What Kind of Security Training Does HIPAA Say I Need to Provide?
Patient health records are highly sought after by cyber-criminals because they can exploit them in a multitude of ways. On the “dark web,” stolen medical data can sell for 10 to 20 times more than credit card data. The healthcare records of terminally ill, and even deceased, patients are paper gold mines for fraudsters, as these patients are often not in a position to even notice that their identities may have been stolen. Healthcare organizations are under constant threat and the HIPAA (Health Insurance Portability and Accountability Act of 1996) was designed to enforce patient confidentiality and patients’ right to privacy.
Let’s first take a look at the potential costs to your business if you don’t implement HIPAA training at your company. Then we’ll review HIPAA training requirements for organizations covered by the act. While the act sometimes seems rather vague (e.g., it never mentions the word “firewall” but instead mentions the need to “implement technical security measures to guard against unauthorized access…”), what is clear is that security breaches of personal records in healthcare organizations have the government coming down on offending parties like the proverbial ton of bricks. Read about some of the penalties for HIPAA violations meted out over the past year on the website. Your organization does healthcare, so the chances are pretty good that your security is adequate and your medical services are top-notch, but you probably don’t have full-time staff proficient in the intricacies of HIPAA. Security awareness training and expert consultants can help.
The HSS “Hall of Shame” will give you an idea of how prevalent HIPAA violations are. A perusal of the list will give you an idea of how important a risk assessment of your organization is and in what areas, and why security awareness training is so vital for staff.
What Is HIPAA?
The HIPAA is United States legislation that mandates data privacy and security provisions for safeguarding medical information. It requires the HHS to develop regulations protecting the privacy and security of certain health information. HIPAA legislation applies to so-called “covered groups”: health care providers, health plans, and health care clearinghouses. It also requires covered entities that work with HIPAA business associates to produce a contract safeguarding any personal health information (PHI) the business associate uses or discloses. Examples of business associates include accounting or consulting firms that work with covered entities, such as hospitals or doctors, or any number of other organizations that have or could have access to PHI through the organization.
PHI includes a patient’s personal details, such as name, address, birth date and Social Security Number, as well their condition and treatment. Information such as employment records or education is not considered PHI, although this information may be covered by other acts, e.g., the Family Educational Rights and Privacy Act. Take note: This information is something your employees need to know.
But, for companies whose electronic data includes protected health information (PHI), HIPAA adds an extra layer of unwanted complexity for data security compliance; for some an onerous burden, for others a helpful tool in implementing data security compliance and avoiding potentially litigious events.
The Cost of Non-Compliance
Possible class action, HHS fines and being named and shamed in the news or on the “Wall of Shame” list kept by HHS are among the costs of non-compliance.
Fines: A recent HIPAA settlement involved Metro Community Provider Network (MCPN), a federally qualified health center based in Colorado. It was reported that, in order to settle potential noncompliance with HIPAA, the network will pay $400,000 and implement a corrective action plan. The news-making incident was due to a phishing attack in which a hacker managed to get access to over 3000 individual email accounts and their electronic protected health information (ePHI). The settlement was based on the fact that MCPN failed to adequately safeguard this information. While the attack was launched in December 2011, MCPN did not conduct a proper risk analysis of the incident until February 2012, and, somewhat startlingly, not before the incident either.
For MCPN, perhaps the onerous burden of complying with the act doesn’t seem quite so onerous anymore.
Class actions: In 2016 Advocate Health Care agreed to pay $5.55 million to settle multiple data protection violations over the previous three years, marking the largest HIPAA settlement HHS has ever received. Also troubling for medical organizations is the fact that Advocate was faced with a number of class actions at the time as well.
Loss of trust: The 2015 Triple-S Management Corp. case (settlement, $3.5 million) was the result of multiple, extensive violations involving several subsidiaries. One notable violation related to two former employees whose access rights to a restricted database were not terminated when they left the company. The two later accessed the internet Independent Practice Association (IPA) database, which contained members’ diagnostic and treatment codes, while being employed by a competitor. Embarrassing.
Benefits of Training
In all the above examples, the OCR required the medical practice to revise their security policies and procedures and/or provide staff with further HIPAA training.
What Kind of Training Does HIPAA Say I Need to Provide?
According to the HHS, there are seven fundamental steps to HIPAA compliance:
- Implementing written policies, procedures and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
You also need to perform a risk analysis, without which you won’t be able to assess how vulnerable you are or what safeguards you realistically have to put in place. In the event of a breach, the first thing you will be asked is to provide a copy of the security risk analysis in effect at the time of the breach. A risk analysis is a preventive measure and will save money in the long run by ensuring that you have the security measures you need in place.
At this point, you can start assessing your employees training needs, role by role.
Training depends on an employee’s role but all employees should know the basics:
- An HIPAA overview
- Compliance reporting procedures
- Patients’ rights
- Organizational privacy and security policies
While your organization may not have the staff in-house to manage all HIPAA training, there are many organizations who can help that covers HIPAA training relevant to specific roles, such as:
- Record handling,
- Department security procedures,
- Federal and state laws,
- Appropriate access by staff, and
- Business associate agreements.
Who Needs HIPAA Training in My Organization?
HIPAA training is mandatory for anyone who comes into contact with protected health information (PHI). This includes doctors, dentists, nurses, psychologists, human resource officers, receptionists, part-time employees/interns, network administrators and security personnel, and researchers. And if your business associates, suppliers, or partners come into contact with PHI, they need to be properly trained too. HIPAA training applies to all staff, including management, volunteers, and trainees, and to any outsourced personnel.
- New employees must be trained within a reasonable time period after they join the organization,
- Employees must be re-trained whenever there is a change to policies or procedures that affect their job, and
- Periodic refresher training is also required.
All HIPAA training needs to be documented. This can be achieved using:
- Training program sign-in sheets,
- Signed confidentiality statements acknowledging receipt of training, and
- Computer-based training completion or quiz results.
What Are the HIPAA Privacy and Security Rule Training Requirements?
There is some confusion about the privacy and security rules. The privacy rule refers to the (fairly broad) requirements to protect the confidentiality of PHI in all its forms, including oral, e.g., discussing a patient by name with a friend is a violation of the patient’s privacy. The security rule is specifically concerned with protecting the confidentiality (which, yes, is the privacy), integrity, and availability of electronic PHI.
Steve Spearman, founder and chief security officer for Health Security Solutions, provides an excellent example in an interview on the Manage My Practice website: “A traditional fax machine is generally considered under the rules to be an analog device. So, if a practice takes a patient fact sheet and faxes it to another practice that also has a traditional line-to-line fax machine, it would fall under the privacy rules. However, if one practice has a traditional fax machine and is faxing the document to a practice that has either a fax server or a fax service (like eFax), then the data is digitized before it is processed on the receiving end. That second practice’s fax would be covered under the security rules because the data is digitized.”
The privacy rule lays out certain administrative requirements that covered entities must have in place, including employing training on policies and procedures, such as:
- Identifying what is PHI and when it may be disclosed,
- Getting patient authorization where necessary and being aware when and where patients may revoke authorization,
- Understanding confidentiality (and the consequences of violating patient confidentiality),
- Keeping a record of disclosures,
- The consequences of violating the privacy rule, and
- Knowing that this rule also gives patients the right to receive a notice of privacy practices (NPP), a document that lets them know what steps are taken by their healthcare providers to protect their privacy.
Note: A privacy official must be appointed who is responsible for developing and implementing policies and procedures at your organization.
The list of scenarios where privacy can be violated is long. For instance, while the security guard in a healthcare institution needs to know the name and room number of patients to guide visitors, diagnosis or treatment, may not be disclosed, i.e., a nurse may not chat with all other organization employees about a patient’s file.
Without security awareness training, humans are the biggest security risk at any organization to cyber-attacks. And while HIPAA doesn’t suggest what technologies you should use to safeguard digital data, best practices suggest that your security architecture include firewalls, two-factor authentication, offsite backup, SSL certificates, and an SSL VPN, within a privately hosted environment. Security is not limited to the technology department. Security standards in various departments may include procedures for monitoring couriered items and managing temporary external personnel such as maintenance crews.
Security training should include:
- How to protect personal information from malicious software and procedures for guarding against, detecting, and reporting malicious software and viruses, and phishing attacks,
- Best practices for data access and password management,
- Risk assessments,
- Training about vulnerabilities of electronic health information and how to protect that information, and
- Incident reporting.
What Are the Policies and Procedures that Need to Be Trained on with Respect to PHI?
Organization policy: According to the HSS, any organization or group covered by the HIPAA privacy or security rules must “develop and implement written privacy policies and procedures consistent with the rule.” These policies describe security safeguards and privacy policies and should be the foundation of your training programs. According to Mary Butler, associate editor of the Journal of AHIMA, emphasizing privacy through HIPAA has had unintended consequences to patient access. Increasingly, patients are asking to see electronic copies of their health information, but providers are worried doing so will unintentionally lead to a HIPAA violation. How your organization handles these types of situations should be documented in your HIPAA policy directive.
Sanctions: The HSS requires organizations to create and utilize “appropriate sanctions against workforce members who violate policies and procedures” and for employees to be trained in accordance with their roles and be aware of possible sanctions if privacy or security infringements take place. Staff should be aware that penalties for violating HIPAA policies may include fines (up to $1.5 million) and jail time (up to 10 years). According to Iowa’s The Gazette, the University of Iowa fired a student health center employee in 2015 for violating the privacy of a pregnant female student and her boyfriend, a well-known student-athlete, when the employee carelessly discussed the results of the student’s pregnancy test with a female co-worker.
Data safeguards: Covered groups are required to maintain technical and administrative safeguards “to prevent the intentional or unintentional use or disclosure of protected health information.” This means that organizations are obliged to formally train employees and other stakeholders to use and apply appropriate data protection protocols, from shredding sensitive documents to regularly changing passwords, and from wiping obsolete computing equipment to the physical location of documents. Advocate Health Care was listed on the HHS “Hall of Shame” after the theft of an unencrypted laptop in 2009 carrying 812 patient records.
Patient privacy: Employees must know that they can release a patient’s information for medical treatment and care, to allow for payment of services, for operational needs (including education and reviews), and if a patient requests the information. Patients can refuse to give authorization or can limit the amount of information released or to whom. The Office for Civil Rights (OCR), the arm of the HSS responsible for enforcing the law, receives more than 30,000 . In some cases, patients mistakenly received another patient’s file. In others, nosy nurses snooped for information about friends or family members and then gossiped about their findings. Carelessness costs money: numerous complaints are made annually about medical records being sent to the incorrect fax or email address.
Disclosures: Covered entities are not required to obtain individual’s authorization for certain disclosures, e.g.:
- Disclosures made to avert imminent threat to health or safety of a person or public,
- Disclosures made to law enforcement,
- Disclosures related to public health,
- Disclosures that are required by law,
- Disclosures to coroners and medical examiners,
- Reports to government agencies of abuse, neglect, or domestic violence.
Physical security boundaries: Staff should understand the basic security procedures implemented at your organization, e.g., the visitor policy and why it is important to wear a badge. They should be trained never to leave their computers unattended with sensitive data on the screen and how to spot phishing emails.
Digital security awareness: HIPAAJournal.com recently published figures on healthcare data breaches in 2017. In both January and February of 2017 there were 31 reported healthcare data breaches, but March saw the figure jump to 39 incidents. “The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven were the result of insider wrongdoing. Hacking incidents made up 28% of the total and resulted in the theft or exposure of 600,270 records. 21% of incidents involved the loss or theft of physical records and devices containing ePHI. While loss and theft was responsible for the fewest data breaches, those incidents resulted in the exposure of the most records in March.”
How Often Does Training Need to Take Place? Does It Need to Be Updated?
HIPAA requires organizations to provide training for all employees, new workforce members, and periodic refresher training. The definition of “periodic” is left open to interpretation. Since the rules themselves are updated annually, it is recommended that employees are given refresher courses annually too. Also, people tend to forget about previous training exercises; regular refreshers go a long way toward keeping people aware of security threats to your organization.
Many organizations are somewhat slack about security training for employees, often ignorant themselves. Outsourced training companies are often better equipped to deal with HIPAA training and usually offer certifications too. The Infosec Institute Read more here.