Mutual Matters

HIPAA Enforcement, Training Requirements, Tips, and Resources

Posted by Becky Lowman, MBA, RD, LD, CPHRM, CPPS on Dec 13, 2018 2:19:32 PM

In 2003, the Office for Civil Rights (OCR) began enforcing the HIPAA Privacy Rule, and in 2009 it began enforcing the HIPAA Security Rule. The number of complaints OCR receives and investigates has risen steadily every year. Since 2003, OCR has received 186,453 HIPAA complaints, initiated 905 compliance reviews and resolved 96% of these cases. As a result of these complaints, OCR has imposed civil monetary penalties on violators totaling $79 million.[1]

Hospitals, private practices and outpatient facilities have been the most common types of covered entities required to take corrective action.

The compliance issues OCR most often investigates are:

  • Impermissible use and disclosure of protected health information (PHI)
  • Lack of safeguards of PHI
  • Lack of patient access to PHI
  • Lack of administrative safeguards of electronic PHI
  • Use or disclosure of more than the minimum necessary PHI

Workforce Training

Workforce training is central to HIPAA compliance and risk mitigation: both the HIPAA Privacy Rule and the Security Rule impose workforce training requirements.[2]

Privacy Rule Training

A covered entity is responsible for ensuring that every member of its workforce, new and existing employees alike, receives training in its HIPAA privacy policies and procedures. If your organization uses contract employees who come into contact with PHI and routinely work on the premises, they should receive the same HIPAA training. The Privacy Rule also requires your organization to maintain documentation that the training has taken place.[3]

Although the Privacy Rule does not specifically require annual training or prescribe a length of training, annual training is recommended because the risk of a privacy or security violation keeps rising and the liability attached to a violation has increased.

Security Rule Training

The Security Rule requires security awareness training for your workforce, because employees generally pose the most significant risk to your organization's security. This training should be updated periodically to reflect changes to the Security Rule, and whenever your organization introduces new or upgraded hardware or software that affects security.


Topics: HIPAA and Cybersecurity
