The Health Insurance Portability and Accountability Act, usually known as HIPAA, sets out patient privacy rules for the US healthcare system and requires that every workforce member of a covered entity or business associate who handles health information receives HIPAA training. As technology evolves, the law and the regulations that implement it are updated, so even employees with HIPAA experience may find that they are not up to date with current best practice.
That is where training comes in. A well-designed training course saves an organisation time and money, because trained employees make fewer of the mistakes that cost it. Human error remains one of the foremost threats to patient privacy, and it is a threat that training can substantially reduce.
HIPAA is extremely complex, and it is unreasonable to expect any one regular employee to remember its every detail. However, no employee who deals with patient data, be they a doctor, accountant, actuary or nurse, should begin work without being acquainted with HIPAA policies and practices. As most of these employees will not have law degrees, training courses allow them to receive the information they need without interpreting the regulations themselves. This matters because HIPAA is broad: it covers many different scenarios and contains many exceptions. How to handle these situations can be confusing, and interpreting the legislation should be left to those with proper training.
Despite the obvious need for training, the training requirements that HIPAA itself stipulates are vague. The Privacy Rule (45 CFR 164.530(b)) requires training “as necessary and appropriate for the members of the workforce to carry out their functions”, while the Security Rule (45 CFR 164.308(a)(5)) requires covered entities and business associates to “implement a security awareness and training program for all members of [the] workforce”. Beyond this, little detail is given.
How can you be compliant without adequate guidelines?
The lack of guidelines in HIPAA frustrates many employers. How can they ensure their employees are HIPAA compliant if there are no instructions on how to comply? Though frustrating, the vagueness is deliberate. Technology develops so rapidly that any prescribed list of security practices would likely be outdated within a year. By framing many safeguards as “addressable” implementation specifications and specifying outcomes rather than particular technologies, HIPAA avoids the need for continual updating.
Additionally, the Office for Civil Rights (OCR), part of the Department of Health and Human Services, does not provide the training itself; training every employee who needs it would cost millions. It is far more cost-efficient for the government to require each employer to train its own workforce and to collect penalties for non-compliance. Should a breach occur, the Covered Entity may have to pay a sizeable civil penalty, and individuals who knowingly misuse patient data can face criminal prosecution and prison sentences.
To decide what the “necessary” degree of training is, Covered Entities should conduct risk assessments and audits regularly throughout the year; the Security Rule already requires a documented risk analysis. These tell training staff what each role does, how it interacts with patient data, and how much training it needs. A single course is unlikely to cover all of these requirements without becoming far too long. Instead, organise a number of shorter courses and run them regularly throughout the year.
Training and HIPAA Compliance: Top Tips
Here, we outline some of our top training tips designed to maximise retention, minimise cost and give the best likelihood of HIPAA compliance.
| Do | Don't |
| --- | --- |
| Keep training sessions short and sweet. Your employees will thank you for it, and shorter sessions increase content retention. | Include an excess of information. Do those in accounts really need an in-depth history of privacy regulation in the US? |
| Provide regular training throughout the year. This keeps employees up to date and keeps HIPAA at the forefront of their minds. | Crowd too many topics into one session. Focus each training class on one aspect of HIPAA. |
| Tailor training courses to different employee roles. Doctors do not need the same training as actuaries. | Forget to train BAs. A CE may share liability if its BA is found to be non-compliant, and BAs are directly responsible for training their own workforce. |
HIPAA Compliance – Training Curriculum
To help Covered Entities design a training curriculum, we have provided a sample set of HIPAA Compliance Training modules. These can form the basis of a wide range of training courses, combined as needed for different employee roles.
- Introducing HIPAA and HIPAA Compliance – It is usually best to start from a broad view of HIPAA legislation and when it is applied. Most employees will already be familiar with the Act, but any new employees coming in from a non-healthcare industry will benefit from the introduction.
- What is HIPAA? – We recommend starting from basics to ensure all employees have the same fundamental understanding of privacy regulation. To make it more relevant, you could also include recent news stories concerning HIPAA violations.
- Applicability of HIPAA – HIPAA applies to a wide range of healthcare settings, from hospitals to healthcare clearinghouses, and to the business associates that serve them. However, not every organisation that handles health information is covered, and the rules themselves contain many exceptions. Give employees a broad overview of both.
- “HIPAA Dictionary” – HIPAA is a legal document, so it is dense with terminology and abbreviations. Before any other training, give employees a chance to learn the most common terms they will use in their day-to-day work.
- Covered Entities and their Duties – Under HIPAA, a CE is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction. As CEs are at the front line of dealing with patient data, it is essential that their employees are trained in HIPAA compliance.
- What does a CE do? – Primarily, CEs must protect the confidentiality, integrity and availability of the protected health information (PHI) they create, receive, maintain or transmit. They have other responsibilities too, such as giving patients access to their own records and a notice of privacy practices.
- Example CEs – Hospitals, medical practitioners, health insurers and healthcare clearinghouses are the most common types of CE. There are less obvious cases: an employer whose self-administered health plan or Employee Assistance Program meets the definition of a health plan may be a “hybrid entity”, and HIPAA then applies to that covered component of the business.
- Business Associates – A business associate (BA) is a third party that creates, receives, maintains or transmits PHI on behalf of a CE, and it is directly responsible for protecting that data. Employees must be aware of what counts as a BA, how to engage one in a HIPAA-compliant manner, and how to confirm that it is protecting patient data.
- Business Associate Agreements – CEs must ensure that a third party signs a Business Associate Agreement (BAA) before it handles PHI. A BAA is mandatory under HIPAA and obliges the BA to safeguard the confidentiality, integrity and availability of PHI in the same way as the CE.
- Types of Associate – CEs will usually engage a BA to carry out some, or all, of their data processing. Common BAs include IT service providers, cloud hosting providers, accountants and consultants. If the third party will handle PHI on the CE's behalf, it is a BA; a vendor that merely transports data without routine access to it (a conduit, such as a postal or telecoms carrier) is not.
- Protected Health Information – HIPAA's Privacy Rule was the first regulation to define which health data is “protected”, meaning that it must be kept confidential. PHI may only be accessed by authorised personnel, and safeguards must be in place to protect it.
- What is PHI? – Protected Health Information is individually identifiable health information held or transmitted by a CE or BA in any form. It includes medical histories, test results and billing records together with identifiers such as names, addresses, dates of birth, social security numbers, account and payment-card numbers, and any other detail that could identify the patient. If a cybercriminal obtains this information, patients are exposed to identity theft and fraud, so employees must be able to recognise it and treat it accordingly.
- HIPAA Rules – Since the Act was passed, HHS has issued a series of “rules” (regulations) under it. Though these address specific aspects of privacy and security, much of the wording is deliberately general so that the rules remain applicable as technology changes.
- Privacy Rule – The Privacy Rule defined PHI and set out how CEs must use, disclose and protect it; since the Omnibus Rule, BAs are directly bound by many of its provisions. It includes the “minimum necessary” standard, which requires that uses, disclosures and requests of PHI be limited to the minimum needed for the purpose, so that no one receives more information than their task requires.
- Security Rule – With electronic PHI (ePHI) growing in importance, HIPAA needed to address how to protect it. The Security Rule sets out the administrative, physical and technical safeguards required, and requires a documented risk analysis to decide how they are implemented.
- Breach Notification Rule – If a breach of unsecured PHI occurs, certain actions must be taken to mitigate the harm. HIPAA sets out what the CE must do: notify affected individuals without unreasonable delay and within 60 days of discovery, notify HHS (OCR), and, if more than 500 residents of a state or jurisdiction are affected, notify prominent media outlets. Employees must know how to recognise and report a suspected breach internally so that these clocks start on time.
- Enforcement Rule – All legislation needs some associated penalty. The procedures for investigations and the tiers of civil money penalties for HIPAA violations are laid out in the Enforcement Rule; OCR has discretion to resolve cases through voluntary compliance, corrective action plans and settlements rather than formal penalties.
- Omnibus Rule – The 2013 Omnibus Rule implemented the HITECH Act's changes across the HIPAA rules: it made BAs and their subcontractors directly liable, redefined a breach so that an impermissible disclosure is presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised, and tightened limits on marketing and the sale of PHI. Employees should be given an overview of the rule and trained in specific areas as necessary.
- Password Policies – The wording of HIPAA's password requirements leaves a lot to be desired. Password management is an “addressable” implementation specification of the Security Rule, as is encryption of ePHI. Addressable does not mean optional: the CE must implement the specification if it is reasonable and appropriate, or document why it is not and, where reasonable, implement an equivalent alternative measure.
- Changing passwords and password strength – Forced periodic password changes are debated among specialists, because changing too frequently leads to passwords being forgotten, written down or varied predictably; current guidance (NIST SP 800-63B) recommends changing a password when compromise is suspected rather than on a schedule. Length matters more than forced mixes of character classes, and screening new passwords against lists of known breached passwords is more effective than composition rules. Passphrases built from several unrelated words are both long and memorable.
- Two-factor Authentication – Increasingly important, two-factor authentication adds a second proof of identity to the password: typically a one-time passcode generated by an app or hardware token the user possesses, valid for a single login within a short time window. Understanding this technology helps employees choose appropriate safeguards for access to PHI.
- Dealing with Children and Minors – Children and minors (generally those under 18) are treated as a special case under HIPAA. Because a parent or guardian usually acts as the minor's personal representative, while state law and certain treatments create exceptions, employees should be ready for the different procedures that apply to children's data.
- Legal guardians – In the vast majority of cases, medical decisions will be made by the minor's legal guardian, who will also provide consent for others to access the minor's data. However, there may be instances in which a court decides the guardian is unable to make those decisions and appoints a new proxy guardian.
- Difficult cases – Unfortunately, those in the healthcare industry are often the first to notice cases of child neglect or abuse. If a CE believes this to be the case, there is a particular set of procedures to follow, including permitted reporting to child protection authorities, to best protect the minor and their data.
- Health Information Technology for Economic and Clinical Health Act – The primary objective of HITECH (2009) was to incentivise the healthcare industry to adopt electronic health records. It also strengthened HIPAA's privacy and security provisions, so employees who deal with digital systems should be trained in HITECH as well as HIPAA.
- HITECH and HIPAA – HITECH and HIPAA both relate to patient data and patient privacy. HITECH is seen as a reinforcement of HIPAA, with a special focus on digital health records and meaningful use of collected data, and it introduced breach notification and tougher penalties.
- Threats to Patient Privacy – There are many threats, both internal and external, to the confidentiality and integrity of patient data. Employees should be made aware of these threats so that they can identify and address them.
- Hacking, Phishing and Cybercrime – Healthcare data is a common target for cybercriminals because it has a high black-market value. Patient data can be targeted via phishing emails, malware (including ransomware) or direct intrusion into systems. Employees should receive thorough training in how to identify and report suspect emails.
- Human error and common mistakes – All employees will make mistakes at some stage, but within the healthcare sector this can have dire consequences. Simple mistakes, such as leaving files on a desk or sending a record to the wrong recipient, can expose patients to fraud. Employees must be trained in how to apply appropriate safeguards and prevent such mistakes.
- Penalties for non-compliance – As outlined above under the Enforcement Rule, HIPAA non-compliance carries severe penalties. These should be explained to employees as a deterrent, highlighting the importance of compliance.
- Civil (administrative) and Criminal (personal) Fines – There are two types of financial penalty. Civil money penalties are levied against the non-compliant organisation and are tiered by culpability, from $100 per violation where the entity did not know of the violation up to $50,000 per violation for wilful neglect that is not corrected, with an annual cap of $1.5 million per identical provision (figures adjusted for inflation). Criminal penalties apply to individuals who knowingly obtain or disclose PHI in violation of HIPAA: fines of up to $50,000, rising to $100,000 if the offence is committed under false pretences and $250,000 if it is committed with intent to sell the data or for malicious harm.
- Judicial Remedies and jail sentences – Criminal cases are referred to the Department of Justice, and the same three tiers carry prison sentences of up to one, five and ten years respectively.
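The one-time passcode mechanism described in the “Two-factor Authentication” module above, as an added example that is not part of the original page: an HOTP (RFC 4226) and TOTP (RFC 6238) generator together with a server-side verifier that tolerates clock drift, compares in constant time and rejects replayed codes. It assumes the common defaults (HMAC-SHA1, 30-second step, six digits) and uses the RFC test-vector key as a constructed secret; the `TotpVerifier` class, the user names and the `at` parameter for injecting a timestamp are this example's own inventions.

```python
"""Added example: HOTP (RFC 4226) / TOTP (RFC 6238) generation and verification.

Assumptions: HMAC-SHA1, 30-second time step, 6-digit codes, and one step of
clock drift tolerated either side. Not code from the original page.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Constructed secret: the RFC 4226 / RFC 6238 test-vector key ("12345678901234567890").
# A real deployment generates a random secret per user and stores it encrypted.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte big-endian
    counter, then RFC 4226 dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code for one user (hypothetical class).

    - tolerates +/- `window` steps of clock drift between token and server;
    - compares in constant time so response timing leaks nothing about the digits;
    - remembers the highest counter accepted per user and rejects any code at or
      below it, so a captured code cannot be replayed within its validity window.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step, self.digits, self.window = step, digits, window
        # user -> last accepted counter; an in-memory stand-in for a persistent store
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, submitted: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        # Reject malformed input before doing any cryptography.
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        base = at // self.step
        matched: Optional[int] = None
        # Evaluate every candidate step (no early exit) to keep timing uniform.
        for delta in range(-self.window, self.window + 1):
            candidate = base + delta
            if hmac.compare_digest(hotp(secret, candidate, self.digits), submitted) and matched is None:
                matched = candidate
        if matched is None or matched <= self._last_counter.get(user, -1):
            return False  # wrong code, or a replay of one already accepted
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the 6-digit SHA-1 code for the test key is 287082.
    print(totp(TEST_SECRET, 59))                              # 287082
    v = TotpVerifier()
    print(v.verify("alice", TEST_SECRET, "287082", at=59))   # True
    print(v.verify("alice", TEST_SECRET, "287082", at=59))   # False: replay
```

In production the per-user secret must be generated randomly (20 bytes or more), provisioned to the user's authenticator over a trusted channel, and the last-accepted counter must live in a store shared by every server that validates logins; otherwise one server will accept a code another has already consumed.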
HIPAA Training – Conclusion
HIPAA has far-reaching consequences within the healthcare industry, governing how employees in hospitals, insurance companies and healthcare billing agencies interact with patient data. Employees who mishandle this data can leave patients at risk of fraud and identity theft, so it is imperative that all employees are properly trained. HIPAA and the OCR put the onus on CEs and BAs to train their workforces, a tough task given the extensive nature of the legislation and the consequences of non-compliance. Here we have provided some best-practice guidelines for HIPAA compliance, as well as a training curriculum that can be adapted to the needs of the CE and its employees. Together, they should help minimise the risk of a HIPAA breach.