HIPAA Training: A New Approach

A Case Study on Cloud-Based Training

HIPAA compliance training can play a critical role in preventing data breaches.

"I believe at least 50 percent of all breaches could have been prevented if the folks who were the cause of the breaches had been given effective training, in addition to ongoing awareness reminders," says security specialist Rebecca Herold, partner at the Compliance Helper and CEO of The Privacy Professor consulting firm.

But finding a cost-effective training approach that yields good results can prove challenging.

MedData Inc., a medical billing company that was using a costly in-person approach to training that was proving ineffective, turned to a cloud-based approach that's saving money while improving compliance.

The Brecksville, Ohio-based company, which has thousands of employees scattered across the United States as well as other nations, including India, is using an online training platform from Mindflash.

The billing company developed its own training content - which includes modules on compliance, and HIPAA security and privacy - that's managed by the Mindflash system. "We have a HIPAA compliance plan that gets dumped into Mindflash, which turned a manual process into an automated process that can be updated and tailored," says Brenda Brown, director of compliance audits and education at MedData. The material includes slides, surveys and tests, she says.

"Previously, I'd have to go out to all our different sites and do the training, and we'd still be unsure if people understood the material and whether they'd execute it based on the training," she says.

Now employees at all locations are able to log into the training courses at their convenience, including from home. And the company can better track their understanding of the material, Brown says.

Early Training

New employees now take the online training before they even begin their jobs at the company, Brown says. Meanwhile, current employees - from call center workers to department directors and even the president of the company - take the HIPAA training yearly to stay fresh on HIPAA compliance, including issues that might come up infrequently. "We don't want them to lose their knowledge," she says.

The training is a requirement for all workers, regardless of whether they are full-time, part-time, interns or seasonal workers, she says.

Before implementing the cloud-based training, MedData workers had a 5 percent error rate, meaning an average of about 5 percent of employees were making HIPAA-related mistakes, Brown says. Now, those mistakes are rare and there have been no breaches since implementing the system, Brown says. "This is a risk management issue," she says.

The company has seen a drastic reduction in security incidents, such as employees sending unencrypted PHI in e-mailed reports, she says.

Common Problems

Indeed, breaches involving workers sending unencrypted sensitive data via e-mail have been a problem for many other organizations, including MNsure, the state health insurance exchange in Minnesota.

In a September incident that happened before the insurance exchange even launched for open enrollment under the Affordable Care Act, a MNsure worker mistakenly attached a document containing private information on 2,400 brokers and agents to an unencrypted e-mail sent to two individuals who were not authorized to view the information (see: Exchange Breach Triggers State Review).

Minnesota's legislative auditor, who investigated the incident, pinpointed a lack of sufficient worker training (see Auditor Analyzes Minn. Exchange Breach).

Insufficient HIPAA training has also been cited by the Department of Health and Human Services' Office for Civil Rights in a few HIPAA breach investigations and resolution agreements. That includes a $1.7 million resolution agreement with the Alaska Department of Health and Social Services in June 2012, which, among other things, cited incomplete security training for department workers (see: Alaska HIPAA Penalty: $1.7 Million).

Training Mandate

"HIPAA training is a federal requirement; we want to know our employees are abiding by HIPAA's rules," Brown says.

To help with HIPAA Omnibus Rule compliance, Brown sent an e-mail blast via Mindflash to the entire workforce to alert them that they needed to go into a module for an update on HIPAA practices. "I can share this information instantly," she says.

The system also provides accountability by showing whether employees are skipping through the training material. Benchmarks have been set for how long it usually takes to view a set of slides, so if someone spends 10 minutes viewing a set of slides when the average time for a newcomer is 30 minutes, Brown can follow up with the worker. A test at the end of each module determines how well the employee understands the material.

The training also helps employees better understand how HIPAA fits into their role at the organization and their workflow, she says.

Analysis of the testing can also show Brown if there are areas of the training that need to be improved or better explained. For instance, if certain sections of the training result in much lower test scores, the company can work to improve the content, she says.

Besides allowing the training and testing to be documented in employees' HR files, the system allows Brown to create "clean charts and pie graphs" for weekly operational meetings to discuss compliance issues, including the outcomes of training. "If someone walked in and asked me how many people took training, and how they did, I can provide that information," she says.
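The two checks this section describes (flagging workers who spend far less time on a slide set than the benchmark, and spotting sections where test scores are low enough to suggest the content needs work) can be run over exported training records. The example below is added here and is not MedData's or Mindflash's code; the record format, the 50 percent time threshold and the 70 percent score threshold are assumptions, and the data is constructed.

```python
from statistics import median

# Constructed sample LMS export (not real MedData or Mindflash data): one record per
# employee per module section, with minutes spent on the slides and the test score in percent.
RECORDS = [
    {"employee": "E001", "section": "privacy", "minutes": 31, "score": 90},
    {"employee": "E002", "section": "privacy", "minutes": 28, "score": 85},
    {"employee": "E003", "section": "privacy", "minutes": 9, "score": 55},
    {"employee": "E001", "section": "security", "minutes": 25, "score": 80},
    {"employee": "E002", "section": "security", "minutes": 30, "score": 60},
    {"employee": "E003", "section": "security", "minutes": 27, "score": 50},
]


def flag_skimmers(records, fraction=0.5):
    """Return (employee, section) pairs whose viewing time is below `fraction`
    of the median time spent on that section.

    The median of all learners stands in for the per-section benchmark the
    text describes; the 0.5 cut-off is an assumed threshold.
    """
    minutes_by_section = {}
    for r in records:
        minutes_by_section.setdefault(r["section"], []).append(r["minutes"])
    benchmarks = {s: median(m) for s, m in minutes_by_section.items()}
    return sorted(
        (r["employee"], r["section"])
        for r in records
        if r["minutes"] < fraction * benchmarks[r["section"]]
    )


def weak_sections(records, min_avg_score=70):
    """Return sections whose average test score falls below `min_avg_score`,
    i.e. the content that may need to be improved or better explained."""
    totals = {}
    for r in records:
        total, count = totals.get(r["section"], (0, 0))
        totals[r["section"]] = (total + r["score"], count + 1)
    return sorted(s for s, (total, count) in totals.items() if total / count < min_avg_score)


if __name__ == "__main__":
    print("follow up with:", flag_skimmers(RECORDS))   # [('E003', 'privacy')]
    print("sections to review:", weak_sections(RECORDS))  # ['security']
```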

Customized Content

The training content can also be modified to accommodate privacy regulations that differ from state to state.

While employees are using the training modules, they can also submit questions to Brown via e-mail about content they don't understand. "I can also keep track of how many times a similar question is asked so that we can improve the product," she says.

MedData expects to substantially cut its training costs by using the cloud-based approach. For example, it's eliminated many travel expenses for Brown, who formerly conducted the in-person training, as well as lost productivity of workers who had to go to live training sessions. The billing company plans to use the cloud platform for other training, including ICD-10 coding, next year.

But organizations that use online training need to make sure the quality of the content is up to par, Herold stresses. "Make sure whatever online training method you use actually will result in increased learning of the participants."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
