The Health Insurance Portability and Accountability Act, usually known as HIPAA, outlines patient privacy laws within the US healthcare system and requires that anyone accessing or managing healthcare information needs HIPAA training. As technology evolves, the law and its applicability are ever-changing. Even those employees that already have experience dealing with HIPAA may find that they are not up-to-date with current best practices.
That is where training comes in. A well-designed training course can save an organization time and money, as employees will make fewer mistakes that cost the organization. Human error remains one of the foremost threats to patient privacy – a threat that can easily be remedied through training.
HIPAA is complex and nuanced, and thus it is unreasonable to believe that any one regular employee will remember its every detail. However, no employee that deals with patient data – be they a doctor, accountant, actuary or nurse – should begin work without being acquainted with HIPAA policies and practices. As most of these employees will not have law degrees, training courses ensure that employees receive appropriate information without trying to interpret the document themselves. This is especially important given the broad nature of HIPAA; as it was written to apply to many different types of organizations and cover many different scenarios. There are also many requirements that are nuanced, which can lead to confusion. Interpreting the legislation should be left to those with proper training.
Despite the obvious need for training, the actual training guidelines stipulated by HIPAA are limited. Under the HIPAA Privacy Rule, training should be provided “as necessary and appropriate for members of the workforce to carry out their functions”, whilst the Security Rule requires organizations to “implement a security awareness and training program for all members of the workforce.” Aside from these two requirements, and the need to provide training when there is a change in technology, policies, or updates to the HIPAA Rules, no other information is provided about the content and frequency of training.
How can you be compliant without adequate information?
The lack of information in the HIPAA text leads to frustration amongst many employers. How can they ensure their employees are being HIPAA compliant if there are few instructions on how to comply? Though annoying, there is a deliberate purpose for this. Developments in technology are so rapid it is likely that instructions on security practices will become outdated within a year. Thus, by including terms such as “addressable requirements”, HIPAA does not need to be continually updated.
Additionally, the Office for Civil Rights – part of the Department of Health and Human Services – does not offer a training course. Instead, the HHS instructs each covered entity and business associate to train their own employees. Should any HIPAA covered entity or business associate fail to comply, the HHS can impose penalties for non-compliance. Should a HIPAA violation occur, a Covered Entity may have to pay a penalty that could cost several million dollars. If noncompliance amounts to criminal negligence, jail terms are also possible.
To decide what the “necessary” amount of training should be, it is advisable for Covered Entities to conduct a number of assessments and audits regularly throughout the year. These will help advise training staff on the roles of each employee, how they interact with patient data and to what extent training should be provided. It is unlikely that a single training course will be sufficient to cover all of these requirements, as it will undoubtedly be too long. Instead, it is best to organize a number of different courses and get staff to complete training modules throughout the year. A modular training course will also allow training to be tailored for each employee and their role in the organization.
Training and HIPAA Compliance: Top Tips
Here, we outline some of our top training tips designed to maximize knowledge retention, minimize cost and give the best likelihood of HIPAA compliance.
|Keep training sessions short and sweet. Your employees will thank you for it. Additionally, shorter sessions will improve retention of information.||Include an excess of information – Do employees in the accounts department really need to know an in-depth history of privacy regulation in the US?|
|Provide regular training throughout the year. This will help keep employees up-to-date, as well as keep HIPAA at the forefront of their minds.||Crowd too many different topics into one session. Focus each training class on one or two aspects of HIPAA.|
|Tailor training courses for different employee roles. Doctors do not need the same training as actuaries.||Forget to train BAs. CEs may be partially liable if their vendors are discovered to be noncompliant.|
|Seek help. There is no need to reinvent the wheel. Many companies offer HIPAA training courses that can be tailored to meet the needs of a healthcare organization or vendor.||Forget to assess the effectiveness of training to ensure that knowledge has been retained by employees.|
HIPAA Training for Employees
To meet the requirements for HIPAA training for employees referenced in both the HIPAA Privacy and Security Rules, training must be provided on HIPAA and cybersecurity. HIPAA training must be provided promptly when an employee joints the company or organization, ideally as part of the onboarding process or within days or weeks of commencing employment. An example of the elements that should be included in initial training are outlined in the next section.
In addition to initial HIPAA training, training must also be provided following any material change in policies or procedures, such as when HIPAA Rules are updated, changes are made to working practices, or new IT systems are introduced. In addition to initial training, HIPAA refresher training must be provided “periodically.” The best practice is to provide refresher training annually to ensure the requirements of HIPAA are not forgotten and to reduce the risk of HIPAA violations and privacy breaches.
HIPAA training for employees must include security awareness training, which should be provided soon after an employee joins the company and periodically thereafter. Healthcare employees must be taught good cyber hygiene, and be informed about threats to patient data and how to avoid them. It is especially important to train employees how to recognize phishing emails and other email threats and instructed what to do if a suspicious email is encountered. For Security Rule compliance, refresher training should be provided annually, although more frequent, shorter training sessions every quarter or 6 months will help to reduce the risk of data breaches.
Try to break up HIPAA training for employees into smaller chunks to improve knowledge retention. It is also wise to split security awareness and HIPAA training into separate sessions.
HIPAA Compliance – Sample Training Curriculum
To help Covered Entities with the task of designing a training curriculum, we have provided a sample set of HIPAA Compliance Training modules below. These can form the basis of a wide range of training courses, and be tailored as needed for different employee roles.
- Introducing HIPAA and HIPAA Compliance – It is usually best to start from a broad overview of the HIPAA legislation and when it is applied. Most employees will already be familiar with the Act, but any new employees coming from a different industry will benefit from the introduction.
- What is HIPAA? – We recommend starting from basics to ensure all employees have the same fundamental understanding of privacy regulation. To make it more relevant, you could also include recent news stories concerning HIPAA violations.
- Applicability of HIPAA – HIPAA applies to a wide range of organizations, from hospitals to healthcare clearinghouses and a huge variety of vendors. However, there are many exceptions. It is good to give employees a broad overview of such exceptions.
- “HIPAA Definitions” – HIPAA is a legal document. Thus, it is dense with terminology and abbreviations. Before beginning on any other training, give employees a chance to learn the most common phrases that they will use in their day-to-day work.
- Covered Entities and their Duties – Under HIPAA, a CE is any organization that creates, stores, transfers, or otherwise accesses private health data. As these will usually be at the frontline of dealing with patient data, it is essential their employees are trained in HIPAA compliance.
- What must a CE do? – Primarily, CEs must protect the confidentiality and integrity of all private health information (PHI) that they access, store, or transmit. They have other responsibilities, too, such as ensuring patients can access their data.
- Example CEs –Hospitals, medical practitioners, insurers and healthcare clearinghouses are the most common types of CEs. However, there are some unusual cases. If employers partake in an Employee Assistance Program, they are “hybrid entities” and must also be HIPAA-compliant.
- Business Associates – Business associates are charged with protecting patient data they receive or collect. Employees must be aware of what can be considered a BA, how to employ them in a HIPAA-compliant manner, and how to ensure they protect patient data.
- Business Associate Agreements – CE’s must ensure that when hiring a third party they sign a Business Associate Agreement. A BAA is mandatory under HIPAA and charges the BA with maintaining the confidentiality and integrity of PHI in the same way as the CE.
- Types of Associate –CE’s will usually hire a BA to carry out some – or all- data processing. Common BAs include IT managers, accountants, and consultants. If the third party will come across PHI, they are considered a BA.
- Protected Health Information – HIPAA’s Privacy Rule was the first piece of legislation to clarify what data is “protected”, meaning the information must remain private. PHI can only be accessed by authorized personnel, and certain measures must be in place to safeguard the data.
- What is PHI? – Protected Health Information includes, but is not limited to, names, addresses, gender, medical history, credit card information and social security numbers. If a cybercriminal accesses any of this information, patients are left vulnerable to identity theft. Thus, employees must be able to identify this information and protect it accordingly.
- HIPAA Rules – Since it was enacted, many “rules” have been added to the HIPAA legislation. Though these address specific aspects of privacy and security, much of the wording is quite vague. This is deliberate, as it allows the legislation to remain “timeless”.
- Privacy Rule – The Privacy Rule was the first part of HIPAA that defined PHI and instructed CEs and BAs on how to protect it. The Minimum Necessary Rule is also part of the Privacy Rule, and prevents an excess of information being given to different individuals. The Privacy Rule also gives individuals rights over their own healthcare information.
- Security Rule –With electronic PHI (ePHI) having increasing importance, HIPAA needed to address ways to protect it. The Security Rule outlines the minimum safeguards (physical, technical and administrative) needed to ensure the confidentiality, integrity, and availability of healthcare information.
- Breach Notification Rule –If a breach occurs, certain actions must be taken to protect patients. Thus, HIPAA lays out what actions must be taken by a CE or BA to prevent or limit harm. Employees must be informed about how and when to notify breach victims, OCR and the media.
- Enforcement Rule – All legislation needs to have some associated punishment. The consequences for HIPAA breaches are laid out in the Enforcement Rule, though the Department of Health and Human Services can alter punishments at their discretion, within limits.
- Omnibus Rule –The Omnibus Rule covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements for PHI. Nevertheless, employees should be given an overview of the rule and trained in specific areas as necessary.
- Password Policies – The wording of HIPAA’s Password Requirements leaves a lot to be desired. Passwords, and other safeguards such as encryption, are considered to be “addressable requirements”, meaning that some form of protection must be in place that is at least as effective as passwords.
- Changing passwords and password strength – Changing passwords is debated amongst tech specialists, as changing too frequently can lead them to be forgotten or written down. All agree that passwords should contain a mix of upper- and lower-case characters, special characters and numbers. Longer passwords are preferable, and tricks such as the phrase technique can help ensure the memorability of passwords.
- Two-factor Authentication – In addition to a password, each login attempt generates a unique passcode that the person logging must use to gain access to data. Understanding this technology can improve data security.
- Dealing with Children and Minors – Children and minors – those under the age of 18 – are treated as a “special case” under HIPAA legislation. As they will be the most common exception to the HIPAA rules, employees should have different procedures for dealing with children’s data.
- Legal guardians – In the vast majority of cases, medical decisions will be made by the minor’s legal guardians. They will also provide consent for others to access the minor’s data. However, there may be some instances in which a court decides the guardian is unable to make the decisions and appoint a new proxy guardian.
- Difficult cases – Unfortunately, those in the healthcare industry are often the first to notice cases of child neglect or abuse. If a CE believes this to be the case, there are a particular set of guidelines that should be followed to best protect the minor and their data.
- Patient Rights Under HIPAA – The HIPAA Privacy Rule gave patients new rights over their healthcare data, including the right to access and inspect their health records, and request errors be corrected.
- Copies of Patient Health Records – Healthcare employees should be made aware of patient rights, such as when patients can be provided with copies of their health data, what information cannot be provided, the exceptions, and the time frame for complying with requests. OCR is cracking down on noncompliance with patient rights and many fines have been imposed for noncompliance.
- Allowable PHI Disclosures – The HIPAA Privacy Rule severely restricts the uses and disclosures of protected health information to those necessary for treatment, payment, or healthcare operations. Other disclosures are only permitted if prior authorization is obtained from the patient.
- Allowable Disclosures – Healthcare employees must be instructed on when disclosures of PHI are permitted and the minimum necessary standard.
- Patient Authorizations – Healthcare employees must be aware when prior authorizations must be obtained from patients for uses and disclosures otherwise not permitted by the HIPAA Privacy Rule, and how those authorizations can be obtained.
- Health Information Technology for Economic and Clinical Health Act and the HIPAA Omnibus Rule – The primary objective of introducing the HITECH Act was to incentivize the healthcare industry to use digital records. The HITECH Act also introduced new requirements for patient privacy, which were added to HIPAA in the HIPAA Omnibus Rule. Employees that deal with digital systems should be trained on the HITECH Act requirements as well as HIPAA.
- HITECH and HIPAA – The HITECH Act and HIPAA both relate to patient data and patient privacy. The HITECH Act is seen as a reinforcement of HIPAA, with a special focus on digital health records and meaningful use of collected data.
- Threats to Patient Privacy – There are many threats – both internal and external – to the confidentiality and integrity of patient data. Employees should be made aware of these threats so that they can be identified and avoided.
- Hacking, Phishing and Cybercrime– Healthcare data is a common target for cybercriminals as the information has a high black-market value. Patient data can be targeted via phishing emails, malware or hacking. Employees should receive thorough training in how to identify suspect emails.
- Human error and common mistakes –All employees will make mistakes at some stage, but within the healthcare sector they can have dire consequences. Simple mistakes, such as leaving files on a desk, puts sensitive information at risk. Employees must be trained on how to apply appropriate safeguards and prevent mistakes from being made.
- Penalties for non-compliance – As outlined above in the Enforcement Rule, HIPAA non-compliance has severe penalties. These should be outlined to employees as a deterrent mechanism, highlighting the importance of compliance.
- Administrative and Personal Fines – There are two types of financial penalties: administrative or personal. The administrative fines range from $50,000 to $1.5 million and are levied against the negligent organization. By contrast, personal fines are for individuals who were HIPAA non-compliant. If it was deemed that there was malicious intent behind the non-compliance, individuals may face fines of up to $250,000.
- Judicial Remedies and jail sentences –The OCR retains the right to seek judicial remedies to HIPAA violations. This may result in a jail term of up to 10 years.
HIPAA Training – Conclusion
HIPAA has far-reaching consequences within the healthcare industry, governing how employees in hospitals, insurance companies, and other healthcare entities interact with patient data. However, employees that mishandle this data can leave patients at risk of fraud and identity theft. It is imperative, then, that all employees are properly trained. HIPAA and the OCR put the onus on CEs to train their employees – a tough task, given the extensive nature of the legislation and the consequences for non-compliance. Here we outlined some best-practice guidelines to ensure HIPAA compliance, as well as providing a training curriculum that can be altered to the needs of CEs and their employees to reduce the risk of HIPAA violations.
How soon should HIPAA training be provided to employees?
HIPAA does not specify how soon training must be provided after starting employment. You do not need to provide training before work duties are commenced, but you should try to ensure training is provided within the first 10 days of an employee commencing employment and no later than a month after a new hire.
What is the maximum penalty for a HIPAA training failure?
Fines of up to $1.5 million can be imposed by the HHS’ Office for Civil Rights for the failure to provide HIPAA and security awareness training. State Attorneys General can also impose fines of up to $25,000 for HIPAA violations in addition to any fines by the HHS’ Office for Civil Rights. The fines can then be multiplied by the number of years an organization is in violation of HIPAA.
Are there privacy training requirements other than HIPAA?
Yes. HIPAA covered entities and their business associates are also required to comply with state privacy and security laws, which may be stricter than HIPAA. In Texas for instance, training must be provided on Texas HB 300 within 60 days of commencing employment with refresher training provided at least every 2 years.
Do students need HIPAA training?
Yes. All individuals who may encounter PHI are required to be provided with HIPAA training. That includes students, interns, volunteers, admin and accounting staff, nurses, physicians, and even the cleaning staff. Training should be appropriate to each role. Training for students will be different to training for back office staff.
What HIPAA training documentation is required?
You must maintain an accurate training log that includes the names and job titles of all employees, the date when training was provided, what training was given, and the names of the trainers/training courses. The training log should be stored with your HIPAA documentation and a training record should be maintained in each employee’s HR file.