Generally, HIPAA compliance for nurses is considered to mean adhering to policies and procedures developed by an organization’s HIPAA Privacy Officer and applying the best practices of security awareness training provided by an organization’s HIPAA Security Officer. However, sometimes it is necessary to do more than provide basic training to help nurses work compliantly.
Under the Administrative Requirements of the HIPAA Privacy Rule, Covered Entities are required to implement policies and procedures with respect to Protected Health Information that are designed to meet the requirements, standards, and implementation specifications of the HIPAA Privacy and Breach Notification Rules. Thereafter, Covered Entities are required to train all members of the workforce on the policies and procedures “as necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity”. The training should include details of the sanctions that apply when a nurse violates HIPAA.
Additionally, under the Administrative Safeguards of the HIPAA Security Rule, all members of the workforce must participate in a security awareness and training program. Both Covered Entities and Business Associates are required to provide this training, plus send members of the workforce periodic security reminders.
So, should nurses have to worry about HIPAA compliance as long as they adhere to their organization’s policies and procedures and apply the best practices of security awareness training? Unfortunately, yes, because it is not always possible for organizations to train nurses on everything they need to know to work in compliance with HIPAA.
The Primary Issue with HIPAA Training for Nurses
The primary issue with HIPAA training for nurses is that there is a lot for nurses to learn. As well as understanding what Protected Health Information (PHI) is nurses have to be aware of when PHI can be used or disclosed in a manner permitted by the HIPAA Privacy Rule, when a patient should be given an opportunity to agree or object to a disclosure, and when a patient authorization is required.
Additionally, nurses have to know what the Minimum Necessary Standard consists of, what to do in the event of an incidental disclosure of PHI, and the policies and procedures for patients who wish to exercise their access rights to PHI or request an accounting of disclosures. Then there are policies and procedures for reporting a HIPAA violation or impermissible disclosure of unsecured PHI. Absorbing and applying all this information – not to mention the information included in security awareness training – is asking a lot of nurses, especially as they may also have to undergo Medicare training, FDA training, OSHA training, emergency preparedness training, discipline-specific training, and/or training on state and local laws that preempt HIPAA or other federal regulations.
What exacerbates this issue is that Covered Entities are only required to provide HIPAA training for nurses when a nurse first joins the workforce or when there is a material change to policies and procedures. If there are no material changes to policies or procedures, a nurse could work for years in a healthcare facility without ever receiving HIPAA refresher training.
Why HIPAA Compliance for Nurses can be a Problem
In addition to the volume of information nurses have to absorb, and the lack of mandated refresher training, the pressures of work can affect how well nurses are able to comply with HIPAA policies. Patients’ behaviors – or those of emotionally evocative family members and friends – can influence how nurses respond in stressful situations, including those covered by HIPAA.
In such situations, it is understandable that a harassed, busy, or upset nurse may disclose more than the minimum necessary PHI or fail to “exercise professional judgment [if] a disclosure is determined to be in the best interests of the individual.” Although these situations are more likely to occur in emergency care, they can happen in any healthcare setting.
It can also be the case that the pressures of work result in shortcuts being taken “to get the job done”. These could be shortcuts as seemingly innocuous as sharing login credentials to an EHR or using a personal mobile device to communicate PHI. Still, these are HIPAA violations that could cause harm, and – if allowed to continue – non-compliance can deteriorate into a cultural norm.
These stressors – and nurses’ responses to them – are events that take place every day in healthcare facilities across the country, but it is not sufficient to accept they happen and allow them to go unaddressed. Failings in HIPAA compliance for nurses can damage patient trust and undo some of the provable benefits of HIPAA compliance in healthcare facilities.
How to Overcome the Problem of HIPAA Compliance for Nurses
The way the HIPAA compliance problem for nurses can be overcome is for Covered Entities to provide online HIPAA refresher training for nurses, who can take the training when time allows. Many online HIPAA training courses come in small, easy-to-digest modules so the volume of information provided per training session is not overwhelming. Providing HIPAA training for nurses in this format not only has the advantage of keeping HIPAA compliance for nurses “front of mind”, but also demonstrates a good faith effort by a Covered Entity to run a compliant operation if the organization is investigated for a HIPAA violation or a breach of unsecured PHI by HHS´ Office for Civil Rights.
The post HIPAA Compliance for Nurses appeared first on HIPAA Journal.