Breaches are increasing every day. Looking at the HIPAA “Wall of Shame”, we can see that most of the reported breaches are listed as a “Hacking/IT Incident”. Checking further, in the Location of Breached Information section, we see that these hacking incidents are usually email related. Certainly, some of the hacking incidents are firewall breaches or a similar form of attack, but most are due to an employee making a mistake. Many attacks rely on someone on the inside doing something that gives the attacker a foothold, which is why so many breaches start with a phishing email. Providing HIPAA staff training for your practice is a good way to help prevent these attacks: it equips your employees to recognize phishing emails rather than fall prey to them. Read on to find out how you can provide the training your staff needs to protect your practice.
HIPAA Staff Training is the law
Let’s start with the big one. Providing training for your staff is mandatory under HIPAA regulations. It is actually addressed in two places:
- An Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530)
- An Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308)
The HIPAA Privacy Rule requires Covered Entities to train all workforce members on the policies and procedures they need to carry out their duties. In practice this means staff should be trained on how to protect the confidentiality, integrity and availability of your practice’s PHI. The Security Rule, which binds Business Associates as well as Covered Entities, requires a security awareness and training program for all workforce members, including periodic security reminders, protection from malicious software, log-in monitoring and password management, so that staff stay current on new threats.
However, because HIPAA regulations are meant to apply to Covered Entities and Business Associates of all sizes, these requirements are flexible and allow for tailoring to your circumstances. The regulations don’t specify exactly how an entity should provide the training, just that it be provided.
Creating your own training program
HIPAA and security training does not have to be a tedious or stressful process for your office. To make the process easier, first decide what you want to achieve with your training program. Elements you may want to consider:
- security training on phishing emails
- safe Internet surfing
- passwords and how to make them secure
- HIPAA regulations
- sending PHI via email, text, fax and how to do it securely
- leaving voicemail messages properly
- computer security and how to ensure workstations aren’t accessible when unattended
- safe photography of your practice (patients shouldn’t be in the background)
These are examples that cover a wide range of potential areas for you to add to your program.
We wrote a more in-depth post on training items that you can read here.
Repetition is the key
Unless you are in the security field or have an interest in it, this topic will be boring and often confusing. This is why a single training session will not help your staff retain the information. For topics like phishing, training should be repeated several times throughout the year, so that when staff see a phishing email they are better able to identify it.
An easy way to offer free phishing training to your staff is Google’s online phishing test. It presents the user with several sample emails, asks whether each one is legitimate or a phish, and then points out the tells that give the phishing messages away.
The Google online phishing test can be found here.
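The tells that the test teaches (a sender domain that imitates yours, a Reply-To that quietly goes elsewhere, link text that does not match the real destination, and pressure to act immediately) can also be checked mechanically. The script below is an added illustration written for this post; it is not code from the article or from Google’s phishing test. The practice domain (`example-clinic.com`), the urgency word list and the two sample messages are all constructed for the example, and the `phishing_tells` function is a hypothetical helper, not part of any product.

```python
"""Flag the phishing "tells" that awareness training teaches staff to spot.
Added illustration for this post, not code from the article or Google's test; the
practice domain, word list and sample messages below are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-clinic.com"  # assumption: the practice's own mail domain
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")

# Constructed sample: lookalike sender domain ("c1inic"), Reply-To on another
# domain, link text that differs from the real target, and urgent wording.
PHISH = b"""From: IT Help Desk <helpdesk@example-c1inic.com>
Reply-To: recovery@mail-secure-login.net
To: nurse@example-clinic.com
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours. Verify your account
<a href="http://mail-secure-login.net/owa">https://mail.example-clinic.com/owa</a>
immediately.</p>
"""

# Constructed sample: an ordinary internal message with none of the tells.
LEGIT = b"""From: Front Desk <frontdesk@example-clinic.com>
To: nurse@example-clinic.com
Subject: Thursday schedule
Content-Type: text/plain; charset=utf-8

The Thursday clinic starts at 8:00. The full schedule is on the shared drive.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _edit_distance(a, b):
    """Levenshtein distance; one or two edits away from the real domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_tells(raw_message):
    """Return the warnings found in one raw RFC 5322 message (empty list if none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    tells = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    from_domain = sender.domain.lower() if sender else ""
    # 1. Sender domain that imitates the practice's own domain (a "1" for an "l").
    if from_domain != TRUSTED_DOMAIN and _edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        tells.append(f"sender domain {from_domain} imitates {TRUSTED_DOMAIN}")
    # 2. Replies quietly routed to a different domain than the apparent sender.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != from_domain:
        tells.append(f"Reply-To goes to {reply_to.addresses[0].domain}, not {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    # 3. Link text that shows one address while the href points somewhere else.
    if body is not None and body.get_content_subtype() == "html":
        collector = LinkCollector()
        collector.feed(content)
        for href, text in collector.links:
            if text.lower().startswith("http") and _host(text) != _host(href):
                tells.append(f"link shows {_host(text)} but points to {_host(href)}")
    # 4. Pressure wording that pushes the reader to act before thinking.
    haystack = f"{msg['Subject'] or ''}\n{content}".lower()
    found = ", ".join(w for w in URGENCY_WORDS if w in haystack)
    if found:
        tells.append("urgent wording: " + found)
    return tells
```

Running `phishing_tells(PHISH)` returns four warnings (one per tell), while `phishing_tells(LEGIT)` returns an empty list. The point of the exercise is not to replace a mail filter but to show staff, with their own practice’s domain in the script, exactly which features of a message they are being trained to look at.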
Document all of your training efforts
Whatever you decide for your practice’s training program, be sure to document it in your HIPAA documentation. This is necessary in the event of an audit, so that you can prove you did indeed provide the required training.
In addition, have each employee sign off each time they receive training, so they cannot deny having received it after an incident occurs.
The Department of Health and Human Services also has training standards it expects to see. HHS has begun grading practices’ training efforts to ensure that the training is sufficient to achieve compliance, and its goal appears to be to steer practices (and Business Associates) away from canned training DVDs or generic online videos. This is where security awareness training comes in: training should be current and on topics relevant to your circumstances. Below is the grading scale that HHS released. Notice Rating 4: evidence of training is poorly documented and generic. This shows how much weight HHS puts on documentation, and that they don’t want to see generic training. Make your training as focused on your practice as possible.
Following these guidelines is a good way to establish your own training program. Just be sure to follow through and not make it a one-off event. Training needs to be frequent, relevant and documented. Not only will you achieve HIPAA compliance, you will also greatly reduce the chance that your practice suffers its own embarrassing and costly breach.