HIPAA privacy education: Start with defining policy

Strategies lead to sound education practices

HIPAA may sound like a made-up children’s word, but this funny-sounding acronym has serious implications for heath care organizations. Proposed revisions to the Health Insurance Portability and Accountability Act of 1996 were published in the Federal Register on March 27 of this year, and the new regulations regarding privacy standards become effective on April 14, 2003.

Violations of HIPAA are a major concern and can come with a stiff punishment. The criminal penalty for disclosing patient information without malicious intent is up to $50,000 plus one year in prison.

With the compliance deadline now less than a year away, many facilities are scrambling to put together some kind of HIPAA training program.

"When you read through [the regulations], so much of the information is buried in legal talk, and it’s hard to figure out what’s what and then design something that you then teach to different groups of staff," says a staff education director for a large urban hospital.

The challenge of preparing for HIPAA is that there are so many different aspects — privacy, security, transaction standards, code sets — that it’s difficult to know where to begin. For most, patient privacy and information security issues will the biggest task to tackle.

"In terms of education, it really is quite broad," says Debbie Mikels, corporate manager, confidentiality, for Boston-based Partners Health Care System. Partners has more than 30,000 employees in its network, which includes Brigham and Women’s Hospital and Massachusetts General Hospital, its founding members, and Dana-Farber/Partners CancerCare and Harvard Medical School.

Network members adapt centralized processes

With an organization the size of Partners, education is not something that is left until the last minute, Mikels says. To meet the challenge of establishing education protocols for all the affiliates in the Partners network, Mikels and her team have worked to design centralized processes and procedures that different members of the network can adapt to best suit the needs of their own facility. This is a challenge, because the facilities have very different cultures, she says.

Mikels has designed core training slides outlining what every employee needs to know. This training includes such topics as:

  • What is HIPAA?
  • Why is privacy important?
  • How HIPAA impacts patient rights and impacts employee responsibility
  • What to do in case of a breach

Then she breaks down training depending on the needs of each department, such as finance, medical staff, research, nursing and patient care services, and admitting.

Partners also has conducted privacy awareness campaigns at its different entities. To make access to the information easier, much of the information is included on an intranet site. Partners Health also has a corporate privacy officer who outlines privacy policy for the company and its entities, which also have privacy officers.

"The key is to first identify what your policies and procedures are and begin educating around that," Mikels says. "Hospitals have been conducting confidentiality training for years." Attitudes toward privacy are pretty well ingrained at most facilities, she says. But HIPAA goes a step further.

"When you tell people they have to keep patient information private, of course people are going to say yeah, yeah, yeah,’" says Mikels. "But if you go out and observe, you’ll start to see breaches. And that can happen even in the best facility. There’s always an opportunity to increase awareness and change people’s behavior." She stresses that clinical staff need education to increase awareness, and that changing the culture of a facility takes time.

"Policy needs to come before education," says Chris Wierz, RN, MBA, vice president of HIPAA services for Houston-based Healthlink, a health care consulting firm. "The problem is that people try to teach before they define what their organization’s policy and procedures are. The biggest challenge is trying to educate a work force that thinks it knows everything about privacy to begin with."

But Wierz says this is a different level of privacy. She advises telling people not to think information is being taken away, but just to think of it as a better way of protecting patient information. "It’s just another level of security that eventually will become second nature."

"Everyone needs to know the basics. But someone who works on the janitorial staff doesn’t need to know about code sets. They do need to know that if they find a piece of paper with personal information in it, they should put it in one of the containers of paper to be shredded."

Computer-based training is important, especially when dealing with such volume. Mikels says people need to be able to have convenient access to the information. "Physicians and nurses like on-line education," she says. "Physicians don’t have time at work, and very often want to work on their own from home."

In a recent presentation, Mikels outlined some of the privacy training need-to-knows. Some of the myths about privacy training include:

  • Every employee must receive one hour of privacy training annually.
  • Employees must complete a certification following privacy training.
  • The facility must require employees to certify training every three years.
  • Business associates and agents must be trained.

Content, frequency of training not specified

According to HIPAA, every employee must be trained with regard to protected health information "as necessary and appropriate for the members of the work force to carry out their function within the covered entity." But the content and frequency of the required training are not specified; nor is the nature of the training. This leaves the method of training and format pretty flexible. As long as each employee is trained no later than April 14 and new employees receive training in a reasonable period of time, the facility is covered. Retraining only is required in the case of a material or policy change by the health care organization.

"[HHS] didn’t want to be that prescriptive," she says. "HIPAA is all about reasonableness."

The health care facility must document that the required training has been provided. In her presentation, Mikels suggested that information provided in the documentation include names and titles of attendees, presenter, time, date, and topic addressed. She also suggested some sort of employee acknowledgement of the education.

Part of the proposed revision to HIPAA requires facilities to give patients a written notice of their privacy practices that explains how the health care facility is permitted to use the patient’s medical information. The notice also explains the patient’s medical privacy rights. Facilities will be required to have patients verify in writing that they received the notice.

"Go back and look at similar types of programs you’ve had to implement, and use that as a model for HIPAA regulations," Wierz says. "Use real- life examples. Be realistic and don’t panic. It’s an issue of reasonableness, which needs to be part of education."

Need More Information?
  • Debbie Mikels, Corporate Manager, Confidentiality, Partners Healthcare System, Boston. E-mail: dmikels@partners.org.
  • Chris Wierz, RN, MBA, Vice President of HIPAA Services, Healthlink Inc., Houston. Web site: www.healthlinkinc.com.

HIPAA Education Resources

For more information on proposed HIPAA changes and educational resources, visit:

  • www.hhs.gov/ocr/hipaa/ — This government site outlines the original HIPAA regs as well as the proposed changes, background, general information, and additional administrative sites.
  • www.ahima.org — The web site for the American Health Information Management Association.
  • www.hipaadvisory.com — An on-line resource sponsored by Phoenix Health Systems that offers the latest HIPAA news, regulation information, and education opportunities
  • www.mahealthdata.org — The web site for the Massachusetts Health Data Consortium, an organization created "for the purpose of developing, collecting, analyzing and disseminating health care information to improve the health and health care of the region." This is a good source of general HIPAA-related information.

Audio conference tackles HIPAA privacy concerns

The recently released final privacy rule under the Health Insurance Portability and Accountability Act (HIPAA) makes significant changes to the existing regulations.

To help you and your staff prepare, American Health Consultants offers HIPAA’s Final Privacy Regulations: What You Must Know to Comply, an hour-long audio conference on Dec. 4, 2002, from 2:30-3:30 p.m., Eastern time. You'll learn detailed information on changes to the privacy rule, as well as practical methods to implement new procedures within your facility. Also learn how to successfully manage privacy issues with business associates, and how to spot and avoid costly HIPAA violations. Do you know what your enforcement priorities are? Do you need real-world examples? Our expert speakers, Debra Mikels and Chris Wierz, BSN, MBA, will help you understand your responsibilities and identify potential liabilities.

The cost of the conference is $299, which includes free CE or CME for your entire staff, program handouts, and additional reading, a convenient 48-hour replay, and a conference CD. Don’t miss out. Educate your entire facility for one low price.