
How to Train Your Employees in HIPAA Compliance


Ever been to a water park and gone down one of those enormous slides? If so, you likely remember there being a park lifeguard at the top of the slide and near the bottom to ensure your continued safety. But imagine if those employees weren’t trained in safety and first aid—of course, the ride was likely designed well and with other safeguards, but it would make for a serious oversight by the park to do all that while not also ensuring their employees keep guests safe.

Adequate cybersecurity requires the same thing, as does HIPAA compliance—it’s not enough to just put technological controls in place. Meeting HIPAA regulations requires investment in the human aspect of your organization, and while they don’t necessarily need to understand first aid and slide safety, your employees do need to be trained in certain ways to be compliant.

As experienced HIPAA assessors, we know HIPAA requirements can be overwhelming for some organizations. To help simplify this particular aspect, we’re going to break down the requirements of employee training within each HIPAA rule, along with how you can meet them and some extra benefits you can reap from making the effort.

The human aspect of cybersecurity is often overlooked, but for those who must be HIPAA compliant, the following will help you get your personnel trained to both meet the regulations and protect the sensitive information in your charge.


The Role of Employees in HIPAA Compliance

When it comes to HIPAA training, it’s not enough to simply educate your employees about the basics of the law. To be truly compliant, you must ensure that each employee understands the HIPAA requirements that apply to their role and can perform their job in a HIPAA-compliant manner, while also:

  • Documenting All Training: HIPAA requires such documentation, and it should include the content of the training as well as when it was administered, to whom, and how frequently.
  • Tracking Completion: Keep records of who has completed HIPAA training, when, and what successful completion entailed (e.g., passing a test on the training content), as well as who has not yet completed it, so that gaps can be closed before an auditor finds them.

What are the HIPAA Training Requirements?

But what should such HIPAA training entail? Each of the HIPAA Security, Privacy, and Breach Notification Rules sets its own employee training requirements:

Security Rule

Both covered entities and business associates must implement a security awareness and training program for all members of the workforce, including management and staff who have no access to electronic protected health information (ePHI). The training standard carries four addressable implementation specifications: periodic security reminders to the workforce, plus the three specific topics below that your program must cover:

  • Protection from Malicious Software: Train staff on how to guard against, detect, and report malicious software. For example, teach them how to identify suspicious emails and attachments, how to scan files before opening or downloading them, and how to scrutinize permission requests from applications.
  • Log-in Monitoring: Train staff on how to use your organization’s login process correctly, how to recognize failed or unusual login attempts and other login discrepancies, and to whom they should report them.
  • Password Management: Train staff on how to safely create, store, and change their passwords so that a weak or reused credential does not become the path to unauthorized access.

Privacy Rule

Covered entities must train all workforce members on the HIPAA policies and procedures relevant to their roles within a reasonable period after they join the workforce, and again whenever a material change in those policies or procedures affects their functions. That training must be documented.

HITECH Breach Notification Rule

Both covered entities and business associates must instruct their staff on how to report suspected HIPAA violations and security incidents to supervisors, managers, and/or the Privacy or Security Officer, and on how quickly to do so. Timing matters more than most employees realize: the notification deadline runs from the date a breach is discovered, and a breach is treated as discovered as soon as any workforce member (other than the person who committed it) knows, or reasonably should have known, of it. A report that sits with an employee for weeks therefore eats directly into your organization’s time to notify. Employees must be aware of the consequences of delaying a report in terms of:

  • The impact it will have on patients impacted by the breach;
  • The possible fallout for your organization if notifications are delayed longer than necessary; and
  • The potential consequences regarding their jobs if a breach comes to light weeks after it has happened.


HIPAA Training Tips

Regarding meeting all these criteria, we have a few quick recommendations:

DO:

  • Provide regular training sessions and/or materials. Each instance can focus on a different aspect of training, update staff on new developments, or just remind employees of the most important aspects of the HIPAA Rules.
  • Inform employees of the consequences of a PHI breach, including:
      ◦ Potential fines and legal action against your organization;
      ◦ Privacy violations for patients; and
      ◦ Even criminal charges against employees in some situations.
  • Include all levels of management in training—everybody needs a refresher from time to time.

DON’T:

  • Go too deeply into the history of HIPAA. While it is important to understand why HIPAA was enacted, it is more important that employees are aware of the key regulations that directly impact their roles.
  • Just read passages from the HIPAA text to your employees—explain the legal jargon and summarize the important pieces of information. Make sure participants both know the relevant requirements and understand how to apply them in their day-to-day roles.
  • Forget to document:
      ◦ What training is provided
      ◦ Who it is provided to
      ◦ Which subjects are covered
    (If OCR carries out an investigation or an audit, this information will need to be provided.)


3 Benefits of Thorough HIPAA Training

And while all this is necessary to ensure your full HIPAA compliance, taking special care to be thorough when training your employees can also provide a few extra advantages:

1. Reduce the Risk of Data Breaches


Security awareness training—especially when provided regularly—can significantly reduce the risk of a data breach in the first place.

As we mentioned earlier, IT departments often focus primarily on technical measures to secure networks, and neglect of the human factor is a common root cause of data breaches. Providing security awareness training to the workforce and teaching cybersecurity best practices reduces risky behaviors (clicking phishing links, sharing or reusing credentials, mishandling PHI) and helps prevent costly breaches.

2. Reduced Risk of Accidental HIPAA Violations


Moreover, it won’t just be breaches you’re more likely to avoid.

If your organization doesn’t provide training on its HIPAA policies and procedures, employees will likely remain unaware of the restrictions the law places on uses and disclosures of PHI, and of their duty to protect the privacy of patient information.

All that would leave you open to an accidental HIPAA violation, but regular and extensive HIPAA training ensures employees are aware of their responsibilities under HIPAA while helping them understand their important role in maintaining your organization’s compliance.

3. Good Support in Case of an Audit


Finally, OCR rarely opens an investigation over training alone, but a missing or undocumented training program is itself a failure to meet a required standard, and training is one of the key safeguards that prevents breaches of protected health information (PHI) in the first place.

Breaches are something you do get fined for. If one occurs and the resulting OCR investigation finds that your organization did not prioritize training, you may receive a larger penalty, along with a corrective action plan that mandates training, should OCR conclude that the breach could have been prevented if not for that neglect.

If you did conduct detailed training and a breach still occurs, you will at least have the records of employee training to provide to OCR, and such evidence is likely to weigh in favor of less severe penalties.


Moving Forward with Your HIPAA Compliance

So while your organization isn’t a water park that needs to train its staff to ensure guests make it down rides and through wave pools safely, those of you who must achieve HIPAA compliance must similarly invest in instructing your employees in the role they play in something so important.

Now that you understand a little more regarding this aspect of HIPAA, you may be wondering if you should get a more complete picture of where your organization stands in terms of compliance by way of an external evaluation of your efforts to date. There are many benefits to outsourcing your HIPAA assessment, and if you’re interested in learning more, please contact our team of experts who can help you make a final decision.

In the meantime, check out our other resources that will simplify other HIPAA characteristics and ease your compliance journey moving forward:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.