compliance.

2. Employee Recognition

Your workforce should feel appreciated and respected every day at work. For every initiatives and effort they show on complying not only on HIPAA regulations but also with the whole organization’s policies and procedures, they should be rewarded even in simplest ways. Thank you notes go a long way of saying that you value those efforts. Give away ‘certifications’ and recognition for being a “HIPAA Champion” or “HIPAA Heroes”. Have a look at these amazing certificates you can easily download and print for your employees who exhibited exemplary actions towards HIPAA compliance.

Then during team meetings, introduce the HIPAA Heroes of the month and share with the rest of the department how this effort is well-appreciated by your organization.

3. Employee Empowerment

Ensure that your employees receive adequate orientation and awareness on privacy and security standards and rules being implemented in your facility or practice in compliance with HIPAA laws and other federal mandates. Ensure that in the contracts of your employees, these training are mandatory and should be attended as well as completed in time. Make these training dynamic, progressive and regular.

Ensure that every workforce understands the repercussions of violating these mandates especially if done deliberately. Not only that they could get imprisoned and fined huge amounts of money, involvement in these violations could hamper future employment, damage their reputation and cause emotional, physical and psychological stress as well.

HR or team managers could conduct surprise or scheduled talks with their team members and have either a formal or a casual discussion about how they feel about these privacy and security policies and procedures, how they think they can take an active role in maintaining the implementation of those policies and procedures, what they think would be the best methods the department or organization can do to ensure everyone is aligned with the goals set by the company in relation to the compliance of these rules and standards. In short, brainstorm and get the views of your teammates about all of these. You will definitely get some insights on what your employees would be able to share during these small talks that can help in strengthening everyone’s drive to full HIPAA compliance.

Ensure that aside from these privacy and security awareness training, technical know-how and some basic knowledge on cyber-crime and data breaches prevention, detection, and reporting training must also be provided to your facility’s workforce.

Everyone should be made aware that ignorance of the law excuses no one. It is everyone’s responsibility and it is but ethical to learn, know and follow HIPAA rules and protect patient’s health and medical information privacy and security.