What Training is Required Under HIPAA?
The Health Insurance Portability and Accountability Act, better known as HIPAA, is one of the principal laws regulating the healthcare industry in the United States, but what are the training requirements for staff under HIPAA?
Due to the complex nature of HIPAA, no one can reasonably be asked to work with data or other elements subject to HIPAA Rules without first receiving appropriate training. The Act itself takes this into account and states in two different sections that training for staff is mandatory. For such a broad piece of legislation, with various exceptions and special cases, the risk that untrained individuals would make a mistake that jeopardizes the information security of potentially millions of patients is too great to leave training as a voluntary step.
Perhaps somewhat contradictory to this attitude towards risk reduction is the level of detail given in the text of the Act on exactly what training is to be given, and how it should be conducted. To put it bluntly, not a lot of information is provided. The HIPAA Privacy Rule only states that training should be given “as necessary and appropriate for members of the workforce to carry out their functions”, while the HIPAA Security Rule has a similarly vague statement remarking that covered entities and their business associates should “implement a security awareness and training program for all members of the workforce”.
Won’t This Lead to Confusion and Compliance Issues?
At first, this approach may seem a bit lax – training has to be provided but the areas and subjects are not defined, nor are the levels of knowledge that trained staff must be shown to possess. However, given the evolution of the healthcare environment and the breadth of HIPAA’s scope, it makes sense to not try to regulate this area too closely. Indeed, the lack of specifics allows healthcare organizations a greater deal of flexibility in the systems they use and other vital aspects of how they conduct their business.
No one should be better positioned to determine appropriate training for staff on various components of a covered entity’s systems or procedures than the covered entity itself. If the Department of Health and Human Services’ Office for Civil Rights (OCR) had to review and design training for every system or organization, they would quite probably lack the resources to do anything else.
This approach also puts a certain onus on the covered entity. Should a breach occur and it is discovered that staff had not been given training, it is quite likely that the organization would be held liable and subject to penalties from OCR. If, on the other hand, the covered entity or business associate can show that a sufficiently robust training program is in place and has been followed, the breach may be seen in a better light, as the result of an accident rather than of negligence on the part of the entity.
But how can a covered entity determine what training is “necessary and appropriate”? A key tool that the organization can refer to when determining their requirements and designing their training program is their risk assessment report. As part of this assessment, the roles and responsibilities of individual staff members of every level should have been cataloged, with the different risks estimated on the basis of the data being handled or the function being executed. When starting with this information, the “necessary and appropriate” training should be much easier to identify and design.
It is more than likely that different functions will require training in different areas. Covered entities should resist the temptation to implement a “one-size-fits-all” approach and should instead examine closely who would benefit from what type of training, in order to keep the content as relevant as possible to employees’ roles. While designing multiple modules would initially take more time, the long-term efficiency benefits would far outweigh any short-term losses.
Imagine, if you will, that every staff member had to sit through a day-long training session in which only some parts relevant to their role were interspersed irregularly throughout the presentations. First, employees would be wasting time learning information that is not relevant to their duties – time that would more efficiently be spent performing their job. Second, such a long session is likely to result in employees not paying attention, despite their best intentions. Third, it is a recipe for confusion; employees who receive training that is irrelevant to their function may incorrectly apply procedures or information they learned during the session to situations where it is not appropriate.
Training and HIPAA Compliance: Some Best Practices
For training to be successful, we advise that it be as relevant as possible to the employee’s role. For efficiency, strike a healthy balance in the number of modules, somewhere between an individual session for every employee and a single session for everyone. We also advise that sessions be kept short but held regularly. Information retention is likely to be higher following classes of about 40 minutes every few weeks or every month than after one three-hour session every quarter.
Given the short duration of the sessions, we advise you to focus on the vital information only – avoid filler such as the background of HIPAA or other “nice to have” details. Also, avoid lecture-like sessions where the text of the law is dictated to employees – make the sessions active and the content relatable.
Be sure to document the who, what, and when of your training. Auditors may need to see records that show the frequency, attendance, and content of sessions.
Finally, getting top management to buy in, attend, and vocally support training will encourage buy-in from employees. It will also show them that the organization is taking compliance seriously – something that should be reinforced by sessions on the consequences of HIPAA breaches for companies, employees, and patients.
HIPAA Compliance – Training Curriculum
Designing a training curriculum can be very difficult, and it is usually the case that many different curricula are needed for different employee roles. Such diversity can be a management nightmare, both financially and logistically. To help ease the burden, we offer a sample HIPAA Training Curriculum below. Each module is essentially self-contained, and the selection of modules offered on each training course can be tailored to the needs of the employee.
- Introduction to HIPAA and HIPAA Compliance – Most employees will have a good understanding of what HIPAA legislation means, but newer employees will certainly benefit from such an introductory module. Indeed, even more experienced employees will probably benefit from a refresher course.
  - What is HIPAA? – The most fundamental part of the course. It is good to start with a general introduction to ensure that all employees are starting from the same basic understanding of privacy regulation. To make it more relevant, you could also include recent news stories concerning HIPAA violations.
  - Applicability of HIPAA – As with all legislative acts, HIPAA has far-reaching implications, and any organisation that deals with health information will have to abide by its rules. However, there are many exceptions. It is good to give employees a broad overview of such exceptions.
  - “HIPAA Dictionary” – HIPAA is a piece of legal documentation. Thus, it is dense with terminology and abbreviations. Before beginning any other training, give employees a chance to learn the most common phrases that they will use in their day-to-day work.
- Covered Entities and their Duties – Most organisations offering HIPAA training courses will be classed as “covered entities”. This includes any organisation that creates, stores, transfers, or otherwise accesses private health data.
  - What are the roles of a CE? – CEs must be HIPAA-compliant, meaning they must maintain the integrity of all protected health information (PHI) that they access. They have other responsibilities, too, such as ensuring patients can access their data.
  - Example CEs – Hospitals, medical practitioners, insurers and healthcare clearing houses are the most common types of CEs. However, there are some unusual cases. If employers partake in an Employee Assistance Program, they are “hybrid entities”. Thus, they must be HIPAA-compliant.
- Business Associates – As well as CEs, business associates are charged with protecting patient data. Employees must be aware of what can be considered a BA, and how to deal with them.
  - Business Associate Agreements – When hiring a third party, the CE must ensure they sign a Business Associate Agreement. Required by HIPAA, a BAA charges the BA with maintaining the integrity of PHI in the same way as the CE. Employees that deal with BAs should be trained in how to write and interpret a BAA.
  - Types of Associate – CEs rarely carry out all data processing themselves. Thus, they hire BAs to perform specific tasks. Common BAs include IT managers, accountants, and consultants. If the third party will come across PHI, they are considered a BA.
- Protected Health Information – HIPAA’s Privacy Rule classifies certain types of information as “protected”, meaning that it must remain private. Only authorized personnel can access the information, and certain measures must be in place to safeguard the data.
  - What is PHI? – Protected Health Information includes, but is not limited to, names, addresses, gender, medical history, credit card information and social security numbers. If a cybercriminal accesses any of this information, patients are left vulnerable to identity theft. Thus, employees must be able to identify this information and treat it accordingly.
- HIPAA Rules – Since it was enacted, many “rules” have been added to HIPAA legislation. Though these address specific aspects of privacy legislation, much of the wording is quite vague. This is deliberate, as it allows the legislation to remain “timeless”.
  - Privacy Rule – The Privacy Rule was the first part of HIPAA that defined PHI and instructed CEs and BAs on how to protect it. The Minimum Necessary Rule is also part of the Privacy Rule, as it prevents an excess of information being given to different individuals.
  - Security Rule – With electronic PHI (ePHI) having increasing importance, HIPAA needed to address ways to protect it. The Security Rule outlines the minimum safeguards (physical, technical and administrative) needed.
  - Breach Notification Rule – If a breach occurs, certain actions must be taken to protect patients. Thus, HIPAA lays out what actions are to be taken by the CE to prevent such damage. Employees must be informed on how and when to notify the OCR and the media.
  - Enforcement Rule – All legislation needs to have some associated punishment. The consequences for HIPAA breaches are laid out in the Enforcement Rule, though the OCR and Department of Health and Human Services can alter punishments at their discretion.
  - Omnibus Rule – The Omnibus Rule covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements of PHI. Given its breadth, employees should be given an overview of the rule and trained in specific areas as necessary.
- Password Policies – Many organisations are confused about HIPAA’s password requirements. They are considered to be “addressable requirements”, meaning that some form of protection must be in place that is at least as effective as passwords.
  - Password strength – The value of regularly changing passwords is debated among tech specialists, though all agree that passwords should contain a mix of upper- and lower-case characters, special characters and numbers. Longer passwords are preferable, and tricks such as the phrase technique can help ensure the memorability of passwords.
  - Two-factor Authentication – Increasingly important, two-factor authentication is the main “rival” to password technology. Upon each login attempt, users are provided with a one-time generated passcode that only they can use. Understanding this technology can help employees choose the appropriate safeguards for PHI.
- Dealing with Children and Minors – Patients under the age of 18 are the most common exception to HIPAA rules. Employees should learn to deal with this patient category, as there are some different procedures for protecting and accessing data.
  - Legal guardians – Usually, medical decisions will be made by the minor’s legal guardian. Any consent for access to data must also be given by these legal guardians. However, there may be some instances in which a court decides the guardian is unable to make decisions and appoints a new proxy guardian. Additionally, emancipated minors must be treated as legal adults.
  - Difficult cases – Unfortunately, healthcare workers are often at the frontline when spotting and reporting cases of child abuse. If a CE believes that the patient has been abused, they may choose not to disclose health data to their legal guardian and instead contact Child Services, who will take over the case.
- Health Information Technology for Economic and Clinical Health Act – HITECH was introduced in the late 2000s to help encourage healthcare providers to use electronic patient records. As it concerns patient health information, employees should be made aware of its reach.
  - HITECH and HIPAA – HITECH and HIPAA both relate to patient data and patient privacy. HITECH is seen as a reinforcement of HIPAA, with a special focus on digital health records and meaningful use of collected data.
- Threats to Patient Privacy – There are many threats – both internal and external – to the integrity of patient data. Employees should be made aware of these threats so that they can be identified and addressed.
  - Cybercrime – An increasing number of cybercriminals are choosing to target healthcare data. This can be via phishing emails, malware or hacking. Employees should receive thorough training in how to identify suspect emails.
  - Human error – The second major threat to PHI integrity: employees making simple mistakes, such as leaving cabinets unlocked, can leave patients at risk from fraud. Employees must be trained in how to enact appropriate safeguards and prevent mistakes from being made.
- Penalties for non-compliance – As outlined above under the Enforcement Rule, HIPAA non-compliance has severe penalties. These should be outlined to employees as a deterrent mechanism, highlighting the importance of compliance.
  - Financial Penalties – There are two types of financial penalties: administrative and personal. The administrative fines range from $50,000 to $2.5 million and are levied against the negligent organisation. By contrast, personal fines are for individuals who were HIPAA non-compliant. If it is deemed that there was malicious intent behind the non-compliance, individuals may face fines of up to $250,000.
  - Jail terms – In severe cases, the OCR may seek judicial remedies to HIPAA violations. This may result in a jail term of 10 years.
HIPAA Training – Conclusion
All employees that deal with PHI should be trained in HIPAA compliance. Given the extensive nature of HIPAA documentation, the training should be aligned to the employee’s role within the company. The above curriculum is a good starting place from which such training courses can be developed, helping to minimize the risk of HIPAA breaches and avoid any resulting penalties.