Whether your employees work on the front line of healthcare, or your organization handles patient data in an office environment, you’ll need to provide HIPAA compliance training.
Not only is HIPAA compliance training required by law, but it’s also vital for protecting your business from expensive lawsuits and data breaches. Regardless of how large your business is, you need to provide regular HIPAA training to ensure every employee stays up to date with the latest rules and regulations updates.
But what, exactly, should your HIPAA compliance training achieve? Here are the nine key things you need to cover in your training program.
Awareness of HIPAA
First of all, every employee must understand what the Health Insurance Portability and Accountability Act is. You can’t assume that new hires will have undertaken HIPAA compliance training before, so you must explain why this training is mandatory. You should also explain that after their initial training, employees will be expected to complete refresher training throughout their careers.
HIPAA and its Rules
Once your employees have context, you can begin to explain the reason why HIPAA is vital in a healthcare setting. At this stage, you should introduce the concept of patient health information, why it needs to be protected by data privacy laws, and the potential consequences a lack of compliance may have. The primary HIPAA Rules are:
The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The rule covers various mechanisms by which an individual is identified, including date of birth, social security number, driver's license or state identification number, telephone number, or any other unique identifier.
Additionally, the covered entity cannot use the information for purposes other than those for which it was collected without first providing patients with a clear notice informing them of their right to opt-out of such use and how they may do so.
The HIPAA Security Rule requires that all covered entities have procedures in place to protect the integrity, confidentiality, and availability of electronic protected health information.
Protected Health Information is defined as:
"individually identifiable health information electronically stored or transmitted by a covered entity."
That includes "all forms of technology used by a covered entity that are reasonably likely to contain records that are protected health information."
The Security Rule also provides standards for ensuring that data are properly destroyed when no longer needed.
Additionally, the rule provides for sanctions for violations of provisions within the Security Rule.
Breach Notification Rule
The HIPAA Breach Notification Rule requires that covered entities report any incident that results in the "theft or loss" of e-PHI to the HHS Department of Health and Human Services, the media, and individuals who were affected by a breach. The HHS Office for Civil Rights investigates all complaints related to a breach of PHI against a covered entity.
HIPAA’s Technical Terms
HIPAA covers a very specific subset of data privacy. So, you need to give your employees a glossary of terms they’ll need to know as part of their HIPAA compliance training. The main terms you should cover and explain are:
- Covered entity
- Business associates
- Protected Health Information (PHI)
In HIPAA, a covered entity is defined as:
"A health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Social Security Act." (An electronic transaction is one the U.S. government defines as "Any transmission between computers that uses a magnetic, optical or electronic storage medium." Read here for more information.)
HIPAA also stipulates that an organization does not have to be in the health care industry to be considered a covered entity - specifically, it can include schools, government agencies, and any other entity that transmits health information in electronic form.
A business associate is defined as:
"A person who creates, receives, maintains or transmits any health information on behalf of a covered entity and whose activities involve:
1) The use and/or disclosure of protected health information;
2) Performing functions or activities regulated by HIPAA;
3) Designing, developing, configuring, maintaining or modifying systems used for HIPAA-regulated transactions."
PHI stands for "protected health information" and is defined as:
"Individually identifiable health information that includes demographic data, medical history, mental or physical condition, or treatment information that relates to the past, present or future physical or mental health of an individual."
The HITECH Act defines PHI specifically as:
"(1) Individually identifiable health information that is transmitted by electronic media;
(2) Individually identifiable health information that is transmitted or maintained in any medium described in paragraph (1); and (3) Individually identifiable health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse."
The HITECH Act expanded PHI to include information that does not meet the HIPAA definition of PHI but relates to the health, welfare or treatment of an individual.
PHI and Associated Responsibilities
Given that your company is a covered entity under HIPAA, you’ll need to explain the role that PHI plays in your business and what responsibilities your employees have to keep that information secure. This should include how much PHI your company’s business associates can access, and the responsibilities that your business associates have in handling that data.
Patients’ Rights and HIPAA
Under HIPAA, patients have the right to see and request copies of their PHI or amend any records in a designated record set about the patient. They also have the right to request that data is sent to a designated person or entity.
Covered entities can only deny these requests in very specific and rare circumstances, so your employees need to fully understand the HIPAA Right of Access clause and how it applies to your organization.
PHI Uses and Disclosures
HIPAA only permits for PHI to be disclosed in two specific ways. The first is under the Right of Access clause, as mentioned above. The second is if the Department of Health and Human Services (HHS) requests it as part of an investigation or enforcement action.
In addition, PHI can only be used without the patient’s consent if it’s needed for treatment and healthcare operations, or it’s being used to determine payment responsibilities.
As such, every employee should receive HIPAA compliance training in their specific job area regarding how they can access data and who is responsible for handling disclosure requests.
The Need for PHI Protection
Once employees understand how PHI is protected, they need to understand why. This should cover the reasons why PHI is considered sensitive information, and, if applicable, case studies that demonstrate how unauthorized use of PHI can cause significant harm.
PHI Security Awareness and Privacy Threats
Not only do your employees need to understand general security awareness concepts, but they should also be aware that many cyber security policies, like using multi-factor authentication, are mandatory under HIPAA.
This part of your training should cover how PHI presents a privacy threat both for patients and your company. Because this data is highly sought after by cybercriminals, you should train employees about the importance of good cybersecurity practices and the responsibilities they have in keeping their workspace secure.
Consequences and Penalties
Finally, your employees need to understand what consequences and penalties they and your company may face for non-compliance.
With penalties carrying fines of up to $50,000 per violation or potential jail time and criminal charges for Willful Neglect charges, employees need to understand the different levels of infractions and how they can affect both themselves and the company.
At this stage, it’s a good idea to use case studies to demonstrate fines and penalties delivered to healthcare businesses and how these infractions are incurred. You should also emphasize to employees that they have the right to speak up if they feel that HIPAA is being violated within your business.
Key Objectives of HIPAA Compliance Training
With HIPAA being an extensive, yet vital part of any healthcare business, you need to make sure you’ve covered all of the bases in your compliance training. By focusing on these objectives, you can deliver meaningful and engaging HIPAA training to ensure your employees and your business stays on the right side of the law.