Block Hackers with HIPAA Training
September 18, 2018
Why Is Training So Important?
HIPAA Rules require that your organization provide training to employees on privacy and security awareness about the law as well as your organization’s specific policies and procedures. Reminding employees of HIPAA rules and regulations and keeping them abreast of the most common forms of cybercrime is a smart move.
The Health and Human Services Office for Civil Rights Breach Portal lists 28 breaches that occurred in August 2018. Of those 28 breaches, 11 were due to email compromise, most likely phishing. Cybercriminals send phishing emails in the hope that end users – your employees – will reveal sensitive information. Phishing is also used to install malware and ransomware. Training limits the risk of a PHI breach when attackers target your organization.
Who Needs to be Involved?
HIPAA training is mandatory for anyone who comes into contact with PHI. Who might this include? Insurance agents, doctors, employers who provide healthcare plans, dentists, nurses, human resource officers, receptionists, part-time employees and interns, and security personnel, among others. If your business associates also come into contact with PHI, they need to be properly trained, too. Don’t forget new employees! They need to be trained soon after they begin work. If policies or procedures are ever changed in your organization, all employees who are affected must be re-trained as well.
How to Document Training
The Office for Civil Rights requires that you document all training each time you provide it to employees. If you’re ever audited and can’t provide documentation, you will be cited for a violation. Make sure you have proof of the privacy and security awareness training you have provided to your employees by keeping training sign-in sheets, signed statements acknowledging receipt of training, and computer-based training records of completion or quiz results. HIPAA requirements for documenting training are covered in 45 C.F.R. §§ 164.316(b) and 164.530(j)(2).
How Often Should You Offer Training?
Any person in your organization could be the cause of a HIPAA violation or a data breach, so offering training infrequently puts your organization in harm’s way. HIPAA requires that security awareness training be performed “periodically,” but it is in your best interest to train often. The Office for Civil Rights indicates that monthly security updates in the form of training, newsletters, email, posters, discussions, or computer-based training might be helpful, with additional training provided bi-annually. Annual or bi-annual training sessions should be more in-depth: they should cover new risks faced by organizations and recap other pertinent HIPAA information.
Health insurance agents and brokers must also meet the requirements of the Gramm-Leach-Bliley Act (GLBA), which requires annual training. Annual training helps these groups meet the requirements of both laws while also protecting their business.
How can Total HIPAA help you satisfy your training needs? Our HIPAA Prime™ online solution includes an engaging series of video modules that provide detailed explanations, in-depth discussions, and real-world scenarios for your organization. We also send quarterly training updates and compliance reminders to make sure your staff stays up to date.
Curiosity, fear, and urgency are the emotions criminals prey upon to pressure people into clicking links or downloading attachments that ultimately threaten your network. Reduce the chance that the PHI your company controls can be breached: train everyone regularly.
- The HIPAA Security Rule 45 C.F.R. § 164.308(a)(5)(i) requires covered entities to “Implement a security awareness and training program for all members of its workforce (including management)…”