Healthcare information security

How to satisfy HIPAA awareness and training requirements

December 17, 2019 by Karen Walsh

Introduction

While data privacy and security regulations abound, few bring the same number of frustrated groans from IT departments as the Health Insurance Portability and Accountability Act (HIPAA). 

The acronym “HIPAA” sounds a lot like the word “hippo.” In many ways, the connection between the two is an excellent way to think of the regulation. Hippos are highly aggressive and unpredictable, making them some of the world’s most dangerous animals. Similarly, HIPAA is a highly aggressive regulation, one that includes heavy fines and jail time. Just as you would teach someone going on a safari to steer clear of hippos, you need to educate your staff according to the HIPAA training compliance requirements to protect patient data. 

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

What are the HIPAA training requirements?

The regulatory morass known as “HIPAA” embeds training in two small sections of two rules. Like the rest of the law, the training requirements are equal parts prescriptive and vague.

According to the HIPAA Security Rule Administrative Safeguards, all covered entities must annually train all workforce members and document said training. The training and documentation must:

  • Be provided to all workforce members by the annual compliance date
  • Be provided to new workforce members within a “reasonable period” after joining the workforce
  • Be updated if a material change in policies or procedures occurs and then given again to align with the changes
  • Be retained for at least six years

The HIPAA Privacy Rule Administrative Safeguards provide a bit more detail to help you understand the information that needs to be in the training. The specifications include:

  • Periodic security updates
  • Procedures for guarding against, detecting and reporting malicious software
  • Procedures for monitoring login attempts and reporting discrepancies
  • Procedures for creating, changing and safeguarding passwords

At first glance, these don’t seem too difficult. After all, you have all of the materials you use every year. You can just hand the documents out to your employees, have them sign a sheet stating they read them and forget about it until next year. 

While this process follows the word of the regulation, it doesn’t really follow the spirit of data privacy and security. 

Why HIPAA training matters

“I really love doing my annual HIPAA training,” said no one ever. Managers and department heads end up nagging people to take the training and may even feel that the training negatively impacts employee productivity. Even more to the point, if you have employees who have spent years in the healthcare industry, they probably roll their eyes a little bit and mutter internally, “I’ve done this every year.”

Unfortunately, while most employees think they know how to protect patient health information (PHI) and electronic PHI (ePHI), the data breach and HIPAA violation data tell a different story. According to the Department of Health and Human Services (HHS), “Impermissible Use & Disclosures” was the most investigated issue requiring corrective action in 2018. The next four were “Safeguards,” “Administrative Safeguards,” “Access” and “Technical Safeguards.” 

If we delve a little deeper into the top three issues, a trend starts to show. People misused or inappropriately disclosed information, and both “Safeguards” and “Administrative Safeguards” (the category that covers training) also required correction. Better training is a theme running through all of these issues.

How to create an effective HIPAA training program

Cybersecurity shouldn’t be seen as a burden. You need employees with good cyber hygiene so that you can protect yourself from financial, reputational and compliance risk. However, information security is no longer simply a business need: it’s an important life skill for the digital world in which we live.

Make it personal

When people feel connected to a topic, they’re more likely to remember the information. Your employees go to doctors, emergency rooms or therapists. HIPAA privacy and security training starts as a way to meet a compliance mandate, but you can also make it about helping your employees know their own rights.

Talk to your employees and make sure they feel that their HIPAA training empowers them. Your disclosure policy teaches them about how to protect your patients’ data, but it can also teach employees how to advocate for their own privacy rights.

Make it relevant

Closely related to “make it personal,” making the training relevant means not just listing policies but explaining why they matter. Think about your password policy for a moment. Most likely, it includes something similar to this:

  • All passwords should be 8-12 characters and need to have a combination of uppercase letters, lowercase letters, numbers, and/or special characters.

Also, you most likely have a large number of users with passwords like:

  • Password1
  • P@ssword
  • Password1234
  • Summer123

Sure, these passwords meet your policy requirements. However, they’re also some of the most used and compromised passwords. Some of your employees probably even use the same password for their work email and their personal social media accounts. 
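The gap described above, as an added example that is not part of the original article: a check of the article's 8-12 character complexity policy next to a blocklist check of the kind NIST SP 800-63B recommends. The four passwords listed pass the policy yet are all caught by the blocklist. The blocklist and the "at least two character classes" reading of the policy are assumptions for the example.

```python
import re

# Constructed sample blocklist (not a real breach corpus): lowercase base words that
# recur in compromised-credential dumps. A production check would use a large
# breach-derived list, as NIST SP 800-63B recommends.
COMPROMISED_BASE_WORDS = {"password", "p@ssword", "summer", "welcome", "qwerty", "letmein"}


def meets_complexity_policy(password: str) -> bool:
    """The article's policy: 8-12 characters with a combination of uppercase,
    lowercase, numbers and/or special characters. Assumed interpretation for
    this example: at least two of the four character classes."""
    if not 8 <= len(password) <= 12:
        return False
    classes = (
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return sum(1 for c in classes if c) >= 2


def is_commonly_compromised(password: str) -> bool:
    """Blocklist check that ignores case and the trailing digits people append,
    so 'Password1234' and 'Summer123' reduce to 'password' and 'summer'."""
    base = re.sub(r"\d+$", "", password.lower())
    return base in COMPROMISED_BASE_WORDS


def evaluate(password: str) -> dict:
    """Report the policy verdict beside the blocklist verdict so the gap is visible."""
    policy_ok = meets_complexity_policy(password)
    compromised = is_commonly_compromised(password)
    return {"meets_policy": policy_ok, "compromised": compromised,
            "accept": policy_ok and not compromised}


if __name__ == "__main__":
    # The article's four examples all pass the policy but fail the blocklist.
    for pw in ["Password1", "P@ssword", "Password1234", "Summer123", "Tr0ub4dor&3"]:
        print(f"{pw:14} {evaluate(pw)}")
```

Note that the 12-character cap in the stated policy also rejects a long passphrase, which is the opposite of what a blocklist-based approach wants.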

Empower your employees by making your password policy training relevant to their lives outside of work. If they’re using a weak password at home, they’re using it at work. Make sure they understand how best practices protect their own accounts and family members. Once they practice good cyber hygiene at home, they’ll naturally use it at work. 

Make it continuous

HIPAA only requires one training per year. The problem with that? Your workforce members don’t just deal with PHI and ePHI once a year. They deal with it every day. 

Your HIPAA compliance training needs to occur on a regular basis. You don’t need to do a training every day — that would be tiresome for your employees. However, if you offer short training events multiple times a year, they’re more likely to remember the information and act on it. 

If you dedicate 10 minutes to HIPAA training at one employee meeting per month, you’re getting your employees to do 120 minutes — two full hours — of training a year. Normally, no one is going to sit through two hours of anything about HIPAA, but breaking it up into pieces makes it more palatable. Moreover, if it becomes a regular part of your employee meetings, then you’re baking it into your office culture. 

Conclusion: Building strong habits builds strong HIPAA hygiene 

HIPAA compliance needs to become second nature to your employees. If you only discuss it once a year to meet your compliance requirements, you don’t build HIPAA hygiene. Furthermore, if you treat it as an annual burden, you send out the message that ePHI and PHI are only important because the law says so. In reality, you know that patient information matters personally and ethically, even more than it matters legally. 

With the right approach, you can protect your patients and your workforce members. By creating a culture of continuous learning, you create a culture of continuous HIPAA compliance. 


Sources

  1. 45 CFR § 164.530 - Administrative requirements, Legal Information Institute
  2. 45 CFR § 164.308 - Administrative safeguards, Legal Information Institute
  3. Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year, HHS.gov

Karen Walsh

Karen Walsh is an attorney, auditor, teacher, author, and compliance enthusiast. When not reading new cybersecurity/privacy regulations and standards, she writes about them to help spread cyber awareness. In her "free" time, she volunteers with The Diana Initiative, an annual conference focused on supporting women in cybersecurity. You can find her on LinkedIn ( https://www.linkedin.com/in/geekykaren/ ) and Twitter ( https://twitter.com/GeekmomK )