How to satisfy HIPAA awareness and training requirements
Introduction
While data privacy and security regulations abound, few bring the same number of frustrated groans from IT departments as the Health Insurance Portability and Accountability Act (HIPAA).
The acronym “HIPAA” sounds a lot like the word “hippo.” In many ways, the connection between the two is an excellent way to think of the regulation. Hippos are highly aggressive and unpredictable, making them some of the world’s most dangerous animals. Similarly, HIPAA is a highly aggressive regulation, one that includes heavy fines and jail time. Just as you would teach someone going on a safari to steer clear of hippos, you need to educate your staff according to the HIPAA training compliance requirements to protect patient data.
Implementing HIPAA Controls
What are the HIPAA training requirements?
The regulatory morass known as “HIPAA” embeds training in two small sections of two rules. Like the rest of the law, the training requirements are equal parts prescriptive and vague.
According to the HIPAA Security Rule Administrative Safeguards, all covered entities must annually train all workforce members and document said training. The training and documentation must:
- Be provided to all workforce members by the annual compliance date
- Be provided to new workforce members within a “reasonable period” after joining the workforce
- Be updated if a material change in policies or procedures occurs and then given again to align with the changes
- Be retained for at least six years
The HIPAA Privacy Rule Administrative Safeguards provide a bit more detail to help you understand the information that needs to be in the training. The specifications include:
- Periodic security updates
- Procedures for guarding against, detecting and reporting malicious software
- Procedures for monitoring login attempts and reporting discrepancies
- Procedures for creating, changing and safeguarding passwords
At first glance, these don’t seem too difficult. After all, you have all of the materials you use every year. You can just hand the documents out to your employees, have them sign a sheet stating they read them and forget about it until next year.
While this process follows the word of the regulation, it doesn’t really follow the spirit of data privacy and security.
Why HIPAA training matters
“I really love doing my annual HIPAA training,” said no one ever. Managers and department heads end up nagging people to take the training and may even feel that the training negatively impacts employee productivity. Even more to the point, if you have employees who have spent years in the healthcare industry, they probably roll their eyes a little bit and mutter internally, “I’ve done this every year.”
Unfortunately, while most employees think they know how to protect patient health information (PHI) and electronic PHI (ePHI), the breach and HIPAA violation statistics tell a different story. According to the Department of Health and Human Services (HHS), “Impermissible Use & Disclosures” was the most investigated issue requiring corrective action in 2018. The next four were “Safeguards,” “Administrative Safeguards,” “Access” and “Technical Safeguards.”
Looking more closely at the top three issues, a trend emerges. People misused or inappropriately disclosed information, and both “Safeguards” and “Administrative Safeguards” (the category that covers training) also required correction. Better training is a theme running through all of these issues.
How to create an effective HIPAA training program
Cybersecurity shouldn’t be seen as a burden. You need employees with good cyber hygiene so that you can protect yourself from financial, reputational and compliance risk. However, information security is no longer simply a business need: it’s an important life skill in the digital world we now live in.
Make it personal
When people feel connected to a topic, they’re more likely to remember the information. Your employees go to doctors, emergency rooms or therapists. HIPAA privacy and security training starts as a way to meet a compliance mandate, but you can also make it about helping your employees know their own rights.
Talk to your employees and make sure they feel that their HIPAA training empowers them. Your disclosure policy teaches them about how to protect your patients’ data, but it can also teach employees how to advocate for their own privacy rights.
Make it relevant
Similar to “make it personal,” “make it relevant” means you don’t just list policies but explain why they matter. Think about your password policy for a moment. Most likely, it includes something similar to this:
- All passwords must be 8-12 characters long and contain a combination of uppercase letters, lowercase letters, numbers and/or special characters.
Also, you most likely have a large number of users with passwords like:
- Password1
- P@ssword
- Password1234
- Summer123
Sure, these passwords meet your policy requirements. However, they’re also some of the most used and compromised passwords. Some of your employees probably even use the same password for their work email and their personal social media accounts.
Empower your employees by making your password policy training relevant to their lives outside of work. If they’re using a weak password at home, they’re using it at work. Make sure they understand how best practices protect their own accounts and family members. Once they practice good cyber hygiene at home, they’ll naturally use it at work.
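As an added illustration (not code from the original article), the script below encodes the sample 8-12 character complexity policy above, shows that all four listed passwords satisfy it, and then applies an assumed hardened rule (a 12-character floor with no cap, plus a deny-list checked against a normalized form of the password) that rejects them. The deny-list and the substitution table are constructed for the demo; a real deployment would load a large corpus of breached and common passwords.

```python
import re

# Constructed deny-list for the demo. A real deployment would load a large
# corpus of breached/common passwords; these entries cover the page's examples.
COMMON_PASSWORDS = {"password", "p@ssword", "summer", "welcome", "letmein", "qwerty"}

# Assumed substitution table: undoes the swaps people use to push a dictionary
# word past a complexity rule (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def meets_complexity_policy(pw: str) -> bool:
    """The page's sample policy: 8-12 characters drawn from at least two classes."""
    if not 8 <= len(pw) <= 12:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 2


def normalize(pw: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, undo leet swaps."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def passes_hardened_policy(pw: str, min_len: int = 12) -> bool:
    """Assumed hardened rule: length floor, no cap, deny-list on raw and
    normalized forms. Complexity classes are deliberately not required."""
    if len(pw) < min_len:
        return False
    return pw.lower() not in COMMON_PASSWORDS and normalize(pw) not in COMMON_PASSWORDS


def compare(passwords):
    """Return (password, passes_complexity, passes_hardened) for each candidate."""
    return [(p, meets_complexity_policy(p), passes_hardened_policy(p)) for p in passwords]


if __name__ == "__main__":
    # The four passwords the article lists, plus a long passphrase for contrast.
    for pw, weak_ok, strong_ok in compare(
        ["Password1", "P@ssword", "Password1234", "Summer123", "correct-horse-battery-staple"]
    ):
        print(f"{pw:30} complexity={weak_ok!s:5} hardened={strong_ok}")
```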
Make it continuous
HIPAA only requires one training per year. The problem with that? Your workforce members don’t just deal with PHI and ePHI once a year. They deal with it every day.
Your HIPAA compliance training needs to occur on a regular basis. You don’t need to do a training every day — that would be tiresome for your employees. However, if you offer short training events multiple times a year, they’re more likely to remember the information and act on it.
If you dedicate 10 minutes to HIPAA training at one employee meeting per month, you’re getting your employees to do 120 minutes — two full hours — of training a year. Normally, no one is going to sit through two hours of anything about HIPAA, but breaking it up into pieces makes it more palatable. Moreover, if it becomes a regular part of your employee meetings, then you’re baking it into your office culture.
Conclusion: Building strong habits builds strong HIPAA hygiene
HIPAA compliance needs to become second nature to your employees. If you only discuss it once a year to meet your compliance requirements, you don’t build HIPAA hygiene. Furthermore, if you treat it as an annual burden, you send out the message that ePHI and PHI are only important because the law says so. In reality, you know that patient information matters personally and ethically, even more than it matters legally.
With the right approach, you can protect your patients and your workforce members. By creating a culture of continuous learning, you create a culture of continuous HIPAA compliance.
Sources
- 45 CFR § 164.530 - Administrative requirements, Legal Information Institute
- 45 CFR § 164.308 - Administrative safeguards, Legal Information Institute
- Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year, HHS.gov