Despite its importance, the training guidelines outlined by HIPAA are vague. This can lead to a lot of confusion, as it leaves a lot of responsibility on the CE or BA regarding how training is to be conducted, what is to be covered in training sessions and who should be involved in the courses. Training is, however, mandatory: the HIPAA Privacy Rule stipulates it as part of its Administrative Requirements, whilst the HIPAA Security Rule lists it as an Administrative Safeguard. Yet in both cases the wording is unspecific: training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule), and CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).
The broad wording is, in part, intended to accommodate changes in privacy technology. For example, if HIPAA specified that all employees should be trained on password protection, and a new, better technology came along, HIPAA would need to be updated regularly. This is neither efficient nor economical, so it is better to have some in-built flexibility. Additionally, the training requirements of each BA and CE are different. Thus, it is impossible to have a one-size-fits-all training course.
The Office for Civil Rights (OCR), which oversees HIPAA enforcement, places a huge emphasis on HIPAA training. If they conduct a HIPAA compliance audit and find no training scheme is in place, they may order corrective action or even issue fines. To avoid such fines, and other associated HIPAA penalties, it is best to have an employee-wide training course.
Objectives of HIPAA Training
The uncertainty surrounding the wording of these stipulations undoubtedly complicates HIPAA compliance. Nevertheless, if HIPAA is violated and subsequent investigations determine it was at least in part due to a lack of training, the covered entity (CE) or business associate (BA) would be deemed negligent. Thus, they could be fined by the Office for Civil Rights (OCR).
To help ensure HIPAA compliance, CEs and BAs must rely on adequate risk assessments. These lay out the responsibilities and functions of each party that may come into contact with a patient’s Protected Health Information (PHI). After a risk assessment, the organisation should then establish a security awareness and training program for its employees.
From there, the content of each training program will depend on the nature of the organisation’s relationship with the PHI. Training may need to be conducted over a number of sessions to ensure its continued relevance. This is particularly important in light of new technological developments.
The organisation may also be required to run multiple sessions for different employee roles. Though this may be off-putting for the company involved, as it is undoubtedly costly and time-consuming, it is of critical importance. Too much information thrown at employees in a short time span will not only overwhelm them, but is likely to compromise on detail.
Advice on HIPAA Compliance Training
Though there are no official HIPAA training guidelines, here we offer advice on how best to train employees. These are not hard-and-fast rules, and may be inappropriate in some situations, but do offer managers a good guide on how to compile a HIPAA training course.
Do include all employees. Senior staff may consider it a waste of time to undergo such training, either due to experience or lack of contact with PHI. However, it is important that they are involved in training, as their participation may encourage others to take it seriously.
Do emphasise the consequences of a HIPAA violation. Not only does this include fines for the organisation, but it is also likely to have further consequences for those who caused the breach and their colleagues. Most importantly, there are likely to be consequences for the patient whose PHI was violated.
Do have short, regular training sessions. This will keep employees engaged, leaving them more likely to retain the information. These will occur in addition to the annual refresher sessions required by the Department of Health and Human Services.
Don’t include a lecture, however brief, about the history of HIPAA, its legal context, a timeline of its amendments etc. This is likely to cause the trainees to lose focus. Instead, emphasise their roles in protecting a patient’s PHI.
Don’t read long passages of text from the HIPAA guidelines. Not only is it a waste of time, as employees could do this themselves, but it is not engaging.
Don’t forget to make a record of the training session and its attendees. This is necessary should a breach occur, as it shows that the organisation was following guidelines.
Sample Training Curriculum
- Introduction to HIPAA – This should include a brief overview of HIPAA legislation, as well as detail the main aspects of the act. This should not, however, include a long introduction to the history of HIPAA.
- Why is HIPAA needed? – There is no harm in reminding employees of why acts such as HIPAA are required. Try to include case studies of recent incidents where HIPAA was breached and the consequences of the breach.
- HIPAA terminology – As a piece of legal documentation, the terms used in HIPAA can be very confusing for ordinary employees. Providing a “dictionary” of common terms (e.g. “covered entity”) will be helpful, especially at the beginning of the training course.
- When does HIPAA apply? – HIPAA applies to any organisation that holds healthcare records, ranging from hospitals to healthcare clearinghouses.
- Covered Entities – A Covered Entity (CE) is any organisation that creates, accesses, transfers and stores PHI. It is essential that they are HIPAA compliant, and non-compliance can result in severe penalties.
- Examples of CEs – Under HIPAA, any hospital, medical practitioner, healthcare clearinghouse or billing company is considered to be a CE, as they have access to PHI.
- Are employers CEs? – Employers are not usually considered to be CEs, though they often hold healthcare records for their employees. However, if employers engage in certain schemes, such as the Employee Assistance Program, they are “hybrid entities” and must be HIPAA-compliant.
- Business Associates – A Business Associate is any organisation or individual contracted by the CE to perform a service. Business Associates may, in turn, hire other Business Associates. Recent changes to HIPAA mean BAs must also be HIPAA-compliant, and thus any BA must train its employees in HIPAA legislation.
- Types of BA – BAs essentially include any external body hired by the CE to perform a service that puts them in contact with PHI. This can range from management consulting to accounting.
- Business Associate Agreement – Before hiring a BA, the CE must ensure that the BA signs a Business Associate Agreement. This ensures that BAs remain HIPAA compliant and also employ the necessary safeguards to protect PHI.
- What is PHI? – Under the HIPAA Privacy Rule, certain classes of information are deemed to be “protected” and must remain confidential. They must be protected by measures such as encryption and cannot be accessed by unauthorised personnel. All employees should be trained on identifying PHI so they can treat it accordingly.
- Examples of PHI – PHI may include an individual’s name (including previous names), their past medical record, their credit card details, and their social security number. Accessing any one of these pieces of information leaves the patient vulnerable, but combining them with each other or other details such as ZIP code is incredibly dangerous.
- HIPAA Rules – Since 1996 – when HIPAA first came into effect – many aspects of the legislation have been amended. This includes the addition of many “rules” that address specific aspects of data privacy.
- Privacy Rule – defines PHI and instructs CEs on how to protect data. It also gives patients the right to withhold private health care information from health insurers. It includes the Minimum Necessary Rule, which stipulates that only the minimum amount of information required to complete a task may be passed on to another authorised employee.
- Security Rule – addresses electronic PHI (ePHI). It outlines the administrative, physical and technical safeguards needed to protect health data.
- Enforcement Rule – introduced a number of penalties to ensure that HIPAA is followed. It outlines the penalties for non-compliance, and gives the Department of Health and Human Services the ability to prosecute for HIPAA violations.
- Breach Notification Rule – gives a CE or BA 30 days after the discovery of a breach to notify the OCR. Additionally, if over 500 patients are affected, the CE must contact the media.
- Omnibus Rule – addresses a wide range of areas. For example, it stipulates that any PHI leaving the BA or CE’s firewall must be encrypted. It also allows patient records to be held indefinitely.
- HIPAA Password Policies
- Changing passwords – As passwords are an “addressable requirement” under HIPAA, HIPAA does not specify how often they should be changed. Experts don’t agree on the frequency of change either. We recommend that they are changed frequently, but not so frequently that they are likely to be forgotten and thus written down.
- Password strength – Passwords should contain a good mixture of upper- and lower-case letters, as well as numbers and special characters where permitted. Longer passwords are always better. Using unusual characters to spell out a word, or a mix of languages, is also recommended.
- Two-factor authentication – HIPAA stipulates that if an alternative method of protection can be found that offers the same level of protection as passwords, it may be used in place of passwords. Two-factor authentication is a good, safe alternative, generating unique passcodes for each login attempt. Thus, even if someone obtains the original login credentials, they may not have access to the device to which the passcode is sent.
- HITECH – The Health Information Technology for Economic and Clinical Health Act was introduced to help the healthcare sector adapt to the modern age.
- Meaningful use – Under HITECH, those holding electronic health records (EHR) must show that there is legitimate purpose for holding onto healthcare records. Initially optional, it is now mandatory for all healthcare providers.
- HITECH and HIPAA – Though separate from HIPAA, HITECH is closely related to the act and reinforces it. Whilst HIPAA focusses on all aspects of privacy, HITECH has a special focus on digital health records.
- Exceptions to HIPAA Privacy – Children and Minors
- Cases of abuse – Medics are often on the front line when dealing with child abuse cases. If a CE has reasonable grounds to suspect such a case, the CE can choose not to disclose the patient’s health information to the legal guardian. They may also inform the police or Child Services without violating HIPAA.
- Independent minors – If a minor has emancipated him/herself from their legal guardian, they must be treated as a legal adult and their PHI cannot be disclosed to their biological parents without permission.
- Threats to Privacy
- Cybercrime – Healthcare data is a lucrative target for cybercriminals as it reaches high prices on the black market. Thus, hacking and phishing pose a huge threat to data privacy. Training employees on spotting phishing emails, or employing secure networks across the organisation, can help minimise these threats.
- Human error – It is expected that all employees will make mistakes from time to time, but in the healthcare sector this can pose a huge threat to patient privacy. Some reasonable steps can be taken to minimise the threats, such as clear-desk policies and regular updates on HIPAA legislation.
- Penalties for Non-Compliance – For HIPAA to have authority, there must be adequate penalties to act as a deterrent. Ensuring employees have adequate understanding of the potential penalties for HIPAA non-compliance can help prevent breaches.
- Administrative fines – Financial penalties for HIPAA non-compliance can range from $50,000 to $2.5 million per occurrence. This will depend upon the nature of the violation, namely whether or not there was wilful neglect or the violation could have been avoided.
- Personal fines – If an individual acted with malicious intent, they can face a personal fine of up to $250,000.
- Jail sentences – Some HIPAA violations will be severe enough to warrant a jail sentence. These sentences may be up to 10 years.
HIPAA Training: Summary
Training may be seen as an unnecessary hassle by many employees, but it is imperative that all take part. This is to ensure comprehensive understanding of HIPAA legislation across the organisation, which in turn can help reduce the risk of violations. Additionally, training is an “addressable” requirement, meaning some form of training must occur. It is important as well that all employers keep a record of training activities to supply to the OCR if an audit is conducted.