common sense training

  • 30th July 2013

“Hi, I am calling to provide you our correct health insurance information for my wife’s visit last month,” the dutiful husband told the medical office receptionist over the phone.

“I’m sorry, but HIPAA will not allow me to talk with you about that, your wife will have to call us,” the receptionist robotically responded.

Unfortunately, the above dialogue is still a common interchange in health care today nearly 17 years since the passage of the Health Insurance Portability and Accountability Act (HIPAA). Granted, the applicable privacy regulations of HIPAA did not come online until April 2003, but that was a decade ago. So what is the problem here?

In short, the answer seems to lie in two areas: (1) complexity of the law; and (2) poor training about the law.

There is not much that can be done about the complexity of the law, but it clearly is complex. HIPAA started out as a nice idea in 1996, that is, to streamline health care transactions such as claims processing with a standard set of transaction information. HIPAA also called for the efficient use of electronic medical information and tried to ensure both the privacy and security of that information. Detailed privacy regulations were put into law in 2003 and highly technical security regulations followed in 2005. In 2009, HIPAA was tampered with again in a part of the federal economic stimulus bill known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH turned HIPAA into a penalty-driven law that can impose steep fines on covered entities and business associates that trip up with compliance. And, now in 2013, another massive set of regulations interpreting HITECH also became law. Consequently, for a busy and already heavily regulated medical practice, the body of law that makes up HIPAA clearly is complex.

So, we turn to training. The robotically trained receptionist in the above example is really not to be blamed. The marching orders probably were to not discuss anything with anyone unless it is the patient or the health plan on the phone. To be clear, HIPAA always has permitted a medical office to talk with a spouse or caregiver of a patient, but you have to use some common sense thinking. If the husband started asking odd questions or inquired into the nature of the office visit without some acknowledgement that the wife was okay with that, well, that probably should be a red flag. The receptionist’s training, if anything substantive, may have been a standardized computer test or a quick lecture in the staff lounge that did not provide enough clear direction for applying HIPAA in real life. The training might even have been wrong.

Are there common sense training solutions that will not break the bank for smaller providers like medical offices? Sort of. The basic problem with most training is that it is passive in nature. A person reads something about HIPAA and tries to absorb what was said. They may even take a quiz about what they read (retaking it as many times as needed to get a passing score). All of that is fine, but it does little to get workforce members actually thinking about common sense privacy and security practices. The resulting responses tend to be robotic, and they usually end up keeping patients from conveniently addressing issues with their very own medical information. Some training also creates a tremendous amount of fear, because employees might be told over and over that they will lose their jobs if they mess up even once. The end result of passive training is that it likely creates a workforce of HIPAA robots much like the receptionist above.

Medical practices could do a couple of things to avoid the HIPAA robot syndrome.

First, they could look at their top ten or twenty HIPAA-related scenarios and develop a regular game or question of the week that rewards staff for coming up with solid common sense and helpful responses. For example, using the above scenario, a staff member might answer a question about such a scenario with:

“If the receptionist really did not know what to do, he could have politely taken the husband’s number and said the billing person is with a patient but will call you back in ten minutes. A quick check with the compliance officer, or even online with the information provided by the Office for Civil Rights (OCR) likely would confirm it was okay to call back and get insurance information from the husband.”

That seems to be a simple creative response and not a “no” answer to a customer of the medical practice.

The second thing a practice could do is look for newer training resources that try to make training more active rather than passive. For example, the Office of the National Coordinator for Health Information Technology (ONCHIT) recently tested a pilot HIPAA training project that set up a model medical clinic in a video game format. The player entered various areas of the clinic and was quizzed about realistic HIPAA scenarios. While the game was fairly rudimentary, the concept certainly was a step in the right direction of encouraging the use of far more active training techniques.

HIPAA has been around for a while now, yet the poorly trained receptionist scenario remains commonplace. Medical practices looking to alleviate the HIPAA robot syndrome should be looking for more active rather than passive training resources.