Training, Training, Training—The First Line of Defense When it Comes to HIPAA Compliance

By: Kelli Carpenter Fleming with Burr & Forman

When it comes to HIPAA compliance efforts, the first line of defense in ensuring that protected health information is secured appropriately and compliantly is training your practice’s employees. More often than not, when an inappropriate use or disclosure of protected health information occurs, it is because an employee made a mistake. For example, the employee may have faxed the information to the wrong patient, or released records before confirming that an authorization was on file, or clicked a link in an e-mail opening the door for bad actors to gain access to the system. One way to prevent these mistakes is to train your employees on HIPAA compliance efforts, as well as easy, practical steps they can take to prevent such mistakes. However, a lot of physician practices, especially smaller ones, do not routinely train their employees on HIPAA compliance efforts. 

HIPAA training should not occur in a silo. While employees should always be trained upon hire, they should also be trained periodically thereafter. I recommend that clients conduct routine, formal HIPAA training at least once a year. I also recommend implementing less formal monthly HIPAA reminders to ensure that HIPAA remains on the forefront of everyone’s minds. In addition, if an unauthorized use or disclosure occurs, the practice should conduct training related to that incident, at a minimum for the employees involved. If a policy or procedure is changed, training should also be conducted on the revised policy or procedure. 

Whenever training is conducted, whether internally or externally, the training must be documented. The documentation should include the date the training was conducted, the employees that were trained, the topics discussed, and a copy of any training materials that were utilized. This documentation becomes extremely important if there is a breach incident or an investigation by OCR.

All physician practices should strengthen their first line of defense when it comes to HIPAA compliance by ensuring that their employees are properly and periodically trained. 

Kelli Fleming is a Partner at Burr & Forman LLP and practices exclusively in the firm’s Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or
