As noted by Vogt (2005), The Health Insurance Portability and Accountability Act (HIPAA) privacy rule can be complex and somewhat confusing for some employees. Training employees is a requirement under the HIPAA privacy rule, but some employees do not retain all the components of the training. A useful approach is to develop specialized guidelines and tools. Training employees is a requirement under the HIPAA privacy rule, but some employees do not retain all the components of the training. It is especially difficult, if not impossible, for employees to remember complex rules regarding when written authorization is required, unless they frequently exercise those rules in the course of performing their job duties.
As noted by Vogt (2005), a useful approach to teach staff of these laws is to develop specialized guidelines and tools. These can be made widely available on the organization's Intranet site; a special HIPAA or privacy Web site is a great distribution and storage method for these types of tools. When staff are faced with a non-routine issue, these tools can be very valuable in helping them identify the compliant method for handling the situation.
There are a lot of ways in which patients information can be spread and potentially violated. There are many medical professionals that come in to contact with this information that need to be aware of how to handle patients information with compliance.
A flowchart can make the navigation of these rules much simpler than a long, complicated policy statement. A similar flowchart defining the authority for minors' records can also be valuable (Vogt, 2005). I think also a simple flowchart can be used as a decision guide to help guide staff understand these requirements would be helpful to understand the main points of the rules of HIPAA.
A guidelines document in the form of questions and answers for varying circumstances can be very useful in increasing staff confidence in exercising those allowances (Vogt, 2005) This could also be presented in a video where certain scenarios are acted out, this might be a good way for employees to have a better understanding of the guidelines of HIPAA and its intricate details. As noted by Vogt (2005), questions directed to the privacy officer can be a wonderful source of continuing education for other staff. If it is possible to develop intranet functionality to allow staff to post questions, and to allow the privacy officer to respond, the encounter may be posted for all staff to view in the future as needed. It is important to be able to categorize the questions, so that staff can easily peruse the advice that is already available before posting a new question. If the web-based functionality is a constraint, posting a weekly spreadsheet that can be searched may also be an effective option. Include a link to the Office for Civil Rights FAQ. website.
Through effective training of employees through various methods, including documents, videos of trainings, and opportunities for questions and answers, confidentiality can be obtained. Although HIPAA and state privacy laws can be complex but by making decisional and educational tools widely available to staff, an organization will improve compliance with these regulations and will increase the comfort level of staff when performing their assigned job duties. This approach is a win for patients, employees, and health care organizations (Vogt, 2005).
And the importance of HIPAA
HIPAA Laws and Patient Privacy
The Office for Civil Rights enforces the
HIPAA Privacy Rule, which protects the
privacy of individually identifiable health
information; the HIPAA Security Rule,
which sets national standards for the
security of electronic protected health
Protection of patients
The Privacy Rule protects individually
identifiable health information from uses
and disclosures that unnecessarily
compromise the privacy of an individual.
The Rule is carefully designed to protect
the privacy of health information, while
allowing important health care
communications to occur.
Patients Profile and personal
Don’t talk to anyone about patients personal
information even though you may have a
relationship with that patient, their information
is private and you have a responsibility to
protect that information
Protect passwords, charts, and any
paperwork or electronic record that might
expose any personal information to any
Lock any unused computer for password
safety and confidentiality when unused
Q & A
Q: I work in a department that does not directly treat patients. Does HIPAA
apply to me? A: Yes, in that the University is a covered entity under HIPAA.
The extent to which HIPAA applies to your daily activities will vary depending
on the function of your department. If your students or residents treat patients
through affiliated hospitals and clinics, you need to ensure that they are
educated on how HIPAA affects them. If you have any health information
under your control that identifies a patient, it must be maintained according
to HIPAA, even if it is not original health information, such as when used for
education or research. If you do not have any type of patient information
anywhere in your department and are not exposed to it in any way (e.g.,
animal research, statistical analysis), then HIPAA will probably not affect
operations in your department.
Q: We refer our patients to various agencies in the city. How do I know if
another agency is covered by HIPAA? A: If they are a healthcare provider
that receives payment for services, and bills electronically for any portion of
payment, they are a covered entity and will need to comply with all HIPAA
regulations. If they don't meet the definition of a covered entity, they still need
to know about HIPAA because they will probably be dealing with
organizations like ours that are covered entities, which impacts how
information passes between the two organizations.
U.S. Department of Health and Human
Services. 2013. Health Information Privacy.
Vogt, N. (2005). Simplifying HIPAA for staff is
one way to ensure good decisions are made
about patient privacy. Journal of Health Care
Compliance, 7(5), 75-76. Retrieved from