Despite its importance, the training requirements detailed in the HIPAA text lack specifics. This can lead to a lot of confusion, as it places the responsibility on the CE or BA to determine how training is conducted, what must be covered in training sessions, and who should be involved in the courses. Training is, however, mandatory: the HIPAA Privacy Rule stipulates it as part of its Administrative Requirements, whilst the HIPAA Security Rule lists it as an Administrative Safeguard. Yet in both cases the wording is unspecific: training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).
The broad wording is, in part, to accommodate for changes in privacy technology. For example, if HIPAA specified that all employees should be trained on password protection, and a new, better technology came along, the HIPAA text would need to be updated. This is neither efficient nor economical, so it is better to have some in-built flexibility. Additionally, the training requirements of each BA and CE will different, as will the requirements for training for different types of employees within each company and organization. Thus, it is impossible to have a one-size-fits-all training course.
The Office for Civil Rights (OCR), which oversees HIPAA enforcement, places a huge emphasis on HIPAA training. If they conduct a HIPAA compliance audit and find no formal training program is in place, they will order corrective action and may issue fines. To avoid such fines, and other associated HIPAA sanctions, a formal training program must be implemented.
Objectives of HIPAA Training
The uncertainty surrounding the wording of these stipulations undoubtedly complicates HIPAA compliance. Nevertheless, if HIPAA is violated and subsequent investigations determined it was at least in part due to a lack of training, the covered entity (CE) or business associate (BA) would be deemed negligent. Thus, they could be fined by the Office for Civil Rights (OCR).
The main objectives of HIPAA training are to ensure employees are made aware of the requirements of HIPAA and the importance of compliance. They must be told how HIPAA affects the work they do, be made aware of common HIPAA violations that must be avoided and be informed about the sanctions policy should HIPAA Rules be violated and the consequences of inappropriate uses and disclosures of PHI.
The HIPAA Security Rule requirements for security awareness training are intended to reduce the risk of data breaches. Given the extent to which hackers target healthcare data and conduct campaigns targeting healthcare employees – through phishing attacks for example – security awareness training is essential. And will help to prevent unauthorized accessing and theft of PHI.
HIPAA Training for Employees
To help ensure HIPAA compliance, CEs and BAs must conduct comprehensive risk analyses. As part of these analyses, CEs and BAs will define the functions of each party that may come into contact with Protected Health Information (PHI). After a risk analysis, the organization should determine what training needs to be provided and develop a HIPAA training program and security awareness training program for its employees.
The content of each training program will depend on the nature of the organization’s relationship with PHI and the roles of each individual with respect to PHI. An organization may need to develop different training courses for different employee roles. Training may need to be conducted over a number of sessions and training will need to be provided regularly to ensure continued compliance.
Though this may be off-putting for the company involved, as it is undoubtedly costly and time-consuming, it is of critical importance. Too much information thrown at employees will mean information is not retained.
In addition to initial training on HIPAA and security awareness training, HIPAA requires training to be provided periodically. Refresher HIPAA training sessions should be provided annually to ensure none of the requirements of HIPAA are forgotten. Refresher training on security awareness and cybersecurity best practices should be conducted more frequently, in line with industry best practices.
Advice on HIPAA Compliance Training
Though there are no official HIPAA training guidelines, here we offer advice on how best to train employees. These are not hard-and-fast rules, and may be inappropriate in some situations, but do offer managers a good guide on how to compile a HIPAA training course.
Do include all employees. Senior staff may consider it a waste of time to undergo such training, either due to experience or lack of contact with PHI. However, it is important that they are involved in training and the inclusion of senior staff may encourage others to take HIPAA training seriously.
Do emphasize the consequences of HIPAA violations. Not only does this include fines for the organization but violations of the HIPAA Rules can have consequences for those who caused the breach and their colleagues. Most importantly, there are likely to be consequences for patients whose privacy has been violated.
Do have short, regular training sessions. They will keep employees engaged, leaving them more likely to retain the information. These should be conducted in addition to the annual refresher sessions required by the Department of Health and Human Services.
Don’t include a lecture, however brief, about the history of HIPAA, its legal context, a timeline of its amendments etc. This is likely to cause the trainees to lose focus. Instead, emphasize their role in protecting PHI.
Don’t read long passages of text from the HIPAA guidelines. Not only is it a waste of time, as employees could do this themselves, it is not engaging.
Don’t forget to maintain a record of training sessions and attendees. This is necessary should a breach occur, as it shows that the organization was following HIPAA training requirements.
Sample Training Curriculum
- Introduction to HIPAA – This should include a brief overview of HIPAA legislation, as well as detail the main aspects of the act. This should not, however, include a long introduction to the history of HIPAA.
- Why is HIPAA needed? –There is no harm in reminding employees of why acts such as HIPAA are required. Try to include case-studies of recent incidents where HIPAA was breached and the consequences of the breach.
- HIPAA terminology –As a piece of legal documentation, the terms used in HIPAA can be very confusing for ordinary employees. Providing a “dictionary” of common terms (e.g., “covered entity”) will be helpful, especially at the beginning of the training course.
- When does HIPAA apply? – HIPAA applies to any organization that holds healthcare records, such from hospitals to healthcare clearinghouses.
- Covered Entities– A Covered Entity (CE) is any organization that creates, accesses, transfers, and stores PHI. It is essential that they are HIPAA compliant, and non-compliance can result in severe penalties.
- Examples of CEs – Under HIPAA, any hospital, medical practitioner, healthcare clearinghouse or billing company are considered to be CEs as they have access to PHI.
- Are employers CEs?– Employers are not usually considered to be CEs, though they often have healthcare records for their employees. However, if employers engage in some schemes such as the Employee Assistance Program, they are “hybrid entities” and must be HIPAA-compliant.
- Business Associates– Business Associates are any organization or individual that is contracted by the CE to perform a service that requires contact with PHI. Business Associates may, in turn, hire other Business Associates. Recent changes to HIPAA mean BAs must also be HIPAA-compliant, and thus any BAs must train their employees on HIPAA requirements.
- Types of BA – BA’s essentially include any external entity hired by the CE to perform a service that puts them in contact with PHI. This can range from management consulting to accounting.
- Business Associate Agreement –Before hiring a BA, the CE must ensure that the BA signs a Business Associate Agreement. This ensures that BAs is aware that they must be HIPAA compliant and implement safeguards to protect PHI.
- What is PHI?– Under the HIPAA Privacy Rule, certain classes of information are deemed to be “protected” and must remain confidential. They must be protected by measures such as encryption and cannot be accessed by unauthorized personnel. All employees should be trained on identifying PHI so they can treat it accordingly.
- Examples of PHI – PHI may include an individual’s name (including previous names), their past medical record, their credit card details, and their social security number. Unauthorized access to PHI puts patients at risk.
- HIPAA Rules– Since 1996 – when HIPAA first came into effect – many aspects of the legislation have been amended. This includes the addition of “rules” that address specific aspects of data privacy.
- Privacy Rule– defines PHI and instructs CEs on how to protect data. Also gives patients the right to inspect their PHI and correct errors. Includes the Minimum Necessary Rule, which stipulates that only the minimum amount of information required to complete a task may be disclosed.
- Security Rule –addresses electronic PHI (ePHI). It outlines the administrative, physical, and technical safeguards needed to protect health data.
- Enforcement Rule – introduced penalties for noncompliance and gave the Department of Health and Human Services the ability to prosecute for HIPAA violations.
- Breach Notification Rule – gives a CE or BA 60 days after the discovery of a breach to notify the OCR and affected individuals. Additionally, if over 500 patients are affected, the CE must notify the media.
- Omnibus Rule – addresses a wide range of areas. For example, it stipulates that any PHI leaving the BA or CE’s firewall must be encrypted. It also allows patient records to be held indefinitely.
- HIPAA Password Policies
- Changing passwords – As passwords are an “addressable requirement” under HIPAA, it does not specify how often passwords should be changed. Experts do not agree on the frequency of change either. We recommend that they are changed frequently, but not so frequently that they are likely to be forgotten and thus may be written down.
- Password strength –Passwords should contain a good mixture of upper- and lower-case letters, as well as numbers and special characters where permitted. Long pass phrases of multiple unrelated words are now considered the best option.
- Two-factor authentication – Two-factor authentication is now considered to be a requirement for protecting accounts as passwords alone do not provide sufficient protection.
- HITECH Act– The Health Information Technology for Economic and Clinical Health Act was introduced to help the healthcare sector adapt to the modern age.
- Meaningful use – Under HITECH, those holding electronic health records (EHR) must show that there is legitimate purpose for holding onto healthcare records and demonstrate meaningful use of EHRs. Initially optional, it is now mandatory for all healthcare providers.
- HITECH and HIPAA –Though separate from HIPAA, it is closely related to the act and acts as a reinforcement. Whilst HIPAA focusses on all aspects of privacy, the HITECH Act has special focus on digital health records.
- Exceptions to HIPAA Privacy – Children and Minors
- Cases of abuse– Medics are often on the front line when dealing with child abuse cases. If a CE has reasonable grounds to suspect such a case, the CE can choose not to disclose the patient’s health information to the child’s legal guardian. They may also inform the police or Child Services without violating HIPAA.
- Independent minors – If a minor has emancipated him/herself from their legal guardian, they must be treated as a legal adult and their PHI cannot be disclosed to their biological parents without permission.
- Allowable Uses and Disclosures of PHI – It is essential for healthcare employees to be told when PHI can be accessed, used, and disclosed.
- Permitted uses and disclosures – Explain the uses and disclosures permitted by the HIPAA Privacy Rule
- Authorizations– Explain when, and in what format, patient authorizations must be obtained.
- Patient Rights Under HIPAA – The HIPAA Privacy Rule gives patients certain rights. Healthcare employees must understand what those rights are and when they can be exercised.
- Access to medical records – Training should cover a patient’s right to obtain a copy of their healthcare data, check their medical records for errors, have their healthcare data provided electronically,
- Restricting disclosures – Patients have the right to restrict disclosures of their PHI
- Accounting of disclosures – Patient have the right to obtain a copy of the CE’s accounting of disclosures.
- HIPAA and Social Media – HIPAA predates social media so no mention is made in the HIPAA text, but given the potential for social media HIPAA violations it should be specifically covered in training.
- Social media and PHI- Training should include how HIPAA applies to disclosures on social media sites and websites.
- Threats to Privacy
- Cybercrime –Healthcare data is a lucrative target for cybercriminals. Hacking and phishing pose a huge threat to data privacy. Training employees on spotting phishing emails, or employing secure networks across the organization, can help minimize these threats.
- Human error – It is expected that all employees will make mistakes from time to time, but in the healthcare sector this can pose a huge threat to patient privacy. Some reasonable steps can be taken to minimize the threats, such as clear-desk policies having regular security awareness training sessions.
- Penalties for Non-Compliance– For HIPAA to have authority, there must be adequate penalties to act as a deterrent for noncompliance. Ensuring employees have adequate understanding of the potential penalties for HIPAA non-compliance can help prevent breaches.
- Administrative fines – Financial penalties for HIPAA non-compliance can be as high as $1.5 million. This will depend upon the nature of the violation, namely whether or not there was willful neglect, or if the violation could have been avoided.
- Personal fines –If an individual violates HIPAA with malicious intent, they can face a personal fine of up to $250,000.
- Jail sentences –Some HIPAA violations will be severe enough to warrant a jail sentence. Sentences may be up to 10 years.
HIPAA Training: Summary
Training may be seen as a pain by many employees, but it is imperative that training courses are provided and that they are taken seriously. HIPAA training ensures everyone will have a comprehensive understanding of HIPAA legislation, which will reduce the risk of violations.
Providing regular security awareness training sessions will help to reduce the risk of a security breach, avoid costly data breaches, and the subsequent increased scrutiny from OCR and state attorneys general.
Training is a requirement of HIPAA and evidence that training has been provided will need to be provided to regulators in the event of a HIPAA compliance audit or data breach investigation. It is therefore important to ensure that evidence that the workforce has been trained is maintained as proof that the HIPAA training requirements have been met.
How often must HIPAA training be provided?
HIPAA does not state how often training should be provided other than saying it needs to be provided when an employee joins the organization and periodically thereafter. The best practice is to provide refresher HIPAA training and security awareness training at least annually and when functions are affected by a material change in policies or procedures.
What should be included in HIPAA security awareness training?
Security awareness training for healthcare employees should teach cybersecurity best practices, explain the cyber risks to protected health information, and cover the main threats that employees are likely to encounter. Employees must be trained how to identify threats such as phishing emails and how to respond when a potential threat is encountered.
What HIPAA training documentation must I keep?
You must be able to provide evidence that training has been provided to the workforce, so it is essential to keep a training log. The log should detail the employees that have received training, when the training was provided, the type of training received, the content of the course, and the individual who provided the training. The log should be kept with other HIPAA documentation and employee files should be updated confirming training has been provided.
Will the HHS’ Office for Civil Rights issue fines for inadequate HIPAA training?
As of 2020, no fines have been issued solely for HIPAA training failures, but inadequate training has increased the financial penalties imposed in multiple HIPAA compliance investigations. In 2020, two settlements were reached with HIPAA covered entities that included a financial penalty for the lack of HIPAA Privacy Rule and security awareness training.
Do volunteers require HIPAA training?
HIPAA training must be provided to anyone who accesses protected health information, as well as anyone who may encounter PHI. That means virtually all individuals in healthcare will be required to have at least some HIPAA training including volunteers, interns, students, administration and back office staff, hospital porters, physicians, and nurses.