I worked in insurance for over five years (at a Fortune 500 company). I had annual HIPAA training. I was in claims, so I'm not sure how pertinent this will be to your needs, but here is some stuff I remember:
1. HIPAA has a minimum necessary standard of disclosure, which means give only however much info you must give to accomplish the task in question.
2. You need at least three pieces of identifying info to positively ID an account, such as name, address and account number. (Other possibilities include: Social security number; date of birth; phone number.)
3. When disposing of papers or other media containing covered information, it must be destroyed, not merely thrown out. This means papers, floppy disks, etc. must be shredded.
4. If you're printing a lot of papers with HIPAA covered info, you should have a locked trash can for any papers you are discarding. Presumably, this is merely a holding bin until it gets shredded.
5. Papers with pertinent info should be turned face down if anyone comes to your cubicle to talk, even a coworker. Ditto for papers coming off the printer containing covered info.
6. You need an annual HIPAA training program to remind everyone of a lot of the above (and likely other things I'm not covering).
7. Computers should be password-protected when you walk away from your computer.
I guess the short version is: When in doubt, err on the side of making sure the information cannot be accessed by anyone who isn't using it to accomplish the purpose it is intended to serve. Also, you can't go flipping through covered info for funsies. Although you have authorized access, it's only authorized for a specific purpose.
> 6. You need an annual HIPAA training program to remind everyone of a lot of the above
When you say 'need', do you mean 'legally required to'? I wonder if that could work to the advantage of the poster, in that if they left because they became aware that things are not being done correctly and they have never had any such training, the legal responsibility would reflect back on the employers who had not provided such training to an obviously inexperienced employee, and the CEO in particular, who is the person who should have known to do that.
I am not in the USA, and I think the UK has slightly better employee protections and lines of legal responsibility, at least in some areas (such as Health & Safety), but who knows...
HIPAA requires organizations to provide training for all employees, new workforce members, and periodic refresher training. The definition of “periodic” is not defined and can be left open to interpretation. However, most organizations train all employees on HIPAA annually. This is considered to be a best practice.