Confusingly, though training employees in HIPAA compliance is absolutely necessary, the requirements laid out by the legislation regarding training are vague. This is partly because HIPAA covers a broad range of covered entities (CEs) and their business associates (BAs).
Training, in some form, is required under the Administrative Requirements of the HIPAA Privacy Rule and as an Administrative Safeguard of the HIPAA Security Rule. Neither provides very comprehensive guidance: training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule), and CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).
Regrettably, this lack of certainty regarding HIPAA training guidelines does lend itself to confusion. Despite the lack of clear rules, should a breach of Protected Health Information (PHI) occur and it is found that staff weren’t adequately trained, the CE and BAs may be issued a fine by the Office for Civil Rights (OCR), which sits within the Department of Health and Human Services.
Objectives of HIPAA Training
To prevent such a breach from happening, it is essential that regular risk assessments are conducted by both the CEs and BAs. These will establish the role each employee has regarding the handling of PHI, which helps ensure that each employee gets training appropriate to his/her role.
CEs should tailor security awareness and training programs to the role of each employee, manager, associate, etc. who will come into contact with PHI. For complex roles, several training sessions may be required.
Providing training can be costly and time-consuming, which is often off-putting. It is, however, necessary. We recommend that training is offered in shorter, frequent sessions rather than one long session. This way, employees are more likely to stay focussed and retain critical information.
Top Training Tips
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.
Do try to keep training sessions short. This will make employees more likely to retain information and thus help prevent further breaches. Remember: ignorance is not considered an excuse for PHI breaches.
Do provide regular training sessions. Each can focus on a different aspect of training, update staff on new developments or even just remind employees of the most important aspects of the regulation.
Do inform employees of the dangers of a PHI breach. These can include fines and legal action for the CE, and a loss of privacy for the patient affected. Such information can help highlight the need for HIPAA compliance.
Do include all levels of management in training. Everybody needs a refresher from time to time, and a lack of training provided to higher levels reflects poorly on the CE in an audit.
Don’t forget to make clear records of when the training occurred, who was involved and what information was handed out. If the OCR carries out an investigation or an audit, this information will be critical.
Don’t just read passages from HIPAA. Explain legal jargon and summarise the important pieces of information. Try to ensure that participants not only know the relevant legislation but also understand how to apply it in their day-to-day roles.
Don’t go into the history of HIPAA – it is not essential information and is likely to cause participants to lose focus before you even begin. Having so much background thrown at them before the important material starts will alienate employees.
Designing a training course can be complicated, and it can be difficult to decide what is appropriate for different employees. Here we describe a sample HIPAA training curriculum, which can be tailored as needed. Some modules – such as Introduction to HIPAA – are core to all employees, whilst others are more suitable for those in specific roles. Who receives what training is at the discretion of the CE.
- Introduction to HIPAA – This should include a brief overview of HIPAA legislation, as well as detailing the main aspects of the act. It should not, however, include a long introduction to the history of HIPAA.
- Why is HIPAA needed? – Though this may seem intuitive, there is no harm in reminding employees of why acts such as HIPAA are required. This can include case studies of recent incidents where HIPAA was breached.
- HIPAA terminology – HIPAA is a complex piece of legal documentation. It would be unreasonable to expect all employees to understand the terminology, so providing a “dictionary” of common terms (e.g. “covered entity”) will be hugely beneficial.
- Applicability of HIPAA – HIPAA applies to any body that holds healthcare records, from hospitals to healthcare clearinghouses. Knowing who has to abide by HIPAA policy is essential in ensuring compliance.
- Covered Entities – Under HIPAA, a Covered Entity (CE) is any organisation that creates, accesses, transfers and stores PHI. CEs must be HIPAA compliant, meaning they must maintain the integrity of the PHI.
  - Examples of CEs – Generally, any hospital, medical practitioner, healthcare clearinghouse or billing company is considered a CE, as they have access to PHI.
  - Are employers CEs? – Generally, employers are not considered CEs, though they often hold healthcare records for their employees. There are some exceptions: if employers engage in schemes such as an Employee Assistance Program, they are “hybrid entities” and must be HIPAA-compliant.
- Business Associates – A Business Associate (BA) is any organisation or individual contracted by the CE to perform a service. BAs must also be HIPAA-compliant, and thus must train their employees in HIPAA legislation.
  - Types of BA – BAs essentially include any external body hired by the CE to perform a service. This can range from management consulting to accounting. As long as they have access to PHI, they must be HIPAA-compliant.
  - Business Associate Agreement – Before beginning business with a BA, a CE must ensure that the BA signs a Business Associate Agreement. This is a legal document entrusting the integrity of the PHI to the BA and legally binding it to be HIPAA compliant.
- What is PHI? – Under the HIPAA Privacy Rule, certain classes of information are deemed “protected” and must remain confidential. They cannot be transmitted to or accessed by unauthorised personnel. Any employee who comes into contact with such information must be trained to identify it and treat it accordingly.
  - Examples of PHI – PHI may include an individual’s name (including previous names), their past medical record, their credit card details and their social security number. Accessing any one of these pieces of information leaves the patient vulnerable, but combining them with each other, or with other details such as a ZIP code, is far more dangerous.
- HIPAA Rules – Since it was originally written, many aspects of HIPAA have been amended. This includes the addition of several “rules” that address specific aspects of data privacy. Most employees will deal with specific rules, or specific aspects of them, so this section can be tailored to their needs.
  - Privacy Rule – Coming into effect in 2003, the Privacy Rule defined PHI and also instructed CEs on how to protect data. It also gave patients privacy rights, including the right to withhold private healthcare information from health insurers. The Privacy Rule also includes the Minimum Necessary Rule, which stipulates that only the minimum amount of information required to complete a task may be passed on to another authorised employee.
  - Security Rule – The Security Rule addresses electronic PHI (ePHI). It outlines the administrative, physical and technical safeguards needed to protect health data.
  - Enforcement Rule – To help ensure that HIPAA is being followed, the Enforcement Rule was introduced. It outlines the penalties for non-compliance and gives the Department of Health and Human Services the ability to prosecute HIPAA violations.
  - Breach Notification Rule – The Breach Notification Rule stipulates that a CE or BA has 30 days after the discovery of a breach to notify the OCR. Additionally, if over 500 patients are affected, the CE must contact the media.
  - Omnibus Rule – The most recent addition to HIPAA, the Omnibus Rule addresses a wide range of areas. For example, it stipulates that any PHI leaving the BA’s or CE’s firewall must be encrypted. It also allows patient records to be held indefinitely.
- HIPAA Password Policies
  - Changing passwords – HIPAA doesn’t specify how often passwords should be changed, and experts don’t agree on the frequency either. We recommend that they are changed frequently, but not so frequently that they need to be written down.
  - Password strength – Passwords should contain a good mixture of upper- and lower-case letters, as well as numbers and special characters where permitted. Longer passwords are better.
  - Two-factor authentication – HIPAA stipulates that if an alternative method of protection can be found that offers the same level of protection as passwords, it may be used in place of passwords. Two-factor authentication is a good, safe alternative, generating a unique passcode for each login attempt.
- HITECH – The Health Information Technology for Economic and Clinical Health Act was introduced to help the healthcare sector adapt to the modern age.
  - Meaningful use – Under HITECH, those holding electronic health records (EHRs) must show that there is a legitimate purpose for holding onto healthcare records. Initially optional, this is now mandatory for all healthcare providers.
  - HITECH and HIPAA – Though HITECH is separate from HIPAA, it is closely related to the act and reinforces it. Whilst HIPAA focusses on all aspects of privacy, HITECH has a special focus on digital health records.
- Exceptions to HIPAA Privacy – Children and Minors
  - Cases of abuse – Unfortunately, medics working in the healthcare profession may come across distressing cases. If a CE has reasonable grounds to believe that a minor is being abused or neglected, the CE can choose not to disclose the patient’s health information to the legal guardian. It may also inform the police or Child Services.
  - Independent minors – If a minor has been emancipated from their legal guardian, they must be treated as a legal adult.
  - Legal requirements – If a court decides that someone other than the minor’s legal parent or guardian must make their medical decisions, that third party may access the child’s healthcare data.
- Threats to Privacy
  - Cybercrime – Regrettably, healthcare data is an increasingly prominent target for cybercriminals, as it has huge value on the black market. Thus cybercrime, primarily in the form of hacking, poses a huge threat to data privacy. Adopting some of the aforementioned policies and practices can help lessen the threat, though it is unfortunately unlikely to be eliminated completely.
  - Human error – All employees make mistakes from time to time; it is completely normal. However, when a mistake threatens patient privacy, it can have resounding consequences. It is essential that employees understand the potential dangers of HIPAA non-compliance and the policies in place to prevent breaches.
- Penalties for Non-Compliance – For any piece of legislation to have authority, there must be adequate penalties to act as a deterrent. HIPAA is no exception. Ensuring employees have an adequate understanding of the potential penalties for HIPAA non-compliance can help prevent breaches.
  - Administrative fines – Financial penalties for HIPAA non-compliance can range from $50,000 to $2.5 million per occurrence, depending upon the nature of the violation.
  - Personal fines – If an individual violated HIPAA with malicious intent, they can face a personal fine of up to $250,000.
  - Jail sentences – In some instances, if a breach is deemed sufficiently severe, an individual may receive a jail sentence of up to 10 years.
HIPAA Compliance Training: Summary
The phrasing of the HIPAA legislation means that it is up to covered entities and their business associates how best to provide training to employees. Ultimately, so long as sufficient training is provided to allow employees to understand how to prevent PHI breaches, it should be adequate. Training should also be tailored to the role of individual employees, which both maximises efficiency and increases the likelihood of retention. The sample curriculum supplied here is a good base from which a full training course can be developed.