Why You Shouldn’t Use a Free HIPAA Training PowerPoint

While in the past using a free HIPAA training PowerPoint was an acceptable method to train employees, the Department of Health and Human Services (HHS) has deemed this insufficient. Employees are required to be trained annually, making group training ineffective. For instance, if a new employee was hired right after your company’s annual training, they could go a full year without receiving the proper training. It is recommended that HIPAA training is conducted in a way that engages employees. 

When using a HIPAA training sign in sheet, employees can easily sign in, and leave without completing their training. When creating your training program, you should include means for employees to legally attest that they have read and understood all of the training material; simply passing around a HIPAA training sign in sheet does little to prove that employees are paying attention to and understand the training. 

Effective HIPAA Training

Adequate employee training includes materials on HIPAA standards, as well as your organization’s internal policies and procedures. Training on HIPAA standards teaches employees the proper uses and disclosures of protected health information (PHI), which limits the risk of your organization experiencing an insider breach. Insider breaches occur when employees access PHI excessively or without a specific purpose. HIPAA requires organizations working with PHI, and their employees, to adhere to the minimum necessary standard; this means that PHI should only be accessed to perform a job function.

Employee training may also include how to recognize phishing emails, and the proper use of social media. Phishing emails have increased in prevalence as hackers become more sophisticated. Phishing emails target employees by posing as a trusted individual, either asking employees to divulge confidential information, or prompting them to click on a malicious link. These are both tactics hackers use to gain access to the employee’s computer, and in some cases the organization’s entire internal network.

It is important for employees to understand how they are permitted to use social media. It is not permitted to disclose a patient’s PHI on social media without their explicit written consent. This includes testimonials on your website, photos of patients, or photos that have PHI in the background. To be safe it is best that you have a “no social media at work” policy. 

Additionally, responding to online patient reviews has strict requirements in which you are not permitted to disclose or comment on PHI, even when the patient puts their own PHI in a review. There was a recent case in which a small dental practice was fined $10,000 for responding to a patient review, confirming that the individual was a patient. When responding to patient reviews, the only HIPAA compliant responses are “Thank you” or “Please call our office.” Even when a patient is complaining, for instance, that they had to wait a long time to see the doctor, a response stating “we’re sorry you had to wait so long,” is not HIPAA compliant, as you are confirming that the person is a patient. 

HIPAA Training With Compliancy Group

Compliancy Group’s HIPAA compliance solution includes all of the required annual training. Clients are given access to the employee training module through our web-based HIPAA platform, the Guard. Employees are given unique login credentials, enabling administrators to track employees’ training progress. Throughout the training, employees are asked to legally attest that they have read and understood the training material, ensuring that employees are aware of what is required of them.