According to a study done by the Ponemon Institute (on behalf of Merlin International), many healthcare organizations aren’t providing sufficient security training to employees. The 2018 report found that 52% of organizations lack security awareness and nearly 65% of breaches are due to human error and negligence.

These statistics are alarming; many organizations don’t know how to address the problem. Every year, healthcare organizations are experiencing breaches and failing to be HIPAA compliant because of their insufficient security training. However, the solution to this problem is simple: Implement proper HIPAA training practices.

This article will tell you exactly what you need to know about HIPAA training and its role in HIPAA compliance.

When Is HIPAA Training Required?

First, let’s discuss when HIPAA training is necessary. According to the HHS, a covered entity must provide training for appropriate authorization and supervision of workforce members who work with e-PHI. This means that covered entities must train all workforce members on their security policies and procedures, and must apply appropriate sanctions against workforce members who violate those policies and procedures.

In general, any healthcare organization that handles sensitive information needs HIPAA training. If you handle health and patient records, for example, your organization has a responsibility to protect that information. Anyone in your organization who works with this information, from doctors to front desk staff, is required to have HIPAA compliance training.

There aren’t specific guidelines on how often this training is required, other than that organizations are responsible for making sure HIPAA compliance training happens periodically. As a rule of thumb, this training should take place whenever new guidelines are released and when there are changes to your organization’s use of technology or practices. This is a large part of HIPAA compliance, as it shows that your organization is putting in its best effort to keep patient information secure.

Why HIPAA Training Is Important

Beyond the protection of protected health information, HIPAA compliance training is critical because it can help your organization prevent breaches or know how to handle them if one ever does occur. When you broaden HIPAA compliance knowledge across the organization, your team gains the ability to identify risks, resolve problems and streamline processes so that your entire operation can operate on best practices.

What Should HIPAA Training Cover?

There are several things that HIPAA compliance training should cover. First, it should include an overview of what HIPAA compliance is and how it applies to organizations. It should also cover the responsibilities of covered entities and business associates. This training should also explain what’s classified as protected health information (PHI) and how to handle patient information for minors.

Once the basics are covered, HIPAA compliance training should go over current HIPAA rules and regulations to keep your organization up to date. Finally, technology will come into play and HIPAA compliance training should cover the role of technology, threats to patients' privacy and password policies.

While this information does not directly relate to compliance, it’s also important for your organization to know the consequences of failing to be HIPAA compliant. This includes the business impacts for the organization, jail time and fees that may occur.

Another consideration to keep in mind before you begin HIPAA compliance training is the state of your organization. For example, if you found concerns during your risk assessment or knowledge gaps where individuals could benefit from HIPAA training, it's worth spending time on specific areas to get your organization up to speed.

How to Document HIPAA Training

Documentation is key in maintaining HIPAA compliance. Other articles in this series have detailed how to document other aspects of the HIPAA compliance process. When it comes to documentation for training, you should be able to show the members of your organization have done HIPAA compliance training, what resources they used to complete the training and when it was completed. This way, in the event of an audit, you can show that you've taken this step to prevent breaches. This type of documentation is also helpful for internal use because it's a great way to keep track of your training efforts.

Where to Find HIPAA Training and Resources

There are three different ways you can access HIPAA training and resources. The first is government-sponsored HIPAA compliance training. The Department of Health and Human Resources (HHS) provides HIPAA training resources that your organization can use for free. You may also be able to take free or low-cost HIPAA training courses as part of a continuing medical education program at a local college. There are also several third-party training options that are available online. However, you should do your research before relying on these resources for your organization. These third-party training resources aren't always up to date.

The HHS also provides specific resources for special topics in healthcare privacy. This includes emergency situations, genetic information, and more. You can visit the resources page to see if any of these topics apply to your organization.

If you’re not sure where to start with HIPAA compliance training, the OCR has established two listservs to inform the public about health information privacy, FAQs, guidance, and technical assistance materials. They encourage healthcare professionals to sign up to receive updates and stay informed.

Bottom Line

While it’s easy to get wrapped up in other aspects of maintaining HIPAA compliance, don’t let training slip through the cracks. Good HIPAA compliance training can be the difference between passing and failing a HIPAA audit.

The steps your organization must take to achieve HIPAA compliance may seem complicated. However, once you understand what the requirements are, putting everything into place isn’t as overwhelming. We created this series of posts to help organizations like yours and to make the requirements clear. If you want to know more, you can check out the rest of the posts in the series.