In 2003, the Office of Civil Rights (OCR) began enforcing the HIPAA Privacy Rule. In 2009, OCR began enforcing the HIPAA Security Rule. Every year, there is a steady increase in the number of complaints received and investigated by the OCR. Since 2003, the OCR has received over 186,453 HIPAA complaints, initiated over 905 compliance reviews and resolved 96% of these cases. As a result of these HIPAA complaints, OCR has imposed civil monetary penalties on violators totaling $79 million.
Hospitals, private practices and outpatient facilities have been the most common types of covered entities required to take corrective action.
The compliance issues OCR most often investigates are:
- Impermissible use and disclosure of protected health information (PHI)
- Lack of safeguards of PHI
- Lack of patient access to PHI
- Lack of administrative safeguards of electronic PHI
- Use or disclosure of more than the minimum necessary PHI
Workforce training is the key to HIPAA compliance and risk mitigation. Both the HIPAA Privacy Rule and Security Rule have workforce training requirements.
Privacy Rule Training
Covered entities are responsible for ensuring that every member of their workforce (both new and existing employees) receives training in HIPAA privacy policies and procedures. If your organization has contract employees who come into contact with PHI and work routinely on the premises, those contract employees should also receive HIPAA training. The Privacy Rule requires that your organization maintain documentation showing that the training has taken place.
Although the Privacy Rule does not specifically require annual training or a specified length of time for training, annual training is recommended because of the increasing risks of a privacy or security violation and the heightened liability associated with a violation.
Security Rule Training
The Security Rule requires security awareness training for your workforce, because employees generally represent the most significant risk to your organization’s security. This training should be updated periodically to reflect any changes to the Security Rule, and whenever your organization introduces new or upgraded hardware or software that affects security.
Find out more about what should be included in training and some more action items to ensure compliance.