The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. HIPAA’s initial objective was to address the issue of healthcare coverage for individuals between jobs. Prior to HIPAA, workers that were temporarily out of work could find themselves without healthcare coverage. HIPAA introduced new protections for people in this situation, and still maintains this function to this day.
However, HIPAA is better known for introducing a “federal floor of privacy protections for individuals´ individually identifiable health information” and for standardizing how Covered Entities use, store, disclose, and share Protected Health Information (PHI). By introducing strict requirements for safeguarding PHI, HIPAA contributed towards a more robust data security framework for health plans, health care clearinghouses, and health care providers.
For a Covered Entity to be HIPAA-compliant, it is essential all members of the workforce are trained on the Covered Entities policies and procedures for safeguarding PHI. The training should be tailored “as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”, and must be provided within a reasonable period of time after a new employee, joins the Covered Entities workforce (see 45 CFR § 164.530).
Further HIPAA training must also be provided whenever a material change in the Covered Entity´s policies and procedures affect an employee´s role. If the material change only affects a small group of the workforce, only those who the material affects need to undergo HIPAA training. However, if the material change affects all the workforce (i.e., there is a change in breach notification procedures), all employees will have to undergo refresher training.
While the above section of HIPAA applies only to Covered Entities, the Security Rule Administrative Safeguards (45 CFR § 164.308) apply to both Covered Entities and Business Associates. This standard requires Covered Entities and Business Associates to develop a security and awareness training program for their entire workforces to ensure compliance with policies and procedures relating to the safeguarding of electronic Protected Health Information (ePHI).
Although there is no training-related requirement for Covered Entities and Business Associates to provide refresher security and awareness training, both types of organizations are required to conduct frequent risk assessments. If a risk assessment identifies a need for further training, The Covered Entity or Business Associate is required to provide further training or document why training was not provided.
The definition of the term “members of the workforce” goes beyond public-facing medical employees or health plan administrators to include students, volunteers, contractors, and senior management who might never encounter PHI/ePHI in their day-to-day functions. Nonetheless, all members of the workforce are required to undergo HIPAA training for Covered Entities and Business Associates to be HIPAA compliant.
However, not every member of the workforce will need the same level of training to carry out their functions in compliance with HIPAA. For example, a hospital environmental services technician will need to understand what HIPAA is and how to report unauthorized disclosures of PHI, but they will not need a comprehensive understanding of (for example) patients´ rights, the HITECH Act, or the consequences of violating HIPAA beyond their employer´s Sanctions Policy.
Consequently, the best way to overcome dissimilar training requirements is via modules. Individual modules can be prepared to align with the organization´s HIPAA policies and procedures, and those which are relevant to different groups of the workforce can be presented as “necessary and appropriate” for member of the workforce to carry out their functions. This option is far more effective than providing too much information to staff who will never need it.
With this in mind, we have compiled three series of sample HIPAA training modules. The first – Basic HIPAA Modules – should be used to provide members of the workforce with a grounding in HIPAA. The second – Advanced HIPAA Modules – should be used to build on the basic training; and the third – “HIPAA Training for Students” – contains modules from both the Basic and the Advanced curricula along with student-specific modules.
The Basic HIPAA modules contain elements of HIPAA that will be mutual to many functions. Geared towards Covered Entities´ training obligations under the Privacy Rule, these modules might be used for introducing new employees to HIPAA – provided they are complemented with function-specific advanced modules – or as the basis for refresher training when material changes occur.
The best way to introduce a HIPAA training course is to provide an overview of HIPAA, what it is, who the rules apply to, and why it is important employees comply with policies and procedures designed to safeguard PHI/ePHI from impermissible uses and disclosures.
When HIPAA is first introduced to new employees, its language can be confusing to trainees with no experience of US legislation. Therefore, it can be beneficial to explain the terminology that will be used during HIPAA training – especially what constitutes PHI/ePHI.
A knowledge of the HITECH Act will not be essential for employees to perform their day-to-day functions but understanding how the Meaningful Use and Promoting Interoperability programs evolved may help employees better understand policies based on Security Rule standards.
Depending on the content of other modules, this is a good place to explain the Enforcement Rule and Breach Notification Rule. Ideally the three other main HIPAA rules – the Privacy Rule, the Omnibus Final Rule, and the Security Rule – should each have their own modules.
It is essential all members of the workforce – regardless of their function – have a basic understanding of the Privacy Rule and concepts such as the Minimum Necessary Standard, patients´ rights, and seeking consent before disclosing PHI to third parties.
A module relating to the Omnibus Final Rule is important for Covered Entities to include as the Omnibus Final Rule enacted provisions of the HITECH Act to enhance existing security protections. The Rule also made Business Associates directly liable for violations of HIPAA.
Although policies developed around the Security Rule may only apply to employees with access to ePHI, all employees should be given a foundation in Security Rule basics so they better understand mechanisms implemented to comply with the physical, administrative, and technical safeguards.
Although patients´ rights may have already been covered in the Privacy Rule module, public-facing employees will require a deeper knowledge of what patients can request and how long Covered Entities and (potentially) Business Associates have to comply with access and correction requests.
A module relating to the disclosure rules will support the Privacy Rule model by providing further information about when it is okay to disclose PHI and when patient consent is required before disclosing PHI to families, friends, and other third parties.
The consequences of HIPAA violations not only impact Covered Entities, Business Associates, and patients, but can also impact employees responsible for negligently or deliberately violating their employer´s HIPAA policies. Therefore, this module should expand on the HIPAA sanctions policy.
In addition to training employees to be HIPAA-compliant, it can benefit Covered Entities and Business Associates to train staff on identifying and reporting potential threats to PHI that may result in a HIPAA violation and – importantly – on reporting HIPAA violations as soon as they occur.
This module could either be used as a summary of basic HIPAA training or as a refresher module following a material change in policies and procedures. Ideally it should contain best practices for HIPAA compliance, plus a list of do´s and don´ts tailored to the groups´ functions.
While the basic HIPAA modules provide employees with a grounding in HIPAA, more advanced modules can help employees apply what they have learned in the basic modules to real-life situations. These modules are particularly relevant for employees with access to ePHI as many of them relate to Security Rule policies.
Providing a timeline of HIPAA can reinforce the concept that HIPAA is constantly evolving to meet new challenges. This can prepare employees for subsequent “material change” refresher sessions, or for retraining when their roles and functions change.
This module should include both physical and online threats to patient data. So, in addition to warning employees about disclosing ePHI online, they should be alerted to safeguarding paper copies of PHI, positioning workstations out of public view, and ensuring mobile devices are secured.
Regardless of the HIPAA Rules, most Covered Entities and Business Associates will have policies relating to computer safety – not just the physical safety of workstations, but also the allowable uses of workstations for personal use to prevent viruses and malware.
All employees need to be aware it is a breach of the HIPAA Privacy Rule to share any information about a patient on social media. Even unintentional disclosures can result in sanctions for non-compliance, while patients can bring a private course of action against the individual responsible.
In emergency situations, the Office for Civil Rights has the discretion to waive certain elements of HIPAA to support the flow of health information. This module should cover typical scenarios in which the HIPAA rules may be relaxed and how employees will be informed about any changes.
All Covered Entities and Business Associates are required to appoint a HIPAA Officer who is responsible for developing HIPAA policies and procedures. This module is a good opportunity for employees to meet the HIPAA Officer who will be the point of contact for questions and reports.
A good way to determine how much information has been absorbed during HIPAA training is to conclude each session with a HIPAA compliance checklist. Each checklist should be tailored to the subjects being taught during training in the context of trainees´ roles.
As mentioned in the HIPAA Timeline module, HIPAA is constantly evolving and any update to the regulations is likely to impact policies and procedures. While this may not result in a material change for all members of the workforce, it is still advisable to include this module in all refresher training.
HB300 extends the definition of a Covered Entity for organizations that create, use, maintain, or transmit the health information of a Texas resident – regardless of where the organization is located. Consequently, training on the Texas Medical Records Privacy Act may apply outside of Texas.
Although cybercriminals seek to extract healthcare data when launching phishing and malware attacks, the personal data of healthcare employees can also be at risk. Making healthcare employees aware of cybersecurity dangers for their personal data can change the way they think about ePHI.
With the previous module in mind, a further module about how to protect ePHI from cyber threats is likely be more effective if employees can relate the online best practices provided in this module with the cybersecurity dangers mentioned in the previous module.
Healthcare students are most often supervised when they first perform practical roles. Nonetheless, it is important they are aware about HIPAA and not discussing patients, conditions, or treatments unless it is relevant to their medical training. Furthermore, the Department of Health and Human Services regards students as members of a Covered Entity´s workforce, so it is a requirement of HIPAA they undergo training within a reasonable period of time from when they start studying.
With this is mind, an ongoing HIPAA training course for healthcare students will likely consist of a selection of modules from each of the basic and advanced modules suggested above. In addition, Covered Entities may choose to add further modules that are relevant to ways in which students will more likely access, use, and disclose PHI/ePHI. Suggestions for these further modules are below.
Although students will be supervised when they first access ePHI, the risk exists they could repeat information they have seen verbally or via social media. Students need to be aware that any unauthorized disclosure of ePHI – regardless of how ePHI is accessed – is a violation of HIPAA.
It is also a violation of HIPAA to reproduce any ePHI that has been accessed in medical training in reports, projects, and presentations unless the student has obtained the express written consent of the subject of the ePHI, or the ePHI has been deidentified.
It is just as important that students adhere to HIPAA policies and procedures as it is healthcare professionals do. Therefore, this module should contain best practices for HIPAA compliance from a student´s perspective and a role-relevant list of do´s and don´ts tailored for students.
HIPAA Privacy Officers are responsible for providing privacy training to Covered Entities´ workforces, while HIPAA Security Officers are responsible for providing security awareness training to the workforces of Covered Entities and Business Associates. Ideally. HIPAA Officers should work together to compile training courses that cover all aspects of HIPAA to prevent “double training”.
Thereafter, the issue exists of providing training that is “necessary and appropriate” and relate to employee functions. Provide too much training, and much of it could be lost among the volume of information that has to be absorbed. Provide too little training, and the risk exists of a HIPAA Violation for which the Covered Entity or Business Associate is liable for due to a lack of training.
Therefore, HIPAA Privacy and Security Officers may wish to review the following best practices to ensure HIPAA training is effective:
One final piece of advice for providing HIPAA training is to make sure the training is documented. This involves noting the date, the content of the training, and who attended. In the event HIPAA training includes a module on Texas Medical Records Privacy Act and HB 300, attendees are required to sign a document to state they have been trained on the Act. As with all HIPAA documentation, training records must be maintained for a minimum of six years.
HIPAA training must be provided to all members of the workforce. This includes everyone from the C-suite down to environmental services technicians, contractors, volunteers, and students – regardless of the level of contact they may have with Protected Health Information.
There is no requirement to provide classroom-based training sessions. Computer-based training courses are the easiest to administer and are usually well received by employees. Whether you develop your own course or use a third-party training course, make sure it is modular. Short modules are best, as they are easier for employees to fit into busy workflows.
In the event of an audit or compliance investigation, the HHS´ Office for Civil Rights will need to be provided with evidence to show training has been provided to employees, the frequency of training sessions, and what the training covered. You must maintain a training log and store it with your HIPAA documentation.
The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance in recent years and imposed two financial penalties on healthcare providers in 2020 for training failures. OCR settled one case for $1.5 million to resolve HIPAA violations including a lack of Privacy Rule training and a small healthcare provider was fined $25,000 for violations including the failure to provide security awareness training to employees.
HIPAA refresher training sessions should be provided every two years at a minimum, although it is a recognized best practice to provide refresher HIPAA training annually. Two years is a long time. It would be easy for some HIPAA requirements to be forgotten by employees.
Copyright © 2022 ComplianceHome