It is common for covered entities and business associates to train employees at hire and (at least) annually. What’s not as common is including other parties in the organization’s HIPAA training program. Contracted staff, temp/agency staff, volunteers, board members, and students can be considered part of an organization’s workforce – meaning, they need to be trained on HIPAA. And, during the pandemic, many providers have expanded the types of individuals that are part of their team.
Students shared PHI on senior project Zoom
In July, the Delaware Division of Developmental Disabilities Services (DDDS) experienced a breach when four University of Delaware students shared the PHI for 250 DDDS clients as part of a senior project. The project used geomapping to find service gaps for DDDS recipients. The students were given demographic and geographic data for DDDS recipients, plus disability status – but the information was not de-identified. DDDS learned of the breach when the students shared the PHI during a Zoom presentation about the data.
What you can do
- Routinely evaluate who is working on your behalf and determine who needs training. Don’t forget students, volunteers, contractors, and the Board. Provide all of these individuals with HIPAA training relative to the job they are doing for you.
- Make sure your training teaches your workforce how to recognize breaches, how to report them internally, and who to report them to.
- Don’t forget training on appropriate social media use (this is especially important during a national emergency).
- Think beyond your workforce. Who has access to PHI? Have you done your part to help them understand HIPAA? We might think someone else (like a university, contractor, or staffing agency) is responsible for HIPAA training. And sometimes that is the case – but if you have a breach, you will be held responsible. It is often in providers’ best interests to provide this training as well.
MPA can help