
HIPAA Training

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a critical piece of legislation in the healthcare industry. It introduced industry- and country-wide standards for the protection of sensitive healthcare data. These standards improved privacy, security, and efficiency, and gave patients new rights over their healthcare data.

One of the most common causes of data breaches is employee negligence, such as leaving a laptop where it can easily be stolen, failing to lock essential files in a secure drawer, or failing to log out of an EHR session when leaving a computer unattended. Employees who do not follow basic IT safety practices can also cause an organization to fall victim to a phishing attack, allowing unauthorized individuals to gain access to vast numbers of patient records.

Because of these risks, employee training is a requirement of the HIPAA Rules. Employees must understand their responsibilities under HIPAA and be taught how to keep patient data private and confidential.

This article provides guidance on how to ensure employees are familiar with HIPAA's data security requirements and how they can fulfill their obligations to protect PHI.

HIPAA Basics

HIPAA is a complex piece of legislation, so a brief overview of some of the most fundamental aspects of the legislation, such as definitions, is an excellent place to start in an employee HIPAA training course:

Covered entities: Defined in the HIPAA rules as 1) health plans, 2) health care clearinghouses, and 3) healthcare providers who electronically transmit any health information in connection with transactions for which the US Department of Health and Human Services has adopted standards. These organizations are required to comply with the HIPAA rules.

Business Associates: Defined as organizations which conduct specific functions on behalf of a CE. BAs are subject to HIPAA if the activity they perform on behalf of the CE requires the use or disclosure of individually identifiable health information. BAs must sign a Business Associate Agreement (BAA) before working with a CE. The BAA outlines their responsibilities under HIPAA.

PHI: Protected Health Information (PHI) is individually identifiable health information that is created, received, stored, or transmitted by a CE or BA. Health information becomes individually identifiable when it contains, or can be combined with other sources to yield, data that identifies, contacts, or locates an individual. The Privacy Rule's Safe Harbor de-identification standard lists 18 such identifiers; data from which all 18 have been removed (and which the entity has no actual knowledge could still identify someone) is no longer PHI. The 18 identifiers are listed below.

1. Names
2. Addresses (geographic subdivisions smaller than a state)
3. Dates directly related to an individual (other than year)
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographic images and comparable images
18. Any other unique identifying number, characteristic, or code
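Several of the identifiers above have a recognizable shape (SSNs, phone numbers, email addresses, IP addresses, URLs, dates), which is what makes a pattern-based scan over free text a useful first check before a document leaves the organization. The following is an added example, not code from the original article or from HHS: it scans a constructed clinical note for those identifiers, resolves overlapping matches, and redacts what it finds. The MRN pattern assumes a "MRN" label followed by 6 to 10 digits, which is an assumption for this example, not a HIPAA format. Note what it cannot do: the patient's name survives the redaction because names have no fixed shape, so a clean scan is evidence of exposure, never proof of de-identification.

```python
import re

# Added example (not from the original article). Pattern-based first pass over free
# text for the Safe Harbor identifiers that have a recognizable shape. Names, account
# numbers, biometrics and images do not; those need context rules, dictionaries or a
# trained model, so a clean scan is evidence of exposure, never proof of de-identification.
PATTERNS = {
    # SSN: reject area 000/666/9xx, group 00 and serial 0000, which are never issued
    "ssn": re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # US phone: optional +1, optional parentheses around the area code, one mandatory separator
    "phone": re.compile(r"(?<!\d)(?:\+1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]\d{4}(?!\d)"),
    "ipv4": re.compile(r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    # US-style MM/DD/YYYY dates; any date other than the year is an identifier
    "date": re.compile(r"(?<!\d)(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}(?!\d)"),
    # Assumption for this example: an explicit "MRN" label followed by 6-10 digits
    "mrn": re.compile(r"\bMRN[ :#]*\d{6,10}(?!\d)", re.IGNORECASE),
}

TRAILING_PUNCT = ".,;:)]"


def find_identifiers(text):
    """Return (kind, value, start, end) tuples sorted by position; where two matches
    overlap (for instance a date embedded in a URL) the longer one wins."""
    raw = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "url":
                value = value.rstrip(TRAILING_PUNCT)  # "…/8812," -> "…/8812"
            raw.append((kind, value, m.start(), m.start() + len(value)))
    raw.sort(key=lambda h: (h[2], -(h[3] - h[2])))
    hits, last_end = [], -1
    for h in raw:
        if h[2] >= last_end:  # drop anything nested inside an earlier, longer hit
            hits.append(h)
            last_end = h[3]
    return hits


def redact(text):
    """Replace every hit with a [KIND] placeholder, right to left so offsets stay valid."""
    out = text
    for kind, _value, start, end in reversed(find_identifiers(text)):
        out = out[:start] + f"[{kind.upper()}]" + out[end:]
    return out


def identifier_kinds(text):
    """Sorted list of identifier kinds present; an empty list means nothing was spotted."""
    return sorted({h[0] for h in find_identifiers(text)})


# Constructed sample note; no real patient data.
SAMPLE = (
    "Patient Jane Doe, MRN: 00482913, DOB 04/12/1961, SSN 123-45-6789, "
    "phone (555) 867-5309, email jane.doe@example.com, seen 03/02/2024 via "
    "https://portal.example.org/visit/8812, last login from 192.168.10.44."
)

if __name__ == "__main__":
    for kind, value, _s, _e in find_identifiers(SAMPLE):
        print(f"{kind:6} {value}")
    print(redact(SAMPLE))
```

Running the block prints eight hits and the redacted note; "Jane Doe" is still in the output, which is the point: a scanner like this belongs in a DLP or mail-gateway check that flags likely PHI for review, not in a pipeline that declares data de-identified.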

The HIPAA Rules

A thorough explanation of HIPAA's Rules should be central to any employee HIPAA training course. The Rules set out specific privacy and security requirements, such as the safeguards that must be implemented to protect PHI and the response procedures that must be followed if a data breach occurs.

The Privacy Rule – The Privacy Rule defines PHI and informs CEs and BAs of their responsibilities to protect patient data. The Minimum Necessary Standard is also part of the Privacy Rule: whenever PHI is used, disclosed, or requested, the amount of PHI involved must be limited to the minimum necessary to accomplish the intended purpose. (Disclosures to a healthcare provider for treatment are among the exceptions.) The Privacy Rule also gives individuals rights over their healthcare data.

The Security Rule – The Security Rule outlines the administrative, physical, and technical safeguards needed to protect electronic PHI (ePHI), and requires CEs and BAs to carry out a risk analysis to identify threats to ePHI.

The Breach Notification Rule – The Breach Notification Rule outlines the procedures that must be followed in the aftermath of a breach of unsecured PHI to keep the risk of harm to patients to a minimum. Affected individuals and the HHS' Office for Civil Rights (OCR) must be notified without unreasonable delay and no later than 60 days after discovery, and prominent media outlets must be notified when a breach affects more than 500 residents of a state or jurisdiction. Employees whose job description includes breach response must be trained on how and when to make those notifications; all employees must know how to report a suspected breach internally.

The Enforcement Rule – sets out the procedures for investigations and the civil monetary penalties that may be imposed on a CE or BA for HIPAA violations. Penalties are tiered according to the level of culpability, from a violation the entity could not reasonably have known about up to willful neglect that is not corrected, and OCR has discretion over the amount within each tier.

The Omnibus Rule – the 2013 Final Rule that implemented the requirements of the HITECH Act in HIPAA. Among other changes it made business associates directly liable for compliance with the Security Rule and applicable parts of the Privacy Rule, strengthened the Breach Notification Rule, and tightened the restrictions on the use of PHI for marketing and on the sale of PHI.

Patient Rights Under HIPAA

One area of HIPAA compliance that has come under increasing scrutiny is patient rights. The HHS’ Office for Civil Rights launched an enforcement initiative in 2019 targeting noncompliance with patient rights to access, inspect, and correct their medical records if errors are found. The enforcement drive remains active and many fines have been issued.

It is important that healthcare employees – and employees of business associates – are made aware of the rights given to individuals with respect to their PHI, privacy, and disclosures of PHI. Training should cover the time frame for responding to patient requests for access to their data (30 days under the Privacy Rule, with one 30-day extension permitted if the individual is told why) and the limited circumstances in which requests may be denied.

Allowable Uses and Disclosures of PHI

Central to any HIPAA compliance training course are the allowable uses and disclosures of PHI. Healthcare employees must be made aware of when PHI can be accessed, for what reason, and which uses and disclosures are prohibited. Uses and disclosures for treatment, payment, and healthcare operations are permitted without the patient's authorization; most other uses and disclosures require a written authorization from the patient obtained in advance.

The HIPAA Rules on uses and disclosures of PHI must be clearly explained to avoid accidental HIPAA violations, which can have serious consequences for employees and patients. It must also be made clear that accessing PHI without a work-related reason – snooping on records, including those of family members, colleagues, or public figures – is strictly prohibited, and that access to electronic records is logged and audited.

How to be a HIPAA Compliant Employee

When providing HIPAA training it is important to make sure it is relevant to each individual’s role in the organization. While the HIPAA Rules must be explained, be sure to tailor the training to each role. You should give employees the information they need to apply HIPAA to their day-to-day work and teach the workforce how to be HIPAA compliant employees. You should also clearly explain the potential consequences of HIPAA violations – to the organization, patients, and individual employees, including clearly explaining your HIPAA sanctions policy.

Best Practices to Combat Threats to Data Security

In HIPAA's text, the Rules are often broad and can be interpreted in different ways. The Security Rule is deliberately technology-neutral: it names no specific product or technology, so that the requirements do not become outdated, and even encryption is an "addressable" specification that a CE must implement or document why an equivalent alternative is reasonable. It is up to each CE to determine how to comply with the HIPAA Rules and to train employees on the resulting policies and procedures. You should therefore specify in your HIPAA training the safeguards you require, such as locked desk drawers or filing cabinets, password requirements, and your device and media controls.

Employees should be introduced to the most significant threats and behaviors that could result in impermissible uses and disclosures of PHI. These include, but are not limited to, phishing attacks, ransomware and other malware, unsecured use of mobile devices and removable media, leaving devices and paperwork unattended, failing to log out of computers and systems containing PHI, and using weak or reused passwords.

Particular attention should be paid to avoiding phishing and other cyberattacks. The healthcare industry is a lucrative target for attackers because of the high black-market value of PHI, and it is actively targeted. If one employee falls for a phishing campaign, the attacker's foothold can be used to compromise the wider network and steal patient data. Training courses should cover how to identify phishing emails and other cyber threats, and what to do if suspicious emails or computer activity are identified, including whom to report them to.

Employees should also be trained on IT security best practices, such as the use of multi-factor authentication on mobile devices, email accounts, and remote access to systems containing PHI.

HIPAA Training for Employees

HIPAA training for employees should be provided during the onboarding process, and in any case within the first few weeks of employment. Employees must be made aware of HIPAA, the need for compliance, and how HIPAA applies to their role and responsibilities. HIPAA training for employees helps to ensure that the HIPAA Rules are not accidentally violated.

Training must be provided “as necessary and appropriate for members of the workforce to carry out their functions” to comply with the HIPAA Privacy Rule and when “functions are affected by a material change in policies or procedures.” The HIPAA Security Rule requires CEs and BAs to “implement a security awareness and training program for all members of the workforce.”

Refresher HIPAA training must be provided periodically, and while the frequency is not specified in the HIPAA Rules, it is widely accepted that refresher HIPAA training should be provided annually. Security awareness training is also required on an ongoing basis and its content and frequency should be guided by your risk analysis; many organizations now deliver security awareness training at least every six months, supplemented by periodic reminders such as phishing simulations.

HIPAA Training: Summary

We have outlined some of the most critical aspects of HIPAA that any employee training course should cover. All employees at an organization that handles sensitive healthcare information should receive initial training and periodic refresher training on HIPAA and cybersecurity. Individual employees may require further training due to their roles in the organization or how they interact with patient data.

It is recommended that training is held regularly, in short sessions. It is essential to keep a record of training sessions, such as who attended, what the session covered, and when it took place. As employee training is a HIPAA requirement, auditors may ask to see these records as proof that training has been provided; HIPAA requires such documentation to be retained for six years.

What is the timeframe for providing HIPAA training to new employees?

The HIPAA text does not specify a timeframe for providing HIPAA training to new employees; the Privacy Rule only requires training "within a reasonable period of time" after a person joins the workforce. It is not always possible to provide training before work duties commence, but training should be provided as soon as possible and certainly within the first few weeks of starting employment.

How long should HIPAA training take?

HIPAA does not stipulate the length of training sessions. Training should provide an overview of HIPAA and be appropriate to the role of each individual. Try not to cover all training in a long single session, as employees are unlikely to take all the information on board. Try to keep training sessions under 40 minutes and provide HIPAA training and security awareness training in separate sessions.

To what extent should HIPAA training be role-based?

It is important to give all employees an overview of HIPAA so they have a good grasp of the scope of the legislation. Certain groups of employees will require additional training on aspects of HIPAA that are relevant to their job. A training course should include core elements for all employees, and optional modules that can be completed by individuals in specific roles.

Should privacy and security training include anything other than the HIPAA regulations?

Several states have introduced legislation covering the privacy and security of medical data. In addition to training on the requirements of HIPAA, training must also cover applicable state laws. For instance, employees of entities that are based in Texas or that do business with Texas residents must be provided with Texas HB 300 training.

What are the most important elements of HIPAA training?

Healthcare employees must be able to identify PHI, know how to protect it, know which uses and disclosures are permitted, and be aware of the consequences of HIPAA violations. Training should explain the requirements of HIPAA, but it is equally important to confirm that those requirements have been understood so that employees will apply them after training. You should therefore evaluate understanding at the end of each training session, for example with a short quiz, and record the results alongside the attendance record.