The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. Following its introduction, HIPAA’s primary function was to address the issue of healthcare coverage for individuals between jobs. Prior to HIPAA, workers who were temporarily without pay could find themselves without healthcare coverage, and therefore potentially unable to access important medical treatment. HIPAA introduced new protections for people in this situation, and it still serves this function today.
However, HIPAA is now better known for revolutionizing the landscape of data protection in the United States. Before HIPAA, there were no industry-wide standards or best practices for ensuring that the security of sensitive information was guaranteed. Healthcare organizations and professionals in the industry were left to determine the best methods of safeguarding private healthcare information of individuals. Data privacy laws varied from state to state and the lack of uniformity put patients at risk of having their data stolen and made the industry as a whole more vulnerable to data breaches caused by cyberattacks.
Upon the introduction of HIPAA, industry-wide standards were implemented with the aim of improving efficiency, security, and patient experiences in the healthcare industry. Due to the high black-market value of healthcare information, criminals often target healthcare organizations to access this sensitive data and use it for malicious purposes and personal financial gain. Fraud has devastating consequences for the victims, who may spend years and thousands of dollars in legal fees trying to reclaim their identities. By introducing strict requirements regarding the safeguarding of protected health information (PHI), HIPAA helps to create a more robust data security framework within healthcare organizations in the United States.
HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The fines for violating HIPAA’s Rules are substantial. In some instances, criminal charges may also apply, depending on the severity of the case. To avoid the financial costs and reputational damages associated with a HIPAA violation, it is essential that healthcare organizations take all the necessary steps to ensure that they are fully compliant with the Act.
One of the most important aspects of ensuring that an organization is HIPAA-compliant is implementing a rigorous and robust training program for all employees. Many data breaches occur due to employee negligence, such as leaving a laptop in a location in which it can be easily stolen or failing to lock important files in a secure drawer. Ignorance about basic IT safety practices may result in employees accidentally falling for phishing emails, and phishing attacks often end with significant data theft.
Employees must understand their responsibilities under HIPAA. This article will provide some guidance on how to ensure employees are familiar with HIPAA’s strict data security requirements and how they can fulfil their obligations to protect PHI.
The HIPAA Privacy Rule states that training should be given “as necessary and appropriate for members of the workforce to carry out their functions”, while the HIPAA Security Rule is also light on detail, stating that covered entities and their business associates should “implement a security awareness and training program for all members of the workforce”. Aside from calling for training to be provided when employees’ “functions are affected by a material change in policies or procedures,” there is no other mention of training.
HIPAA is a complex piece of legislation, and it is essential that employees have a firm grasp of the fundamentals so that they have a basic understanding of the rules and understand HIPAA’s importance and wider consequences.
One of the first issues to address when considering HIPAA compliance is which groups are required to comply with HIPAA. An individual or organization that is subject to HIPAA is known as a “Covered Entity”, or CE. CEs are defined in the HIPAA rules as 1) health plans, 2) healthcare clearinghouses, and 3) healthcare providers who electronically transmit any health information in connection with transactions for which the US Department of Health and Human Services has adopted standards.
Organizations which conduct certain functions on behalf of a CE are known as a “business associate”, or BA. BAs are subject to HIPAA compliance if the activity they perform on behalf of the CE requires the use or disclosure of individually identifiable health information. This may include providing data analysis, legal, accounting, consulting, management, or financial services.
Before a CE enters a business partnership with a BA, the CE must obtain assurance in the form of a Business Associate Agreement (BAA) that the BA will follow the HIPAA Rules and ensure that the appropriate safeguards are in place to maintain the confidentiality and integrity of the protected health information.
It is also worth defining what precisely is meant by PHI. There are eighteen “HIPAA Identifiers” that can be used to identify, contact, or locate an individual, or be used with other sources to identify an individual; health information containing any of these identifiers is PHI. The eighteen identifiers are:
1. Names
2. Addresses
3. Dates
4. Phone Numbers
5. Fax Numbers
6. Email Addresses
7. Social Security Numbers
8. Medical Record Numbers
9. Health Plan Numbers
10. Account Numbers
11. Certificate/License Numbers
12. Vehicle Identifying Numbers
13. Device Identifying Numbers
14. Web URLs
15. IP Addresses
16. Biometric Identifiers
17. Photographic Images
18. Any Other Unique Characteristic
A thorough explanation of HIPAA’s Rules should be central to any employee training course. The Rules address specific security requirements, such as the safeguards that should be implemented or response frameworks that should be in place if a data breach were to occur.
Privacy Rule – defines PHI and informs CEs and BAs of their responsibilities to protect patient data. The Minimum Necessary Rule is also part of the Privacy Rule and stipulates that should PHI be handed over to a third party, only the minimum amount of data necessary to complete the specific task should be handed over.
Security Rule – outlines the minimum physical, technical, and administrative safeguards needed to protect electronic PHI.
Breach Notification Rule – outlines procedures that must be followed in the aftermath of a breach to ensure that the risk of damage to patients is minimal. Employees must be informed of how and when to notify the OCR and the media.
Enforcement Rule – contains guidance on the fines and penalties that may be levied against a CE should a data breach occur. (OCR and Department of Health and Human Services can alter punishments at their discretion.)
Omnibus Rule – covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements of PHI.
Patient rights are an important aspect of the HIPAA Rules and the HHS’ Office for Civil Rights has been cracking down on noncompliance. It is important for employees to be made aware of patient rights under HIPAA to prevent noncompliance and HIPAA fines. When patient rights are violated and complaints are filed with OCR, they are investigated.
Ensure employees know about the right of patients to obtain and inspect their medical records and the time frame for responding. Patients are permitted to have errors in their records corrected. They can request restrictions on disclosures of their PHI, must be notified about the organization’s privacy practices, and can request an accounting of disclosures.
The HIPAA Privacy Rule restricts uses and disclosures of PHI to certain healthcare functions – treatment, payment, and healthcare operations. Other uses and disclosures of PHI are only permitted if prior authorization is obtained.
Healthcare employees must be aware of the allowable uses and disclosures and when they must obtain authorizations. This is one of the most important elements to include in HIPAA training.
It is important to explain the importance of compliance with the HIPAA Rules to protect patient privacy and ensure the confidentiality, integrity, and availability of PHI at all times. It is also important to explain the consequences of HIPAA violations to the organization, the workforce, and individual employees.
The HIPAA sanctions policy must be clearly explained, so employees are aware how deliberate and accidental HIPAA violations will affect them.
In order to protect sensitive information, employees should be made aware of what threatens it. The healthcare industry is a major target for cybercriminals, who then sell the data on the black market. One of the most common ways hackers access data is through targeted phishing campaigns. Many of the largest data breaches in recent years are the result of phishing attacks, with millions of people being affected in some instances.
Classic phishing attacks involve sending mass emails to as many people as possible and hoping that a small proportion of them fall for the attack. Therefore, even if only one employee in an organization unwittingly hands over their login information or downloads a file containing malware, the attacker may gain access to the entire network.
Many IT security courses run by healthcare organizations train employees in the basic elements of recognizing a phishing attack, but as technology becomes more advanced, so too do the techniques that cybercriminals use. Therefore, frequent, regular training reminding people of good IT security practices while also updating their knowledge on what such attacks look like is vital in ensuring that PHI is not compromised. Security awareness training, including teaching employees how to identify phishing emails, is a requirement of the Security Rule, according to recent guidance from the HHS’ Office for Civil Rights.
Another potential threat to PHI is the theft or loss of mobile devices. Mobile phones, tablets, and laptops are ubiquitous, and many people use them for work. This means that they may contain a huge amount of PHI. Should a device be stolen while protected only by a weak password, it is highly likely that the information could be accessed by unauthorized individuals.
Although many organizations recommend the use of “strong” passwords, data security experts point out that, with the right software, hackers can still guess the passwords within minutes. Two-factor authentication is now considered to be an important security measure. Upon each login attempt, users are provided with a one-time generated passcode that only they can use. This may be sent to a phone number or email address. This added layer of security ensures that only those authorized to access the device can do so. Instructing employees on the importance of mobile device security will go a long way in ensuring that breaches of sensitive data are avoided.
If employees are to respond well to a training course, only the most vital information should be presented to them. In HIPAA’s text, the Rules are worded vaguely, such that they are not tied to any specific technology (such as encryption) which may become outdated.
It is recommended that instead of using such vague terminology, you present how the Rules are being applied in your organization, and how they affect the employees. For example, instead of listing the Security Rule’s requirements for adequate physical safeguards, inform your employees of the specific safeguards being used, such as locked desk drawers or filing cabinets, and the electronic safeguards such as passwords, logging off from systems, and two-factor authentication.
Employees fulfilling particular tasks in an organization may require specific training that gives a more in-depth look at HIPAA’s Rules such that they are familiar with all aspects of the legislation that pertain to their role.
HIPAA awareness training is concerned with making employees aware of how HIPAA applies to day-to-day tasks and working practices, and ensuring employees are provided with the knowledge they need to work in a HIPAA-compliant way and avoid the many common employee HIPAA violations. HIPAA awareness training must be provided to all employees who work with patients and/or require access to PHI in all its forms: written, verbal, and electronic.
HIPAA awareness training should ideally be provided during onboarding, before an employee commences their duties, although this may not always be possible. To be compliant, training should be provided within days, or within the first month at the latest. HIPAA training is not a one-time event. Both the HIPAA Privacy and Security Rules require HIPAA refresher training to be provided periodically. The frequency with which these refresher HIPAA training sessions are provided is left to the discretion of each CE and BA, but the best practice is to provide these sessions at least annually and whenever risk assessments suggest they are needed.
In addition to refresher HIPAA training, security awareness training sessions must be provided periodically. These training sessions will help to ensure that employees are kept up to date on the latest threats to patient privacy and data security. These sessions will help employees recognize threats and act appropriately, thus helping to prevent data breaches. Recently, the HHS’ Office for Civil Rights fined a covered entity for failing to implement a security awareness training program prior to experiencing a data breach.
We have outlined some of the most critical aspects of HIPAA that any employee training course should cover. All employees at an organization which handles the sensitive healthcare information of patients should be familiar with at least the basic requirements of data security outlined in HIPAA. Certain employees may require further training due to their roles in the organization or how they interact with patient data.
It is recommended that training is held regularly, in short sessions. Employees should be engaged during the training course and tested on their understanding of their responsibilities under HIPAA. Certain aspects of HIPAA, such as the Security Rule, are more applicable in a day-to-day setting, and employees should be served regular reminders on issues such as IT best practices and the dangers of cyberattacks.
It is important to keep a record of training sessions, such as who attended, what the session covered, and how regularly they occur. As employee training is a HIPAA requirement, auditors may need to see records of the training sessions.
Finally, do not underestimate the importance of employee training. It is essential that an organization has a well-trained workforce to protect such sensitive data. Should a data breach occur, and investigators discover that it was the result of inadequate training, hefty fines would be incurred, and the organization is likely to suffer severe reputational damage. Although employee training may be costly in the short term, the benefits are worth the effort.
HIPAA training must be provided to all members of the workforce who may come into contact with PHI, so they know how to protect it. That includes everyone from the C-suite down. Even cleaners may encounter PHI on physical documents, so they too will need to receive training.
There is no requirement to provide classroom-based training sessions. Computer-based training courses are the easiest to administer and are usually well received by employees. Whether you develop your own course or use a third-party training course, make sure it is modular. Short modules are best, as they are easier for employees to fit into their busy workflows.
In the event of an audit or compliance investigation, OCR will need to be provided with evidence to show training has been provided to employees, the frequency of training sessions, and what the training covered. You must maintain a training log and store it with your HIPAA documentation. You should also keep a record of training in each employee file.
The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance in recent years and imposed two financial penalties on healthcare providers in 2020 for training failures. OCR settled one case for $1.5 million to resolve HIPAA violations including a lack of Privacy Rule training and a small healthcare provider was fined $25,000 for violations including the failure to provide security awareness training to employees.
HIPAA refresher training sessions should be provided every two years at a minimum, although it is a recognized best practice to provide refresher HIPAA training annually. Two years is a long time. It would be easy for some HIPAA requirements to be forgotten by employees.
Copyright © 2021 ComplianceHome