How to Promote HIPAA Compliance in a Medical Office

Every member of the workforce who handles or works around medical records must receive training on compliance with the Health Insurance Portability and Accountability Act (HIPAA). Many healthcare organizations ask how employees can be encouraged to follow the HIPAA rules, and how HIPAA awareness and compliance can be promoted in the workplace. The measures below help make that happen.

Training Frequency

The HIPAA rules do not prescribe how often training must take place; the covered entity decides that for its own workforce. Training does have to happen on a recurring basis, though. The Privacy Rule requires that new workforce members be trained within a reasonable time after joining and that affected staff be retrained after any material change to policies or procedures, and the Security Rule requires an ongoing security awareness and training program with periodic security updates. Many organizations settle on annual retraining as a baseline and add sessions whenever the HIPAA rules change, new technology is introduced, existing guidelines are updated or new guidelines are released.

HIPAA Awareness

There are no fixed rules on how a healthcare organization should promote HIPAA awareness in its workplace. Beyond regular formal training sessions, organizations can reinforce the rules with email bulletins, newsletters, short quizzes and similar low-effort reminders that keep HIPAA requirements in front of staff between trainings.

Culture Of Security

Promoting HIPAA compliance also means developing a culture of security. In addition to regular training, this can include sessions in which staff share their own experience with HIPAA, including near-misses, so that colleagues learn from real situations rather than abstract rules. Sharing knowledge this way reduces the risk that staff errors lead to data being leaked or stolen. It is also recommended that workers sign a declaration stating that they understand the HIPAA rules and the organization's policies, and that they are aware of the penalties for noncompliance.

Physical Compliance

HIPAA also imposes physical safeguards. A facility needs to limit physical access to areas where paper medical records are kept while still providing access to authorized staff. Proper controls must cover electronic media as well: re-use of any type of media, and its removal, transfer and disposal, must follow documented procedures so that protected health information is not left behind on a discarded drive or a repurposed device. Closely related technical safeguards include an emergency access procedure for obtaining necessary electronic health information during an outage or emergency, and a mechanism to encrypt and decrypt that information.

Mobile Devices

Staff training must also cover the dangers of mobile devices. Mistakes have occurred with social media and with text messaging: sensitive information has been shared over non-secure channels between clinicians who did not realize they were doing anything wrong. All staff must understand the serious risks of handling patient information on their mobile devices. It should be emphasized that sensitive health information may only be exchanged through pre-approved secure messaging applications that meet the organization's security requirements; consumer texting and social media apps are never acceptable for this purpose.

Security Awareness Updates

Healthcare organizations are advised to give employees security awareness training twice a year and to supplement it with monthly security updates. The updates keep staff informed about the most current cybersecurity threats, such as phishing campaigns targeting healthcare, and tell them how to recognize and react to each specific threat.

ID Credentials

A healthcare organization should never permit employees to share their ID credentials. Each employee must have an individual login ID and password; unique user identification is a required standard under the HIPAA Security Rule, because without it an audit log cannot attribute access to a specific person. Employees have shared credentials in the past for convenience, for example to save a busy clinician from logging in at each workstation, and it has resulted in HIPAA non-compliance findings.

Automatic Logouts

Computers and other devices used by a healthcare organization should be password protected and configured to log off or lock automatically after a period of inactivity. A workstation can be set to lock after five minutes without use; in high-traffic areas such as a reception area, the timeout should be two minutes or less so that an unattended screen does not expose patient information to anyone walking past.

Monitor System Logs

Someone in the healthcare organization should be assigned to review system logs daily. Regular review of information system activity is a required part of the Security Rule's administrative safeguards. The reviewer should look for suspicious activity, errors and anomalies that do not fit the organization's security practices: for example, a single user ID active on two workstations at once, logins outside working hours, bursts of failed logins, or staff viewing records of patients they are not treating. Doing this helps determine whether the system has been attacked and can stop a data breach before it spreads.
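To make the daily log review and the shared-credential rule concrete, here is a small Python script that scans an access log for the patterns just described. It is an added example written for this article, not a tool from any EHR vendor or from the organization's own environment. The log format (one event per line: timestamp, user ID, workstation, event, detail), the office hours and the thresholds are all assumptions, and the sample log lines are constructed for illustration.

```python
"""Daily review of a constructed EHR access log.

Flags four patterns a reviewer would want to see: a user ID logged in on a
second workstation while a session is still open elsewhere (the usual sign of
shared credentials), logins outside office hours, a burst of failed logins,
and a successful login right after such a burst.

Added example for this article; format, hours and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed office hours
FAILED_BURST_COUNT = 5                       # assumed threshold
FAILED_BURST_WINDOW = timedelta(minutes=5)   # assumed window

# Constructed sample log (not real data). Lines are deliberately out of order.
# Format: ISO timestamp, user id, workstation, event, detail
SAMPLE_LOG = """\
2024-03-04T23:41:09 bwong WS-EXAM-1 LOGIN ok
2024-03-04T23:42:00 bwong WS-EXAM-1 VIEW patient=10099
2024-03-04T08:02:11 jdoe WS-RECEPTION-1 LOGIN ok
2024-03-04T08:03:40 jdoe WS-RECEPTION-1 VIEW patient=10045
2024-03-04T08:05:02 jdoe WS-EXAM-3 LOGIN ok
2024-03-04T08:05:30 jdoe WS-EXAM-3 VIEW patient=10077
2024-03-04T09:15:00 asmith WS-BILLING-2 LOGIN ok
2024-03-04T09:16:10 asmith WS-BILLING-2 VIEW patient=10045
2024-03-04T09:40:00 asmith WS-BILLING-2 LOGOUT -
2024-03-04T10:02:00 asmith WS-BILLING-1 LOGIN ok
2024-03-04T12:01:00 mlee WS-BILLING-1 LOGIN failed
2024-03-04T12:01:07 mlee WS-BILLING-1 LOGIN failed
2024-03-04T12:01:15 mlee WS-BILLING-1 LOGIN failed
2024-03-04T12:01:22 mlee WS-BILLING-1 LOGIN failed
2024-03-04T12:01:30 mlee WS-BILLING-1 LOGIN failed
2024-03-04T12:01:40 mlee WS-BILLING-1 LOGIN ok
"""


def parse_log(text):
    """Parse the assumed five-field format into dicts, sorted by timestamp.

    Sorting matters: log shippers often deliver events out of order, and the
    session-tracking rule below depends on seeing logins and logouts in sequence.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ws, event, detail = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "event": event, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def review(events):
    """Return a list of (finding_type, user, detail) tuples for a human reviewer."""
    findings = []
    active = defaultdict(dict)     # user -> {workstation: login time}
    failures = defaultdict(list)   # user -> recent failed-login timestamps
    for e in events:
        user, ws, ts = e["user"], e["ws"], e["ts"]
        if e["event"] == "LOGIN" and e["detail"] == "ok":
            # Unique-ID check: a live session on another workstation means the
            # password was shared or the user walked away from an unlocked screen.
            others = sorted(w for w in active[user] if w != ws)
            if others:
                findings.append(("CONCURRENT_SESSION", user,
                                 f"{ws} while still logged in at {', '.join(others)}"))
            active[user][ws] = ts
            if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
                findings.append(("AFTER_HOURS_LOGIN", user, f"{ws} at {ts.isoformat()}"))
            if len(failures[user]) >= FAILED_BURST_COUNT:
                findings.append(("SUCCESS_AFTER_FAILURES", user,
                                 f"{ws}: {len(failures[user])} failures then success"))
            failures[user].clear()
        elif e["event"] == "LOGIN" and e["detail"] == "failed":
            recent = [t for t in failures[user] if ts - t <= FAILED_BURST_WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAILED_BURST_COUNT:   # fire once, at the threshold
                findings.append(("FAILED_LOGIN_BURST", user,
                                 f"{ws}: {len(recent)} failures within "
                                 f"{int(FAILED_BURST_WINDOW.total_seconds())}s"))
        elif e["event"] == "LOGOUT":
            active[user].pop(ws, None)
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} {user:8} {detail}")
```

On the sample log the script flags jdoe for a second session on WS-EXAM-3 while still logged in at reception, mlee for five failed logins in under a minute followed by a success, and bwong for a late-night login; asmith, who logged out before moving to another workstation, is not flagged. The same structure extends to the snooping check mentioned above once the log carries the treating-clinician relationship, which this sample format does not.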

Many healthcare organizations find complying with every aspect of HIPAA a serious challenge. The task becomes easier when staff are trained regularly and work together. With investment in the right tools and steady promotion of the rules, a healthcare organization stands a good chance of staying in compliance with HIPAA at all times.
