What is HIPAA Awareness Training?
All employees must receive training on the HIPAA Privacy Rule and the HIPAA Security Rule. HIPAA security awareness training goes beyond the minimum training requirements. HIPAA awareness training consists of activities a covered entity can undertake, as frequently as is needed, to ensure HIPAA rules are followed on a day-to-day basis.
HIPAA Awareness Training: Privacy Rule Training and Security Rule Training
Before employers can develop an effective HIPAA awareness training program, they must meet the minimum training requirements imposed by the rules themselves – the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule requires covered entities to train workforce members on its privacy policies and procedures that governing use and disclosure of PHI, as necessary and appropriate for the workforce members to perform their job roles. HIPAA Privacy Rule training is required for each new member of a covered entity’s workforce, within a reasonable period of time after the person joins the workforce. Privacy Rule training must also be provided to each member of the covered entity’s workforce whose functions are affected by a material change in the covered entity’s policies or procedures, within a reasonable period of time after the material change becomes effective.
The Department of Health and Human Services states that the Privacy Rule training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
The HIPAA Security Rule requires covered entities to provide security awareness and training to workforce members, including management. This can be done by implementing security reminders, in the form of periodic security updates; protection from malicious software, in the form of procedures for guarding against, detecting, and reporting malicious software; login monitoring, in the form of procedures for monitoring login attempts and reporting discrepancies; and password management, in the form of procedures for creating, changing, and safeguarding passwords.
What Should HIPAA Awareness Training Consist of?
HIPAA awareness training should provide employees with an understanding of why the rules they are being trained on actually matter. Providing this awareness to workforce members can be accomplished by:
- Explaining the penalties for HIPAA violations: This explanation will make employees aware of how violation of HIPAA can result in significant financial consequences, and in an organization’s having to undertake significant remedial efforts.
- Explaining the consequences for individuals discovered to have violated HIPAA rules: This explanation will make employees aware that consequences of violating HIPAA can be far-reaching, and can include, in addition to monetary penalties, publication by HHS of the facts of the violation; placement of a covered entity’s name on the HIPAA “Wall of Shame,” and in some instances, criminal penalties.
- Making the training as interactive as possible: Making employees read policies or watch videos technically can satisfy training requirements. However, this kind of passive training is more likely to be forgotten than interactive training in which workforce members can participate. Interactive training can consist of the following:
- Giving employees quizzes and then going over the results;
- Providing newsletters, and then holding meetings to go over the content of the newsletters and allowing for questions; and
- Using (and explaining the content in) posters and other types of visual reinforcement.
- Providing monthly cybersecurity updates: These updates can consist of going over recent news involving cyberattacks and explaining cybersecurity concepts. Employees should be encouraged to ask cybersecurity-related questions. If a number of employees have the same question or a similar one, consider providing refresher training on the topic.
- Tailoring training to specific departments and roles: One training program does not fit all. HIPAA training for the IT department should not be the exact same as that for administrative workers. Material relevant to a workforce member’s specific role within the organization should be emphasized.
- Being proactive in training: This means providing training as soon as possible following any privacy or security violation and after a data breach has been experienced. The individuals involved should be retrained, or sanctioned, as necessary. It is equally important, as part of HIPAA awareness training, to retrain staff to ensure similar breaches do not occur in the future. It is possible that workforce members not involved in a recent violation or breach may nonetheless have failed to understand HIPAA requirements or are making similar mistakes; this “after-violation” HIPAA awareness training can prevent such mistakes from recurring.
- Avoiding information overload: While any specific threats to the workforce (such as malware threats) should be communicated as necessary, covered entities should avoid constantly bombarding employees with information about new cybersecurity threats. Giving too much information all at once can serve to de-emphasize the importance of any one piece of information. Employees who are overloaded with alert information may suffer from alert fatigue, and may ignore new information.
HIPAA Awareness Training: Policies and Procedures
In addition to the video training module, employees receive training on your organization’s HIPAA Privacy and Security Policies and Procedures. This training provides employees with information on how your organization specifically complies with the HIPAA rules and regulations.
Policies and Procedures. Employees such as your compliance and security officers must read through and understand your full policies and procedures. However, the average employee only needs a basic understanding of your policies and procedures. Within our training module, employees are provided with a summary of your organization’s policies and procedures. Once they have read the documents, employees legally attest that they have read and understood the documents. If an employee does not understand a particular section, administrators are notified so that they may receive additional training.
HIPAA Awareness Training: Documentation and Tracking
Our HIPAA compliance tracking software stores all of the documentation you need to prove that your employees completed their training, and that they agree to adhere to HIPAA standards. Administrators have the ability to track each employee’s training progress, as each employee is given unique login credentials to access the training material. When it is time for employees to be retrained, which must occur annually, administrators are notified.