Does my staff need HIPAA training, is a common question asked by organizations. Does your organization handle, or have the potential to view, protected health information (PHI)? If so, your staff needs HIPAA training. More details on what types of organizations are required to conduct HIPAA training, and what should be included in HIPAA training, are discussed below.
Does My Staff Need HIPAA Training: Types of Entities Requiring Training
Does my staff need HIPAA training? Under HIPAA, all staff that handles PHI, or has the potential to access PHI, must be trained. HIPAA training ensures that PHI use and disclosure is in line with the HIPAA minimum necessary standard. HIPAA training also enables organizations to adequately secure PHI, and provides staff with guidelines on how to report a breach should one occur.
Covered Entities
These organizations are involved in treatment, payment, and healthcare operations. Organizations that fall under this umbrella include healthcare providers, health plans, and healthcare clearinghouses.
Business Associates
These organizations receive, transmit, create, maintain, or store PHI on behalf of their covered entity clients. Business associates include organizations such as managed service providers, SaaS providers, and third-party claims processors.
What Should HIPAA Training Include?
HIPAA training must be conducted annually to reinforce HIPAA standards, and instill a culture of compliance within your organization. HIPAA training consists of four major components.
HIPAA Basics
Employees must be trained on the HIPAA Privacy, Security, and Breach Notification Rules.
Policies and Procedures
Policies and procedures create a framework for how your organization and employees adhere to HIPAA standards. To ensure that employees are aware of your organization’s policies and procedures, they must be trained on them annually. Depending on an employee’s job role, the detail in which they are trained will vary. For instance, your Privacy Officer will need a much deeper understanding of your privacy policies than your office administrator.
Social Media Use
In an ideal world, staff would not be on social media during work hours. However, this is an unrealistic expectation. This is why staff members must be aware of the proper use of social media in the workplace. PHI should never be contained in a social media post without prior written authorization from the patients. It is also required to receive written consent from a patient before posting patient testimonials to your website. Additionally, responding to patient reviews in a manner that confirms that an individual is a patient is prohibited.
Cybersecurity Best Practices
Cybersecurity training is an essential component of HIPAA compliance, especially when the majority of HIPAA breaches occur due to human error, particularly stemming from phishing attacks. Employees that are trained on how to recognize phishing emails are less likely to fall victim to phishing attempts. They are also more likely to report the phishing email to management, preventing other employees from taking the bait.