It is easy to imagine the kind of challenges doctors, nurses, and other health care professionals face when fighting to keep us healthy. There is no need to add the extra pressure that comes with a potential cyberattack. Without a robust security architecture, your patients’ data is at risk of exposure, which could pose a severe privacy risk. But without proper staff training, the potential fallout can compound, which in the worst case could result in loss of life.
HIPAA training for employees can alleviate the stress and get your staff cyber-ready. Learn how you can comply with HIPAA training.
Let’s discuss.
What Part Of The Law Covers HIPAA Training For Employees?
Employee training is part of both the privacy rule and the security rule of the regulation. It is covered in sections 45 CFR 164.530 and 164.308; you can find a full-text version of the article here.
The training comprises the administrative safeguards, which we will explore in more detail a little later.
Privacy Rule vs. Security Rule
Congress and lawmakers added the security rule around the year 2003 and intended it to complement the privacy rule while coming in line with more modern cybersecurity systems and practices.
The privacy rule pertains to all protected health information (PHI), both physical and electronic, while the security rule only pertains to electronic PHI.
Many cybersecurity frameworks will distinguish different types of safeguarding, and the security rule also refers to three kinds of protections.
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
Training requirements for employees fall under the administrative safeguards of the covered entity. However, later on in the article, we will see that all precautions are related to employee training in one way or another.
Lastly, the code lays out a series of “standards” and “addressables” within each law section. Implementing standards is mandatory for all covered entities and business associates while implementing addressables is more flexible and open to interpretation.
Training for employees is a standard within the law. Still, the policy and procedures fall under “addressable,” meaning that while the covered entity and business associates will be required to carry out staff training, the guidelines the staff follow will be left to the privacy official or security team to develop.
Who Needs To Provide HIPAA Training?
Because staff training is a standard, all covered entities and business associates that deal with PHI will have to provide training.
What is a covered entity?
A covered entity under HIPAA could be any of the following:
- Health Care Providers
- Health Plans
- A Healthcare Clearinghouse: entities that process nonstandard healthcare information they receive from another entity
These are some examples of covered entities under HIPAA. The regulation understands that some functions are not carried out by just the covered entity, so it distinguishes between a covered entity and a business associate.
What is a business associate?
Suppose the covered entity engages a third-party provider to help carry out its health care function. In that case, the third party will be classified as a business associate and will have to comply with HIPAA. Keep in mind that the business associate will only have to comply with the law if the functions or activities require any PHI disclosure.
Therefore, both the covered entity and the business associate will have to provide staff training.
HIPAA Training Requirements
The security rule states that employee training is a standard that falls under administrative safeguards.
As mentioned before, the security rule comprises three types of safeguards. Administrative safeguards are all the policies and procedures that clearly show how the covered entity will comply with HIPAA. The elements that you can expect to see are:
- A written set of privacy procedures, developed and implemented by a privacy officer or official (more on this later)
- A policy that states which employees or groups will have access to the PHI (restricted only to employees who require it for job function)
- The covered entity must show appropriate ongoing training for employees
- Third-party networks must also comply with the policies and procedures set out by the covered entity
- The covered entity must have a response or emergency plan in place for breaches and provide data back-ups
- Internal audits should form part of the policy framework
The security policies and procedures will form the framework for training. As long as the administrative safeguards adhere to the requirements laid out by the regulation, the training will be relatively straightforward.
However, as a general rule of thumb, some things need to be included regardless of policy. These factors relate directly to the training itself, which should consist of:
- What is protected under HIPAA
- Why it is being protected
- How employees should protect that information
What Is Protected Under HIPAA
Employees need to be made aware of what is considered PHI as part of their training. The extent of what is classified as PHI will depend on the kind of provider you are. For example, if your organization offers health plans, all the program information will be considered PHI. But your organization will not have to apply safeguards to any prescriptions given to your employees as that falls under the doctor’s jurisdiction.
Here are some things that you will need to consider when developing a training program:
- Patient information
- Addresses
- Name and date of birth
- Social Security Numbers (SSN)
- Insurance client numbers
- Health Care Provision Information
- Prescriptions
- Psychological reports
- Treatment schedules
- Insurance coverage
- Dental plans
These are a few examples; you will have to review your information system to understand the PHI you might process.
Why Is PHI Being Protected
Much like privacy risk assessments, HIPAA training is an exercise in privacy awareness. Anyone can easily feel embarrassed about their medical condition, and it is for this reason that the healthcare industry should take great care when dealing with PHI. Ingraining this ethos into the training humanizes the patient experience for the personnel and business associates, making it easier to carry out the protective measures. Beyond personal embarrassment, there are real concerns attributed to loss or theft of medical information, namely medical identity theft or blackmail.
How employees protect the PHI will come down to the policies set out by the organization. We will discuss this in greater detail later in the section titled “Policy and Procedure Under HIPAA.”
How Often Will I Need To Conduct HIPAA Training
Changing threats and updates to systems will mean that new information will need to be injected into the training program. HIPAA rules do state that training will need to be refreshed “periodically.” However, this period is open to interpretation, as the regulation does not give any specific details on timing.
Generally speaking, the accepted period for any type of security awareness refresher training is annual. Many voluntary cybersecurity frameworks will state annual retraining as a best practice method, and this will also work for regulatory requirements. It is more a matter of consistency, especially when it comes to the judgment of regulators.
Policy and Procedures Under HIPAA
As mentioned previously, the policies and procedures make up the “how” of the training.
Most staff and personnel, bar the management, will not need to concern themselves with administrative safeguards. For example, a doctor carrying out their job function will not need to develop a security policy. Instead, they should be able to follow the privacy or security policy set out by the security administrative team.
The policies and procedures themselves will make up the remaining two safeguards, those being physical and technical.
Physical Safeguards
The physical security of an organization is often overlooked in the grand scheme of things. Staff can tend to forget that incorrect disposal of a piece of paper can give deep insight into the organization’s operations, and bad actors will take advantage of this.
It is also important to mention that even though data is often stored digitally, you can access it through physical means. For example, a hard drive that carries sensitive information is classified as digital, but if not locked away properly, a hacker can simply pick it up and take it away. And if not encrypted, they will easily access what is stored on it.
However, physical safeguards do go beyond simply locking your doors. Ensuring that only the right people have access to restricted parts of the organization is also a physical safeguard.
This section will examine physical security policies that you need to train your health staff in as part of the HIPAA training requirements.
- Restrict access to physical PHI: Doctors will often write down prescriptions on a specialized document. This document now contains PHI that will need to be secured. As part of the policy, any place (i.e., doctors’ offices, hospital wards, etc.) will need to restrict access to only personnel who require it as part of the job function. Using keycard systems is a great way to automate this process. The staff should be made aware of this so that they can identify any unauthorized personnel quickly.
- Correct PHI disposal: any physical form of PHI, whether it be prescriptions or health plan print-outs, will need to be disposed of correctly. All personnel will need to know how to dispose of this information correctly. A generally accepted form of destruction is to use a paper shredder. But the regulation does not specify in which way PHI needs to be destroyed, so that will have to be decided by the organization.
- Correct identification of patients or customers: there should be a policy in place that staff can follow to correctly identify that the customer or patient they are treating is genuine. This will limit the success of social engineering attempts through direct proximity.
- Keeping inventory: staff should keep an inventory of all PHI they process. This will make any audits easier to manage and carry out. The training will require the admin to implement an inventory system, and the staff will then have to learn to use it.
Technical Safeguards
Technical safeguards are the primary line of defense for all ePHI (electronic) and should form the bulk of the training. Most information management systems nowadays are either automated or fully digital. These management systems are also widely used in the healthcare industry, which means staff and personnel handling ePHI need to take extra care when transmitting or storing information.
The IT infrastructure’s administrative side should apply the appropriate protection to the information system as a whole, like a firewall, anti-malware, and access controls. But on a personal accountability level, a policy should be implemented to ensure all ePHI is handled correctly.
The technical safeguards that fall outside administrative controls are the ones that you should train your staff in; here are a few examples.
- Password Management: all staff members that have access to ePHI will need to adhere to a password management policy. Generally, password management will include auto-generated passwords and password lifecycles (i.e., changing every three months). You can employ password management tools to help, but make sure the software is easy to use.
- Multi-Factor Authentication: it is almost impossible to get away with creating an online account without giving some form of 2-factor authentication, whether it be through mobile or apps. The healthcare industry will need to start using MFA in its information systems. Therefore the staff will need to be trained in using MFA when accessing ePHI; this will ensure that all users accessing the information are genuine.
- Secure Communication and Data Transmission: there should be a policy in place that dictates the use of private corporate networks. The staff should adhere to this policy, and as part of the training, there should be restricted use of any personal forms of communication. This restriction means using social media on internal networks is prohibited (limiting the interaction with bad actors). Any transmission of ePHI will need to be done through proper internal channels using only authorized communication networks.
- Proper Use of Workstations: the organization should train the staff in appropriate workstation use. This training would involve accounts and password management, the information life cycle, or the proper deletion of ePHI. It will ultimately depend on the information system’s type and complexity, so don’t limit it.
There is scope for the policy to be much wider-reaching, especially considering how complicated a hospital’s management can be. But as these policies are cybersecurity industry standards, you can apply them to any business in the healthcare niche.
Closing Remarks
Staff awareness is an integral part of any cybersecurity architecture. But it doesn’t have to be an uphill battle.
Human error remains one of the biggest reasons for data breaches. The healthcare industry, in particular, suffers significantly from violations due to the sensitivity of the health information.
Regulations like HIPAA intend to bring modern approaches to security to the industry. But regulations are not enough to keep attackers at bay, who are seemingly always one step ahead.
If you work in the healthcare industry and are looking to stay one step ahead of the attackers, consider partnering with a Managed Security Service Provider (MSSP).
Furthermore, consider RSI Security as the MSSP for you. With years of experience in compliance advisory services, we can help you in HIPAA training for employees, creating a program, and other aspects of the regulation. Contact us today and schedule a consultation.