What Does a HIPAA Class Consist Of?
Individuals that work with protected health information (PHI), whether directly or indirectly, are required to undergo training, or take a HIPAA class. To satisfy the HIPAA regulation, individuals must complete an annual HIPAA class, or HIPAA training program. Essential components of a HIPAA class are discussed below.
HIPAA Class: HIPAA Basics
◈ Security Rule: requires organizations working with PHI to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards include administrative, physical, and technical security measures.
◆ Administrative: these are written policies and procedures that dictate the proper uses and disclosures of PHI.
◆ Physical: security measures implemented at an organization’s physical location, such as alarm systems, locks, and CCTV cameras.
◆ Technical: security measures that protect electronic protected health information (ePHI), which is PHI stored in an electronic format, such as on a computer. These measures include antivirus software, firewalls, and password protection.
◈ Privacy Rule: requires organizations to ensure the privacy of PHI. The Privacy Rule, among other things, requires organizations to adhere to the minimum necessary standard. The minimum necessary standard dictates that organizations and their employees should only access PHI with a specific purpose. As such, employees must only be given access to PHI that they need to perform their job functions.
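The minimum necessary standard is, in engineering terms, least-privilege access to PHI: an application should release only the fields a job function needs, require a stated purpose, and record who saw what. The following is an added example, not code from the original page or from any particular product; the roles, field names, patient record and audit-line format are all constructed for illustration.

```python
"""Role-based "minimum necessary" filtering of a PHI record (illustrative)."""
from __future__ import annotations

from datetime import datetime, timezone

# Hypothetical mapping of job roles to the PHI fields each role needs.
# A real deployment would derive this from its own policies and procedures.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "billing": frozenset({"patient_id", "name", "insurance_id", "billed_amount"}),
    "nurse": frozenset({"patient_id", "name", "date_of_birth", "diagnosis", "medications"}),
    "scheduler": frozenset({"patient_id", "name", "next_appointment"}),
}

# Constructed sample record; every value here is made up.
SAMPLE_RECORD: dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Pat Example",
    "date_of_birth": "1980-01-01",
    "insurance_id": "INS-12345",
    "billed_amount": 250.00,
    "diagnosis": "example diagnosis",
    "medications": ["example medication"],
    "next_appointment": "2030-01-15T09:00",
}


class AccessDenied(PermissionError):
    """Raised when a request does not meet the minimum necessary standard."""


def minimum_necessary(record: dict[str, object], role: str, purpose: str) -> dict[str, object]:
    """Return only the fields that `role` is permitted to see.

    A request with no stated purpose or an unknown role is refused outright
    rather than falling back to a broader field set.
    """
    if not purpose.strip():
        raise AccessDenied("a specific purpose must be stated for every PHI access")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise AccessDenied(f"role {role!r} has no approved PHI access")
    return {key: value for key, value in record.items() if key in allowed}


def audit_entry(role: str, purpose: str, released: dict[str, object]) -> str:
    """Build an audit-log line naming the fields released, never their values."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    fields = ",".join(sorted(released))
    return f"{stamp} role={role} purpose={purpose!r} fields={fields}"


if __name__ == "__main__":
    view = minimum_necessary(SAMPLE_RECORD, "billing", "claim submission")
    print(view)
    print(audit_entry("billing", "claim submission", view))
```

The audit line deliberately records field names rather than field values, so the log itself does not become a second copy of the PHI it is meant to account for.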
◈ Breach Notification Rule: organizations that experience a breach are required to report the breach. Depending on the scope of the breach, reporting requirements differ.
◆ Minor Breach: affecting fewer than 500 patients, this type of breach must be reported within 60 days from the end of the calendar year in which it was discovered (i.e., by March 1st). The breach must be reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), as well as affected patients.
◆ Major Breach: affecting 500 or more patients, this type of breach must be reported within 60 days of discovery. The breach must be reported to HHS OCR, affected patients, and the media.
HIPAA Class: Policies and Procedures
Organizations must develop policies and procedures that apply directly to their business operations. Policies and procedures are required to be in line with HIPAA standards. This includes policies and procedures dictating how an organization complies with the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
Policies and procedures must be reviewed annually to account for any changes in business operations. Additionally, employees must be trained annually on their organization’s policies and procedures to ensure that they adhere to them. Employees must legally attest that they have read and understood all of the policies and procedures, and they agree to comply with them. If an employee does not understand a policy or procedure, they must be given further training to clarify.
HIPAA Class: Social Media
As HIPAA requires the confidentiality of PHI to be maintained, it is important that employees are aware of the permitted uses and disclosures of PHI on social media. PHI should never be posted on social media without prior patient authorization. This includes responding to patient reviews in any way that confirms that the patient has been seen by the practice, patient testimonials on an organization’s website, and photos with PHI (even if PHI is in the background of the photo).
HIPAA Class: Phishing
Phishing occurs when attackers impersonate a trusted entity, usually through an email, prompting recipients to click on a malicious link. Clicking on the link can give the attacker access to the recipient’s system and, in some cases, to an organization’s entire network. To prevent unauthorized access to PHI, it is essential that employees are trained on how to recognize a phishing attempt.
Some common indications that an email is a phishing email include:
◈ Poorly written emails
◈ Emails asking recipients to provide their login credentials
◈ Emails containing unsolicited attachments
◈ Email addresses with spelling errors
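Three of the four indicators above can be checked mechanically before a message reaches an employee: a sender domain that is a near-miss spelling of a trusted one, wording that asks for login credentials, and an unexpected attachment from an outside sender. The block below is an added example, not code from the original page or from any mail-security product; the trusted domain, keyword list, risky-extension list and both sample emails are constructed for illustration, and the "poorly written" indicator is left to the human reader because it does not reduce to a reliable rule.

```python
"""Heuristic phishing-indicator checks over constructed sample emails."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed set of domains the organization itself sends from.
TRUSTED_DOMAINS: frozenset[str] = frozenset({"examplehealth.org"})

# Phrases that typically accompany a request for login credentials.
CREDENTIAL_PATTERNS = [
    r"\bpassword\b",
    r"\blog ?in\b",
    r"\bcredentials\b",
    r"\bverify your (account|identity|login)\b",
]

# Attachment types that warrant a closer look when they arrive unsolicited.
RISKY_ATTACHMENT_EXT = frozenset({".exe", ".zip", ".js", ".scr", ".html", ".docm", ".xlsm"})


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def phishing_indicators(mail: Email) -> list[str]:
    """Return a human-readable list of the indicators found in `mail`."""
    flags: list[str] = []
    domain = sender_domain(mail.sender)
    trusted = domain in TRUSTED_DOMAINS

    # Indicator: sender domain is a near-miss spelling of a trusted domain.
    if not trusted:
        for known in TRUSTED_DOMAINS:
            if 0 < levenshtein(domain, known) <= 2:
                flags.append(f"lookalike sender domain {domain!r} resembles {known!r}")

    # Indicator: message asks the recipient for login credentials.
    text = f"{mail.subject}\n{mail.body}".lower()
    if any(re.search(pattern, text) for pattern in CREDENTIAL_PATTERNS):
        flags.append("message asks for login credentials")

    # Indicator: risky attachment from a sender outside the organization.
    if not trusted:
        risky = [name for name in mail.attachments
                 if any(name.lower().endswith(ext) for ext in RISKY_ATTACHMENT_EXT)]
        if risky:
            flags.append(f"unsolicited attachment(s) from untrusted sender: {risky}")
    return flags


# Constructed samples: one ordinary internal notice and one lookalike lure.
LEGIT = Email(
    sender="it-support@examplehealth.org",
    subject="Staff meeting moved",
    body="Reminder: the quarterly staff meeting has moved to 3 pm on Thursday.",
)
PHISH = Email(
    sender="it-support@examp1ehealth.org",
    subject="Action required: password expires today",
    body="Click the link below to verify your login credentials.",
    attachments=["account_update.zip"],
)

if __name__ == "__main__":
    for sample in (LEGIT, PHISH):
        print(sample.sender, "->", phishing_indicators(sample) or "no indicators")
```

In practice these checks belong in a mail gateway or a reporting button's triage script, where a flagged message is held or routed to the security team rather than blocked silently; the edit-distance threshold of 2 is an assumption and should be tuned against the organization's real traffic to keep false positives low.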