HIPAA Rules require that your organization provide training to employees on privacy and security awareness. Employees should know about the law as well as your organization’s specific policies and procedures. Reminding employees of rules and regulations through HIPAA training and keeping them abreast of the most common forms of cybercrime is a smart move.
The Health and Human Services Office for Civil Rights Breach Portal lists 28 breaches that occurred in August 2018. Of those 28 breaches, 11 were due to email compromise, most likely phishing. Cybercriminals send phishing emails in the hope that end users – your employees – will reveal sensitive information. Hackers also use phishing to install ransomware. Informed employees are less likely to fall prey to hackers who target your organization.
Who Needs to be Involved in HIPAA Training?
HIPAA training is mandatory for anyone who comes into contact with PHI. Who might this include? Insurance agents, doctors, employers who provide healthcare plans, dentists, nurses, human resource officers, receptionists, part-time employees/interns, and security personnel, among others. If your business associates also come into contact with PHI, they need to be properly trained, too. Don’t forget new employees! They must receive training soon after their start date. If policies and procedures change, update your materials and re-educate employees impacted by the changes.
How to Document HIPAA Training
The Office for Civil Rights requires that you document all training each time you provide it to employees. If you’re ever audited and can’t produce that documentation, you will be cited for a violation. Keep proof of the privacy and security awareness education you have provided to your employees: sign-in sheets, signed statements acknowledging receipt of training, and computer-based records of completion or quiz results. HIPAA requirements for documenting training are covered in 45 C.F.R. §§ 164.316(b) and 164.530(j)(2).
How Often Should You Offer HIPAA Training?
Any person in your organization could be the cause of a HIPAA violation or a data breach, so offering training infrequently puts your organization in harm’s way. HIPAA requires that security awareness education be performed “periodically,” but it’s in your best interest to train often. The Office for Civil Rights has indicated that monthly security updates, delivered through training, newsletters, email, posters, and discussions, are appropriate. Computer-based modules can also be helpful, with additional training provided bi-annually. Annual or bi-annual sessions should be more in-depth and should cover new risks faced by organizations, as well as a recap of other pertinent HIPAA information.
Health insurance agents and brokers must also meet the requirements of the Gramm-Leach-Bliley Act (GLBA), which requires annual education. Scheduling annual training helps these groups meet the requirements of both laws while also protecting their business.
Total HIPAA offers everything you need to train employees. Our HIPAA Prime™ online solution includes an engaging series of video modules that provide detailed explanations, in-depth discussions, and real-world scenarios for your organization. Furthermore, we send quarterly updates and compliance reminders to make sure your staff is always up to date.
In essence, curiosity, fear, and urgency are the emotions criminals prey upon to pressure people into clicking links or downloading files that ultimately threaten your network. Reduce the chance that the PHI your company controls can be breached: train everyone regularly.
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- The HIPAA Security Rule 45 C.F.R. § 164.308(a)(5)(i)