HIPAA Training for IT Professionals

HIPAA Training for IT Professionals - HIPAA Guide.net

The nature of HIPAA training for IT professionals can vary depending on an IT professional’s employment status, functions, and responsibilities. Because of these variables, there is no one-size-fits-all IT professional HIPAA training program. However, it can benefit all IT professionals in healthcare, health insurance, and support industries to take advantage of standard HIPAA awareness training.

Due to the increasing use of information technology in healthcare, health insurance, and support industries, HIPAA training for IT professionals should consist of more than the basic HIPAA training requirements. IT professionals need to be aware of the challenges faced by public-facing members of the workforce, the shortcuts workforce members might take “to get the job done”, and why some workforce members may be reluctant to report security incidents.

Depending on their employment status, functions, and responsibilities, IT professionals may also need to be aware of common errors made by workforce members when using information technology, the ways in which cybercriminals infiltrate networks to access databases of Protected Health Information (PHI), and the “real” consequences of unauthorized disclosures of PHI beyond fines, corrective action plans, sanctions, loss of contract, and refresher training.

Why Employment Status Matters to HIPAA Training for IT Professionals

IT professionals required to receive HIPAA training include employees of covered entities and business associates, individuals contracted to work exclusively for a covered entity or business associate, and individuals who qualify as business associates or subcontractors in their own right. Employment status matters because different requirements apply with respect to the minimum HIPAA training for IT professionals that must be provided.

Covered Entities’ IT Workforces

All employees of a covered entity and individuals contracted to work exclusively for a covered entity are considered to be members of the covered entity’s workforce because they are under the direct control of the covered entity, regardless of whether or not they are paid by the covered entity.

Covered entities are required to implement policies and procedures designed to ensure compliance with the HIPAA Privacy Rule and HIPAA Breach Notification Rule. They are also required to safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.


Thereafter, covered entities are required to provide policy and procedure HIPAA training “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity [in compliance with HIPAA]”. Policy and procedure training must be repeated whenever there is a material change to policies or procedures that impacts workforce members’ functions.

In addition, covered entities have to implement a security awareness and training program for all members of the workforce that takes into account the requirements of §164.306 – the HIPAA Security Rule’s General Rules. Among other provisions, the General Rules require covered entities to safeguard PHI (specifically electronic PHI) from reasonably anticipated uses or disclosures that are not permitted or required by the HIPAA Privacy Rule.

Because of these requirements, HIPAA training for IT professionals is likely to consist of policy and procedure HIPAA training and security awareness training relevant to their functions and responsibilities. It is less likely to consider interactions with other members of the workforce when IT professionals work on an IT helpdesk, assist with technical issues in situ, or are faced with a security incident about which they have minimal information.

Business Associates’ IT Workforces

While the same definition of workforce applies to business associates, business associates are only required to comply with HIPAA Privacy Rule standards that are applicable to the service being provided to or on behalf of a covered entity. This means the requirement to implement policies and procedures designed to ensure compliance with the HIPAA Privacy Rule is a limited requirement, and policy and procedure HIPAA training will also be limited.

With regard to security awareness and training programs, while these still have to take the requirements of §164.306 into account, they are less likely to consider reasonably anticipated uses or disclosures that are not permitted or required by the HIPAA Privacy Rule. It is even less likely that business associate HIPAA training for IT professionals will consider interactions with covered entities’ workforces and the “real” consequences of unauthorized disclosures.

Self-Employed IT Professionals and Subcontractors

HIPAA training for IT professionals who are self-employed or subcontractors should be similar to HIPAA training for business associates’ IT workforces. However, whereas a business associate will have a HIPAA Security Officer or compliance team responsible for developing policies and procedures and designing security awareness and training programs, self-employed IT professionals and subcontractors do not have an equivalent “guidance structure”.

The lack of a guidance structure can leave gaps in HIPAA training for IT professionals when it is not only necessary to ensure the IT service being provided for or on behalf of a covered entity supports HIPAA compliance, but it may also be important to be aware of workforce challenges, shortcuts, and common errors that can expose PHI to unauthorized access. The nature of these potential issues can also vary according to IT professionals’ functions and responsibilities.

A Selection of IT Professionals’ Functions and Responsibilities

The range of IT professionals’ functions and responsibilities is almost as wide as those of healthcare providers. IT professionals can interact with public-facing members of the workforce via IT helpdesks, in situ (i.e., installing a printer or investigating a computer issue), and/or during technology training. When working in situ (i.e., in a hospital unit) IT professionals may also directly interact with patients, family members, and other members of the public.

IT professionals can also work behind the scenes developing software, ensuring existing software is updated or patched, and/or managing users’ access rights. In some cases, behind the scenes IT professionals may also be responsible for contingency planning, procurement and asset management, and/or entering into Business Associate Agreements. Some may also act as a Managed Service Provider for a covered entity or business associate.

Most of these functions and responsibilities have the potential to result in an impermissible use or disclosure of PHI or expose PHI to unauthorized access. For example, it may be the case that, because what is considered PHI under HIPAA has not been explained in HIPAA training for IT professionals, a member of the helpdesk team advises a healthcare employee to include PHI in the metadata of an email to bypass a security measure configured to prevent data loss.

Additionally, IT professionals working in situ may impermissibly disclose more than the minimum necessary PHI to a member of a patient’s family, or may disclose information that a patient has requested is kept private – something that can also happen during technology training. IT professionals responsible for contingency planning and Managed Service Providers also need to be aware of HIPAA Privacy Rule standards in order to mitigate the risk of a HIPAA violation.

Furthermore, when developing or updating software, IT professionals need to understand the challenges workforce members face, to ensure the software is not too complicated to use and can be used under pressure. This level of knowledge extends to understanding why workforce members may take shortcuts or download unsanctioned apps to “get the job done”, or make unforced errors – and then be reluctant to report security incidents due to the threat of sanctions.

The Consequences of Incomplete HIPAA Training for IT Professionals

It is unfair to blame incomplete HIPAA training for IT professionals for workforce members taking shortcuts or making unforced errors, because those workforce members should also have received HIPAA training to mitigate the likelihood of these events occurring. However, the responsibility for “sorting the mess out” is often delegated to IT professionals, who may struggle to resolve compliance issues if they have an incomplete knowledge of HIPAA and how it is applied in the workplace.

It can also be the case that IT professionals are 1) instructed to identify the cause of an impermissible disclosure or data breach “within sixty days” because that is the time allowed by the HIPAA Breach Notification Rule to notify impacted individuals of the breach, and 2) told that the consequences of late notifications (and of impermissible disclosures or data breaches) are fines, corrective action plans, sanctions, loss of contract, and/or refresher training.

While the time allowed and the consequences of late notifications are technically accurate, they do not take into account the real consequences of unauthorized disclosures of PHI – typically medical identity theft and insurance fraud. Medical identity theft and insurance fraud can result in patients’ health data being used by ineligible persons to obtain healthcare, prescription drugs, and medical equipment at a huge cost to the healthcare and health insurance industries.

More importantly, when patient data is stolen and misused, it can result in misdiagnoses, delays in the provision of healthcare, and wrong pharmaceuticals being prescribed to genuine patients. In a survey conducted in 2014, 15% of respondents reported the misdiagnosis of an illness because somebody else had misused their healthcare data, 14% reported a delay in receiving medical treatment, and 11% were prescribed the wrong pharmaceuticals.

Consequences of Medical Identity Theft

Significantly, 56% of respondents said they lost trust and confidence in their healthcare provider. When this happens, patients are less willing to share intimate details about their illnesses, giving healthcare providers less information to make accurate diagnoses and prescribe appropriate courses of treatment. Patients are also less likely to comply with treatment plans – resulting in worse patient outcomes, readmissions, and increased pressures on the health system.

How to Best Support HIPAA Training for IT Professionals

It is impractical to provide HIPAA training for IT professionals that covers every possible intentional or unintentional use or disclosure of PHI that is in violation of the HIPAA Privacy Rule. But it is possible to provide IT professionals with HIPAA awareness training that offers a better understanding of HIPAA, a better understanding of the challenges public-facing members of the workforce experience, and a better understanding of policy and procedure training.

HIPAA awareness training covers topics that are consistent in every HIPAA-regulated environment. These topics include an explanation of what PHI is – and what it isn’t – why PHI should “really” be protected, and why it is necessary to provide all members of the workforce HIPAA-focused security awareness training even when they have no access to PHI. Some HIPAA awareness training also includes sections on why data breaches occur and how to prevent them.

Because HIPAA awareness training is developed to be consistent for every member of the workforce, it can support HIPAA training for IT professionals by offering a different perspective of what HIPAA means to workers in different roles. This can help IT professionals develop more effective software solutions, create contingency plans that allow for compliant continuity of operations, and develop technology training that demonstrates how technologies should be used in real world scenarios.

Covered entities, business associates, and self-employed IT professionals can find out more about HIPAA awareness training from a variety of sources. Before subscribing to a HIPAA awareness training course, it is advisable to request a curriculum to ensure that the course content is relevant. It is also advisable to check the course is accredited by a recognized training assessor – for example, by the American Health Information Management Association (AHIMA).

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/