Protected health information
After reading this article, you will be able to:
- Identify why HIPAA training is best individualized for different groups of staff members
- Discuss best practices for training staff members on HIPAA requirements
Training staff members on HIPAA is tough because two things are certain: You have to train nearly every staff member within your organization at least once annually, and you know they will hate every minute of it.
HIPAA may not be fun to teach, learn, or execute because of its complexity, but it needn’t be boring. It can be tolerable, and, if you’re good at your job, interesting and thought-provoking as well.
This requires some creativity on your part and investment by your organization, says Brandon Ho, HIPAA compliance specialist at Pacific Regional Medical Command and Tripler Army Medical Center, part of the Military Health System, in Honolulu.
“It essentially comes down to this: You can take care of things beforehand or you can spend your time mitigating a complaint, dealing with an HHS audit, or deal with attorneys and lawsuits,” Ho says. “You’re going to pay one way or the other.”
Custom training, not classic training
Tripler first contracted with Ho for his services when he was working for Bearing Point, Inc., in 2004. His first task was helping Tripler decipher the HIPAA security rule.
However, one year later, the increased weight of federal regulations, such as the privacy rule, convinced the Army that it needed Ho to serve as its full-time HIPAA specialist for the Pacific Region.
Ho now works primarily at Tripler, but he also oversees compliance operations at the 121st Medical Group in Korea and Camp Zama in Japan.
He took the job knowing that his ultimate challenge would be managing the training of more than 6,000 staff members without lulling them to sleep. He also wanted to buck the trend of training simplification (i.e., across-the-board training for all departments) because he knew it wasn’t the most effective way to educate staff members.
“People want a one-stop shop for all training, but I believe that is the biggest problem with training today,” Ho says. “The exact same booklet training or video training or classroom training shouldn’t be given to everyone. People have all different HIPAA concerns, and because of that, you need more focused training.”
That’s not easy when hospitals are cutting costs by not investing in training. But Ho sees firsthand how an alternative approach can make all the difference.
In most healthcare environments, the HIPAA specialist has other responsibilities and doesn’t have time to adequately train staff members. “People [pass HIPAA compliance training] over to others with other responsibilities all the time,” says Ho. However, Tripler’s investment in its compliance program means that Ho can focus on HIPAA compliance. “It allows me the ability to reach out and affect everyone,” he says. “For that, I’m very fortunate.”
So is Tripler.
HIPAA training that’s made to order
Many organizations are required to conduct HIPAA training annually, and some do so only during orientation. The material, sometimes updated with developments, often remains unchanged from one audience to the next.
Ho’s approach at Tripler is different. He has developed HIPAA training material specific to the approximately 30 departments within the post.
For example, Ho’s materials for nutrition specialists and psychologists don’t look or sound the same. “I ensure that the classes are germane to the students,” he says. “You don’t need to tell housekeepers about computer security.”
Ho waits for department heads to request specific training for staff members and is always ready to respond on short notice. He estimates that he conducts several hour-long training sessions each month.
Ho updates training materials whenever a regulation changes, and he maintains a running dialogue with department heads so he can incorporate solutions into specific training modules. “The funny thing about HIPAA is that people thought it would make things easier, but instead, it’s getting more challenging,” he says.
Department-specific training also provides staff members an opportunity to engage with the HIPAA expert in an intimate, unintimidating classroom environment.
“I leave plenty of time for questions because I know people will have them,” Ho says.
Training doesn’t stop when class ends
Because he focuses on HIPAA, Ho has time to devote to the subject beyond his classroom. He conducts routine audits and inspections to determine whether staff members are compliant. “We need to live compliance,” according to Ho.
Ho also offers weekly inservice training sessions. The session content is general, but it gives staff members an opportunity to take a HIPAA 101 refresher course.
Approximately 100 people attend each training session. This is an indication that people heed HIPAA’s importance—even if it’s more to avoid the Military Health System’s culture of punitive measures than to embrace the culture of compliance, Ho says. The punitive measures are real, and the Military Health System enforces the rules when people don’t take the rules seriously, he says.
HIPAA compliance is ripe with the potential for fines and jail time, says Patrice M. Jackson, RHIT, CHP, CCS, director of HIM and privacy officer at Tripler.
Staff members must attend at least one training session annually and the army tracks attendance with an online system. “And we do chase them down if we need to,” says Ho.
But that rarely happens. The army will not grant leave to staff members who don’t comply with the annual training requirement. “Plus, I send constant e-mail reminders that seem to irritate them,” says Ho. “When the Military Health System gives me responsibility, they also give me the authority to make sure it’s carried out.”
In addition to hour-long classroom sessions and inservice training, Ho employs another subtle approach— e-mail education blasts he calls HIPAA tips.
“He’s able to take a topic and train the reader in bite-size portion e-mails,” says Jackson.
Entertaining the masses
Ho was previously a history teacher at a parochial school in Hawaii. “His background was education and healthcare, and that’s where he’s made inroads,” says Jackson.
“I have experience taking material that’s boring and highlighting the interesting parts,” says Ho. He considers this a significant qualification for his current position, and he tries to inject a bit of comedy into his training sessions.
“I’m always trying to entertain them,” says Ho, adding that pop culture references have proven to be a successful way of doing so. “People always like to hear the lascivious details. So I talk about what happened to Britney Spears and Farrah Fawcett and the Octomom [Nadya Suleman], because whenever you talk about money and fame, people get interested.”
‘The HIPAA guy’
Staff members’ recognition of him as “the HIPAA guy” is the only validation Ho needs. “I know they know who to call when they need help,” he says. “That tells me that we’re not likely going to make the mistakes that will attract the [Office of Civil Rights}. That means everyone is doing their job.”
Jackson sees a change in culture and largely credits Ho for the success. “He is really the face of HIPAA,” she says. “He is relatable, and employees and patients alike are comfortable … speaking with him. As we all know, one of the keys to any compliance program is to solve issues at the lowest level possible, and Brandon is great at problem solving, too.”
Ho doesn’t confine his leadership role to the 40-hour work week. He ensures that everyone knows he’s accessible 24/7, because privacy doesn’t punch in and punch out on the clock.
Everyone has Ho’s office number, and his voice mail greeting includes his cell phone number. Rather than feeling annoyed by late-night telephone calls from staff members, Ho feels assured that their willingness to call him at any time is proof that protecting personal health information (PHI) is important to them. It’s all about being visible within the organization, he says.
“I honestly believe that management should take patient confidentiality and the protection of PHI serious enough that they’d consider an approach like this,” Ho says. “It has grown to more than just a medical records or IT issue; it’s part of the overall care for our patients.”
Adapted from Briefings on HIPAA, August 2009, HCPro, Inc.