The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted by Congress in August 1996 with the primary purposes of:
- Protecting healthcare workers in the U.S. from losing their health insurance coverage if they change their jobs or have pre-existing health conditions.
- Reducing administrative burdens and costs of health care by establishing standard electronic formats for various electronic transactions that were carried out on paper.
- Developing and establishing standards and requirements to protect the privacy and security of patients’ health information.
The HIPAA Privacy Rule and the HIPAA Security Rule make up most of the HIPAA law, and organizations that deal with protected health information (PHI) are required to give extra attention to both of these rules. Both the Privacy Rule and the Security Rule have security and awareness training requirements. However, most of the implementation specifications under the Security Rule are “addressable,” whereas the Privacy Rule’s requirements are “required.” That said, being addressable does not mean that healthcare providers can ignore these requirements and move on. In this context, “addressable” means that you must assess whether the specification is reasonable, appropriate, and applicable to your practice. If OCR discovers that an addressable component applies to your system and you have not implemented it, you may be penalized for it. In today’s article, I will briefly explain the requirements for security and awareness training programs and how you can simplify them.
Why is it important?
The State of Privacy and Security Awareness study conducted by MediaPro revealed that around 78% of healthcare employees showed some lack of preparedness with regard to conventional privacy and security threat scenarios. Robust data security and training on patient privacy would help reduce cybersecurity risks and benefit organizations as they work to keep pace with evolving data breaches.
Security safeguards are only as strong as your weakest link, and hackers will always try to approach the weakest point in your defenses. Primarily there are two types of hackers: those with few skills hoping for easy prey to come along, performing exploits in bulk, and those with substantial skills, taking a more targeted approach to achieve their end goal. Today’s breaches mostly involve the latter type. Why target healthcare organizations? Because healthcare data has become extremely lucrative on the black market. Healthcare records contain sensitive personal information in greater depth and breadth than most other data, making it easier for criminals to misuse that information for purposes such as medical identity theft.
An IT security team may be up to date on the latest HIPAA compliance rules, but without appropriate training that addresses not only HIPAA guidelines but also the issues at stake and the various ways security can be breached, an average employee will not know how to defend against determined hackers or how to react if a security incident occurs.
Compliance means training
HIPAA security and awareness training is one of the administrative safeguard requirements that all covered entities, as well as business associates, must implement. The purpose of this program is to educate employees about their security responsibilities and best practices. There are four areas the training program must cover:
- Security Reminders – the organization must distribute security updates and reminders periodically. Topics for these reminders can include on-site visitor monitoring, appropriate use of handheld devices, and detecting social engineering attacks.
- Protection from Malicious Software – healthcare employees should learn to protect against and report malicious software. Any member of the workforce who has access to electronic protected health information (ePHI) must be trained to identify symptoms of malicious software and to follow the procedures for controlling and reporting such issues.
- Log-In Monitoring – healthcare employees should learn to recognize discrepancies in log-in procedures, and technical safeguards should be in place to detect suspicious log-in activity.
- Password Management – healthcare employees should learn to create, change, and protect secure passwords. As password requirements may change over time, make sure you review them periodically so that they remain effective.
Each of these training requirements is addressable. However, if you skip any of them because it is neither applicable nor reasonable for your practice, you must document the reason for not implementing that component, for using a different method, or for implementing only a partial solution.
During an audit, the auditor will review the training materials and schedules to ensure that they are sufficient and will determine whether your decision was correct or incorrect. That said, going beyond the minimum with security measures brings no harm, while lacking in security could result in fines and penalties. So, if you are not sure whether a requirement applies, it is best to just implement it.
Healthcare providers get bombarded with data and information and have too little time to process it all. Besides HIPAA compliance, healthcare organizations need to deal with various other business processes and tasks. Providers can reduce administrative burden and compliance complexity by using HIPAA compliance software with learning management system capabilities to streamline tasks such as employee training, internal audits, policy management, and much more. Robust cloud-based management applications are on the rise, and for obvious reasons, but that topic is for another day.