Effective Compliance with HIPAA Requires More Than Initial Training
By David Barmak, JD, CEO
Although your facility has a HIPAA Privacy training program, there are a number of reasons you should consider holding both a refresher course for those already trained and sessions for staff hired after the original training program. Your budget may be tight this year, but money spent on training is assuredly less than the cost of questions raised as a result of the State Department of Health’s survey, which includes compliance with privacy items, or of a potential investigation if a complaint is made with the Department of Health and Human Services’ Office of Civil Rights.
If litigation were to arise as a result of a physical injury to a resident in a nursing home or residential care/assisted living community, the resident’s attorney could also make a breach of privacy claim based on how information was handled. In this hypothetical case, the expected baseline of compliance with privacy will be HIPAA rules and regulations. If the facility can’t prove that it met the minimum standards required by the federal HIPAA law, then a jury might find that the facility did not adequately protect the resident’s privacy. The jury will then have to decide if the breach of privacy is compensable.
The most effective way to defend a facility would be to have the Privacy Officer get on the stand and say that the facility met the minimum guidelines required by HIPAA and perhaps more. HIPAA requires effective protection of resident privacy. Clearly, that requires ongoing training. But if the Privacy Officer can attest to ongoing training, updating policies and procedures, using an outside consultant/lawyer to ensure compliance through periodic (even annual) auditing, and monitoring by the staff on a periodic basis (in between the annual audits), then it is likely that a jury, even if it finds there has been a breach of privacy, will find not a reckless approach to protecting the resident’s privacy but a concerted effort to protect privacy, and that “mistakes happen.”