Online HIPAA Compliance Training with Compliancy Group

Online HIPAA compliance training allows organizations to train employees on HIPAA standards. Compliancy Group’s online HIPAA compliance training enables organizations to train employees and track their training progress.

Online HIPAA Compliance Training: What Should be Included

The HIPAA regulation requires organizations working with protected health information (PHI) to train their employees annually. Annual training should include training on HIPAA basics, your organization’s policies and procedures, cybersecurity, and the proper use of social media.

◈ HIPAA Basics. Online HIPAA compliance training should start with an overview of HIPAA basics. This includes training on the HIPAA Privacy, Security, and Breach Notification Rules. 

◆ Privacy Rule. The HIPAA Privacy Rule dictates the proper uses and disclosures of PHI. To ensure that PHI is only used and disclosed for a specific purpose, this Rule also established the minimum necessary standard. The minimum necessary standard requires organizations, and their employees, to only use and disclose PHI to perform a job function. This minimizes the risk of insider breaches as employees are designated different levels of access to PHI based on their roles and responsibilities. Training employees on the HIPAA Privacy Rule ensures that they are aware of the permitted uses and disclosures of PHI.

◆ Security Rule. The HIPAA Security Rule mandates the confidentiality, integrity, and availability of PHI to be upheld through the implementation of HIPAA safeguards. These include administrative, technical, and physical safeguards. Awareness of the Security Rule ensures that you are adequately protecting PHI from unauthorized access.

◆ Breach Notification Rule. The Breach Notification Rule requires organizations that experience a breach to report the incident. Depending on the size of the breach, reporting requirements differ. Breaches affecting 500 or more patients must be reported within 60 days of discovery to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), affected patients, and the media.

Breaches affecting less than 500 patients must be reported within 60 days from the end of the calendar year (March 1) in which the breach was discovered. These breaches must be reported to HHS’ OCR and affected patients.

◈ Policies and Procedures. To ensure that employees adhere to HIPAA standards, it is important to develop policies and procedures for your organization. Policies and procedures dictate the proper uses and disclosures of PHI for your organization, in line with the Privacy Rule. They also include your organizations safeguards, and dictate the proper measures for reporting a breach, should one occur.

◈ Cybersecurity. Healthcare is one of the most targeted industries for cyberattacks. As such, it is important that employees are trained on how to recognize cyberattacks. The most common form of cyberattacks are phishing attempts. A phishing attack occurs when a hacker disguises themselves as a trusted entity so that they can gain access to sensitive information.

◈ Social Media. In any industry, improper use of social media can be detrimental to your business. In healthcare, sharing PHI on social media without patient consent is a HIPAA violation. Ideally, employees should not use social media at work, but this isn’t always realistic, so training employees on what information is permitted to be shared is essential. Before posting a patient review to your website, or sharing an image of them on other social platforms, you must receive prior authorization (even if a patient or patient information is present in the background of a photo). Employees must be aware of this so that they don’t accidentally share PHI without consent.