The HIPAA Security Rule outlines detailed regulations for IT compliance, but it doesn’t specify exact methods for complying with the rule. The lack of step-by-step guidance can be a hurdle for health system physician managers seeking concrete ways to train personnel for compliance, especially when it comes to technology use.
Fortunately, ensuring your physicians comply with HIPAA may not be as hard as it seems. As long as your health system has adequate HIPAA safeguards in place, your physicians should only need to focus on the key HIPAA mistakes for which they could be responsible.
Making sure training focuses only on what physicians need to know saves trainers time, and it increases physician engagement. Physicians will pay attention more closely during training because every point facilitators make will relate directly to them and to their clinical work. More importantly, they will be more willing to participate because they recognize that training is using their time wisely.
Here are five key areas on which physician HIPAA security rule training sessions should focus:
#1: Remote Access to the EHR
Physicians often get bogged down in documentation during the workday, so they may be accessing the electronic health record (HER) from home to catch up on those responsibilities. If they are not accessing the EHR the right way, however, they could be setting your healthcare system up for a security breach. Provide guidance to physicians on how to appropriately access the EHR.
Here are a few more tips from the U.S. Department of Health and Human Services:
- Implement two-factor authentication for granting remote access, such as a password and a security question.
- Implement automatic session termination after a physician has signed in and has been inactive for some time.
- Install personal firewall software on all laptops that store or access electronic patient health information, or EPHI, or connect to networks on which EPHI is accessible.
- Prohibit physicians from remotely accessing the EHR, except in certain instances.
#2: Mobile Device Security and Controls
Lost or stolen devices, such as phones, laptops, and tablets, are one of the top sources of HIPAA security breaches. If physicians have patients’ protected health information on these devices, the device should be encrypted, password protected, and proper safeguards should be implemented, such as the ability to remotely wipe the device if necessary.
To drive the importance of mobile device security home to physicians, consider requiring them to sign a mobile device agreement that outlines the terms for appropriate use, and the consequences if a breach related to a physician’s mobile device arises. Also, make it clear to physicians that they must report lost or stolen devices immediately so that you can take steps (such as remote wipe) to decrease the likelihood that the data on the device will be inappropriately accessed.
#3: Appropriate EHR Access
Physicians are very aware of the privacy rules and their responsibilities regarding keeping patient information confidential. Part of that requires that physicians only access patients’ protected health information if they are directly involved in that patient’s care. But EHRs can make this more complicated because of the ease with which physicians can navigate the system.
Stress to physicians that they should only view records within the EHR of the patients they are involved in treating. To further ensure that no physicians or staff members are violating this rule, consider implementing user access controls that determine what areas of the EHR physicians and staff might be able to access. Also, make it clear to physicians that you will be auditing their EHR use to ensure that nothing is amiss.
#4: Texting and Email Guidance
Texting and email are so easy and convenient that some physicians may send a text or email that contains protected health information to a patient or physician colleague without a second thought. Your health system likely has (if not it should have) email security controls in place, as well as security controls on the mobile devices that physicians use for patient care. But it’s best to err on the side of caution during training.
Drive the message home to physicians that, whenever possible, they should avoid sharing protected health information via text or email. Point out safe alternative communication options, such as secure messaging through your health system’s patient portal.
#5: Social Media Guidance
The majority of physicians in your health system are likely involved in at least one social media network, and many may be on multiple channels, such as Facebook, LinkedIn, and Twitter. Make sure physicians know what is appropriate to share on social media, and what is not. Stress that physicians should keep their social media pages private.
For example, physicians should likely avoid any requests to “friend” patients. Also address rules regarding physician blogging, as some of your physicians may already be doing this. Make sure that physicians are using a blog appropriately, and not as an outlet to provide health guidance to patients. In essence, have a social media policy in place, and review it during training sessions. To view the AMA’s social media policy, visit www.ama-assn.org/ama/pub/news/news/social-media-policy.page.
Bottom Line
This is by no means an exhaustive list of items to cover during physician training sessions. Review the HIPAA Security Rule to identify the most critical training areas for your organization. Also, document any training sessions held, as well as who attended. In the event that a breach does occur, documentation of training may help demonstrate due diligence, and therefore, reduce the penalties your organization will experience as a result of the breach.
