The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. Follow its introduction, HIPAA’s primary function was to address the issue of healthcare coverage for individuals between jobs. Prior to HIPAA, workers that were temporarily without pay could find themselves without healthcare coverage, and therefore potentially unable to access important medical treatment. HIPAA introduced new protections for people in this situation, and still maintains this function to this day.
However, HIPAA is now better know for revolutionising the landscape of data protection in the United States. Before HIPAA, there were no industry-wide standards or best practices for ensuring that the security of sensitive information was guaranteed. Healthcare organisations and professionals in the industry were left to determine the best methods of safeguarding private healthcare information of individuals. Data privacy laws varied from state to state. This lack of consensus put patients at risk of having their data stolen, and made the industry as a whole more vulnerable to breaches caused by cyberattacks.
Upon the introduction of HIPAA, industry-wide standards were implemented with the aim to improve efficiency, security, and patient experiences in the healthcare industry. Due to the high black-market value of healthcare information, criminals often target healthcare organisations to access this sensitive data and use it for malicious purposes and personal financial gain. Fraud has devastating consequences for the victims, who may spend years and thousands of dollars in legal fees trying to reclaim their identities. By introducing strict requirements regarding the safeguarding of protected healthcare information (PHI), HIPAA helps to create a more robust data security framework within healthcare organisations in the United States.
HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The fines for violating HIPAA’s Rules are substantial. In some instances, criminal charges may also apply, depending on the severity of the case. To avoid the financial costs and repetitional damages associated with a HIPAA violation, it is essential that healthcare organisations take all the necessary steps to ensure that they are fully compliant with the Act.
One of the most important aspects of ensuring that an organisation is HIPAA-compliant is by implementing a rigorous and robust training program for all employees. Many data breaches occur due to employee negligence, such as leaving a laptop in a location in which it can be easily stolen or failing to lock important files in a secure drawer. Ignorance about basic IT safety practices may result in employees accidentally falling for phishing emails, which may result millions of files being stolen by a hacker.
Employees must understand their responsibilities under HIPAA. This article will provide some guidance on how to ensure employees are familiar with HIPAA’s strict data security requirements and how they can fulfil their obligations to protect PHI. The HIPAA Privacy Rule states that training should be given “as necessary and appropriate for members of the workforce to carry out their functions”, while the HIPAA Security Rule has a similarly vague statement remarking that covered entities and their business associates should “implement a security awareness and training program for all members of the workforce”.
HIPAA is a complex piece of legislation, and it is essential that employees have a firm grasp of the fundamentals so that they have a basic understanding of the rules and understand HIPAA’s importance and wider consequences.
One of the first issues to address when considering HIPAA compliance is what types groups are liable to comply with HIPAA. If an individuals and organisations is subject to HIPAA compliance, they are known as a “Covered Entity”, or CE. CEs are defined in the HIPAA rules as 1) health plans, 2) health care clearinghouses, and 3) health care providers who electronically transmit any health information in connection with transactions for which the US Department of Health and Human Services has adopted standards.
Organisations which conduct certain functions on behalf of a CE is known as a “business associate”, or BA. BAs are subject to HIPAA compliance if the activity they perform on behalf of the CE requires the use or disclosure of individually identifiable health information. This may include providing data analysis, legal, accounting, consulting, management, or financial services.
Before a CE enters a business partnership with a BA, the CE must obtain assurance in the form of a Business Associate Agreement (BAA) that the BA will follow the HIPAA Rules and ensure that the appropriate safeguards are in place to maintain the integrity of the protected health information.
It is also worth defining what precisely is meant by PHI. There are eighteen “HIPAA Identifiers” that can be used to identity, contact or locate an individual, or be used with other sources to identify an individual; these identifiers are collectively known as PHI. These are listed below.
|Names||Social Security Numbers||Device Identifying Numbers|
|Addresses||Medical Record Numbers||Web URLs|
|Dates||Health Plan Numbers||IP Addresses|
|Phone Numbers||Account Numbers||Biometric Identifiers|
|Fax Numbers||Certificate/License Numbers||Photographic Images|
|Email Addresses||Vehicle Identifying Numbers||Any Other Unique Characteristic|
A thorough explanation of HIPAA’s Rules should be central to any employee training course. The Rules address specific security requirements, such as the safeguards that should be implemented or response frameworks that should be in place if a data breach were to occur.
If employees are to respond well to a training course, only the most vital information should be presented to them. In HIPAA’s text, the Rules are worded vaguely, such that they are not tied to any specific technology (such as encryption) which may become outdated. It is recommended that instead of using such vague terminology, you present how to Rules are being applied in your organisation, and how they affect the employees. For example, instead of listing what HIPAA’s Security Rules requirements for adequate physical safeguards, inform your employees of the specific safeguards being used, such as locked desk drawers or filing cabinets.
Employees fulfilling particular tasks in an organisation may require specific training giving a more in-depth look at HIPAA’s Rules such that they are familiar with all aspects of the legislation that pertain to their role.
In order to protect sensitive information, employees should be made aware of what threatens it. The healthcare industry is increasingly becoming a target for cybercriminals, who then sell the data on the black market. One of the most common ways hackers access data is through targeted phishing campaigns. Many of the largest data breaches in recent years are the result of phishing attacks, with millions of people being affected in some instances.
Classic phishing attacks involve sending mass emails to as many people as possible, and hoping that even a small proportion of them fall for the attack. Therefore, even if only one employee in an organisation unwittingly hands over their login information or downloads a file riddled with software, the whole network is compromised. Many IT security courses run by healthcare organisations train employees in the basic elements of recognising a phishing attack, but as technology becomes more advances, so too do the techniques that cybercriminals use. Therefore, frequent, regular training reminding people of good IT security practices while also updating their knowledge on what such attacks look like is vital in ensuring that PHI is not compromised.
Another potential threat to data security is the theft or loss of mobile device. Mobiles, tablets, and laptops are ubiquitous, and many people use them for work. This means that they may contain a huge amount of PHI. Should the device be stolen, and only protected by a weak password, it is highly likely that the information would be accessed by unauthorised individuals.
Although many organisations recommend the use of “strong” passwords, data security experts point out that, with the right software, hackers can still guess the passwords within minutes. Two-factor authentication is instead being purported as the best practice for security mobile devices. Upon each login attempt, users are provided with a one-time generated passcode that only they can use. This may be sent to a phone number or email address. This added layer of security ensures that only those authorised to access the device can do so. Instructing employees on the importance of mobile device security will go a long way in ensuring that breaches of sensitive data are avoided.
We have outlined some of the most critical aspects of HIPAA that any employee training course should cover. All employees at an organisation which handles the sensitive healthcare information of patients should be familiar with at least the basic requirements of data security outlined in HIPAA. Certain employees may require further training due to their roles in the organisation or how they interact with patient data.
It is recommended that training is held regularly, in short sessions. Employees should be engaged during the training course, and tested on their understanding of their responsibilities under HIPAA. Certain aspects of HIPAA, such as the Security Rule, are more applicable in a day-to-day setting, and employees should be served regular reminders on issues such as IT best practices and the dangers of cyberattacks.
It is important to keep a record of training sessions, such as who attended, what the session covered, and how regularly they occur. As employee training is a HIPAA requirement, auditors may need to see records of the training sessions.
Finally, it is easy to understate the importance of employee training. It is essential that an organisation has a well-trained staff to protect such sensitive data. Should a data breach occur, and investigators discover that it was the result of inadequate training, hefty fines would be incur, and the organisation face severe reputational damage. Although employee training may be costly in the short term, the benefits are worth the effort.
Copyright © 2019 ComplianceHome