Even when provided with annual training, employees still fail their HIPAA assessments
A report from The HIPAA Journal, in collaboration with ComplianceJunction, indicates a significant shortfall in HIPAA compliance among health care staff. The data reveals that over 50% of employees in the health care sector failed their HIPAA assessments, highlighting a crucial knowledge gap in adhering to vital HIPAA regulations.
Notably, more than 80% of organizations provide HIPAA training only once a year or less, with the majority of staff (74%) receiving training annually—a practice considered "best practice." However, the high fail rates suggest the need for more frequent and comprehensive training sessions.
The top challenging areas for staff include HIPAA violation consequences (66% fail rate), HIPAA and social media (61% fail rate), computer safety rules (61% fail rate), and HIPAA in emergency situations (54% fail rate).
A survey of 245 health care sector employees revealed that one in 10 did not receive HIPAA training within their first three months of hire, a legal requirement. While 74% received annual training, 5% received training only once when starting their job. More than two-thirds (67%) of staff reported witnessing a suspected HIPAA violation within their workplace.
When asked about the main reasons behind HIPAA violations, participants cited lack of knowledge (35%), lack of care (31%), and lack of regular training (14%) as the top three factors, according to the report.
“It is the responsibility of the organization to ensure that their staff receive regular HIPAA training, so they feel confident in their knowledge and internal data breaches are minimized,” said Steve Alder, editor-in-chief of HIPAA Journal, in a statement. “Our findings paint a concerning picture of inadequate HIPAA training across the board from health care organizations, of which the consequences can be significant for staff, businesses and most importantly, patients.”
Alder pointed out that the majority of employees who work with PHI receive annual HIPAA training, and though that’s the minimum requirement, it may not be enough.
“Although there is no legal requirement to conduct training more often, it is strongly advised that organizations should run training as often as is necessary to mitigate the risk of a HIPAA violation or data breach,” Alder said.