Who should take HIPAA training? – And why it’s so important

Queries about HIPAA training are on the rise again. Here are the top four that we receive from healthcare employers these days.

  • Is HIPAA training important?
  • Who should take HIPAA training?
  • What should new workers be trained on?
  • Should I retrain workers amid COVID-19?

Let’s look into these queries, one at a time.

Who should take HIPAA training? 

Every person in your organization who has, or may need, access to patient information should receive HIPAA training. This includes employees, contract workers, part-time staff and volunteers. If you have staff who can enter rooms where protected health information is stored, consider training them too.

Simply put, you should train every worker who may come across protected health information. Whether it's the IT staff who maintain your IoT devices or the staff who prepare and mail letters containing patient information, they should know the value of protected health information and how to safeguard it.

Moreover, if you use third-party services to process or store patient information, their employees should receive suitable HIPAA training too.

Here's a four-point checklist. Check every person, department and organization against it.

Every worker who matches any item on the list below should be considered at risk: an error on their part could expose, alter or destroy protected health information (PHI). All such workers should be trained.

  1. Could an error by the worker disclose, alter or destroy PHI?
  2. If his or her computer or phone were compromised, could the attacker gain access to PHI?
  3. If his or her device were lost or stolen, could it lead to unauthorized access to PHI?
  4. Can the worker enter work areas where PHI is stored or used?

Figure out every situation in which an employee's actions could pose a security risk to protected health information. And remember, security risk isn't just about protecting it from thieves and hackers. It includes risk to the confidentiality, integrity and availability of patient information.

At-risk employees and HIPAA training 

Moreover, some jobs in your organization carry a higher security risk than others. Such at-risk employees should receive priority training. If you run a yearly HIPAA training program, consider training at-risk employees every six months.

A risk assessment is the best way to identify your at-risk employees. It helps you assess the security risks to the protected health information in your systems; once the risks are assessed, the employees most likely to cause a HIPAA violation become apparent. Besides, a risk analysis is mandatory under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)).

New hires, internal promotions and changes in work responsibilities create additional HIPAA risks. You should have processes in place to account for them, and all such employees should receive suitable HIPAA training as soon as possible.

HIPAA 101 training

Unfortunately, most employers conduct a HIPAA 101 training and leave it at that. Such training alone doesn't help. True, your employees should know what HIPAA is and what the three HIPAA rules are, but that is not enough. The HIPAA rules require you to train your workforce on your own policies and procedures for protecting PHI and on security awareness, not just on what the law says.

Consider the examples below. Each worker belongs to a different work group and requires distinct training.

  • Front-desk workers should know which patient information they may disclose and which must be withheld.
  • A nurse using IoT or other connected devices should know never to leave a device unlocked.
  • A new hire should know your company policy on access control and tailgating.
  • Your fax operator should know about fax security measures.
  • Employees with email access on their office computers should know how to recognize phishing and protect against ransomware.
  • Doctors using mobile phones should know about mobile device security.

One training doesn't fit all. A doctor has little need to know about fax security, and a fax operator has little or no need to learn about IoT security. Neither needs to know the Breach Notification Rule's deadlines in detail, but both should know how to report a suspected breach internally so that the people responsible for notification can act. So be careful when selecting your training program.

The three HIPAA rules, the Privacy Rule, the Security Rule and the Breach Notification Rule, deal with three different aspects of protected health information. Training content should follow from each job's actual exposure to PHI. HIPAA 101 training is a good starting point, but a program customized to job descriptions is better.

Training for Business Associates

HIPAA also requires the staff of your business associates to receive suitable HIPAA training. Although their training isn't your responsibility, it's best to work only with vendors who train their staff on HIPAA.

Similarly, if you use a cloud-based service to store protected health information, or if your IoT devices send data to third-party servers, ensure that all such vendors train their employees on HIPAA.

These requirements can be written into your business associate agreement (BAA) with the vendor.

What should be included in HIPAA training?

Unfortunately, most HIPAA training programs stop at an introduction to HIPAA and the three HIPAA rules. When evaluating a training program for your organization, ask yourself the following three questions –

  1. Does the training focus on information or on action?
  2. Can my team use the content to make decisions?
  3. Does it cover the three HIPAA rules?

The value of a training program stems from its usability. Training a hospital nurse with a program designed for health clearinghouses wastes both time and effort. Sessions should focus on how-to and what-if exercises rather than what-is quizzes.

Moreover, it should be accessible on the devices staff actually use. And it should help trainees recognize when they may have violated HIPAA and know how to report it.

In conclusion

Before the COVID-19 pandemic, protected health information rarely left the private networks of healthcare organizations, and the use of personal devices was fairly limited. Today, patient information flows over the open internet like any other data: physicians use telehealth tools for virtual examinations, and the use of personal devices in healthcare has surged.

Besides this, HHS OCR guidance and its notifications of enforcement discretion have changed how protected health information is used and disclosed.

Under these circumstances, you may want to conduct a HIPAA risk assessment of your organization. You should also re-examine the list of employees who need HIPAA training, and consider revising your training material so that it covers mobile devices, telehealth tools, and defending against phishing and malware.

Should you retrain all your employees, or only those who are now more at risk of causing a HIPAA violation? The decision is up to you.

We invite you to share your views with our readers. Please leave your thoughts in the comments section below. Our readers would be really happy to reply to your comments. 

Jessica Holland
