Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a critical piece of legislation in the healthcare industry. It introduced industry- and country-wide standards for the protection of sensitive healthcare data. These standards improved efficiency, security, and patient experiences in the healthcare
One of the most common causes of data breaches is employee negligence. This may include leaving a laptop in a location in which it can be easily stolen or failing to lock essential files in a secure drawer. Employees failing to follow basic IT safety practices may result in an organisation falling victim to phishing emails, thereby allowing unauthorised individuals to gain access to vast numbers of patient files.
Because of these risks, employee training is a requirement of HIPAA’s Rules. Employees must understand their responsibilities under HIPAA and how to ensure that patient data remains secure.
This article will provide some guidance on how to ensure employees are familiar with HIPAA’s strict data security requirements and how they can fulfil their obligations to protect PHI.
HIPAA is a complex piece of legislation, so a brief overview of some of the most fundamental aspects of the legislation, such as definitions, is an excellent place to start in an employee training course:
Covered entities: Defined in the HIPAA rules as 1) health plans, 2) health care clearinghouses, and 3) health care providers who electronically transmit any health information in connection with transactions for which the US Department of Health and Human Services has adopted standards. These organisations are required to comply with HIPAA.
Business Associates: Defined as organisations which conduct specific functions on behalf of a CE. BAs are subject to HIPAA compliance if the activity they perform on behalf of the CE requires the use or disclosure of individually identifiable health information. A BA must sign a Business Associate Agreement (BAA) before working with a CE.
PHI: Health information that is linked to any of the “HIPAA Identifiers”, the data elements that can be used to identify, contact or locate an individual, or be combined with other sources to identify an individual. The identifiers are listed below.
- Names
- Addresses
- Dates
- Phone Numbers
- Fax Numbers
- Email Addresses
- Social Security Numbers
- Medical Record Numbers
- Health Plan Numbers
- Account Numbers
- Certificate/License Numbers
- Vehicle Identifying Numbers
- Device Identifying Numbers
- Web URLs
- IP Addresses
- Biometric Identifiers
- Photographic Images
- Any Other Unique Characteristic
A thorough explanation of HIPAA’s Rules should be central to any employee training course. The Rules address specific security requirements, such as the safeguards that should be implemented or response frameworks that should be in place if a data breach were to occur.
- Privacy Rule – defines PHI and informs CEs and BAs of their responsibilities to protect patient data. The Minimum Necessary Rule is also part of the Privacy Rule; it stipulates that when PHI is handed over to a third party, only the minimum amount of data necessary to complete the specific task should be disclosed.
- Security Rule – outlines the minimum physical, technical, and administrative safeguards needed to protect electronic PHI.
- Breach Notification Rule – outlines the procedures that must be followed in the aftermath of a breach to ensure that the risk of harm to patients is minimal. Employees must be informed of how and when to notify the OCR and the media.
- Enforcement Rule – contains guidance on the fines and penalties that may be levied against a CE should a data breach occur. (OCR and Department of Health and Human Services can alter punishments at their discretion.)
- Omnibus Rule – covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements of PHI.
In HIPAA’s text, the Rules are worded vaguely, so that they are not tied to any specific technology (such as a particular form of encryption) which may become outdated. Rather than repeating such vague terminology, it is recommended that you present how the Rules are being applied in your organisation and how they affect employees. For example, instead of listing the Security Rule’s requirements for adequate physical safeguards, inform your employees of the specific safeguards in use, such as locked desk drawers or filing cabinets.
Best Practices Against Threats to Data Security
Employees should be introduced to the most significant threats to PHI. These include, but are not limited to, phishing attacks, ransomware campaigns, Trojan malware, and stolen mobile devices.
Particular attention should be paid to cyber attacks. The healthcare industry is a lucrative target for attackers because of the high black market value of PHI. If even one employee falls for a phishing campaign, the whole network may be compromised, and the attacker may access vast numbers of patient files before the organisation notices it is under attack. Training courses on avoiding phishing attacks and recognising suspicious emails should be offered explicitly.
Employees should also be informed of IT security best practices, such as enabling two-factor authentication on mobile devices and private email accounts.
HIPAA Training: Summary
We have outlined some of the most critical aspects of HIPAA that any employee training course should cover. All employees at an organisation which handles the sensitive healthcare information of patients should be familiar with at least the basic data security requirements outlined in HIPAA. Individual employees may require further training depending on their roles in the organisation or how they interact with patient data.
It is recommended that training be held regularly, in short sessions. It is essential to keep a record of training sessions: who attended, what each session covered, and how regularly they occur. As employee training is a HIPAA requirement, auditors may need to see these records.