HIPAA Security Awareness Training

HIPAA security awareness training should have the objective of showing members of the workforce why it is important to protect the confidentiality, integrity, and availability of individually identifiable health information as well as explaining cybersecurity best practices to prevent unauthorized uses and disclosures of electronic PHI.

HIPAA security awareness training is sometimes confused with general cybersecurity training, and although HIPAA does not require security awareness and training programs to be HIPAA-centric, there are good reasons for focusing as much on HIPAA awareness as cybersecurity best practices – even for members of the workforce with no access to electronic PHI.

What HIPAA Says about Security Awareness Training

Several sources discussing HIPAA security awareness training head straight for the HIPAA Security Rule standard §164.308(a)(5) which states: “Implement a security awareness and training program for all members of [the] workforce (including management)”. The sources then proceed to focus solely on general cybersecurity training and best practices.

However, the opening line of §164.308(a) states “a covered entity or business associate must, in accordance with §164.306…”. The reference to §164.306 is important because this standard requires covered entities and business associates to:

(1) Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part [the HIPAA Privacy Rule].

The standard also requires covered entities and business associates to ensure workforce compliance with the HIPAA Security Rule (how this is done is explained later), and to “review and modify the security measures implemented under [the HIPAA Security Rule] as needed to continue provision of reasonable and appropriate protection of electronic PHI”.

These “General Rules” mean it is necessary to provide HIPAA security awareness training in the context of HIPAA and that, not only is it important to base the content of the training on a risk analysis (as required by §164.308(a)(1)), but it is also important to factor in workforce knowledge of applicable Privacy Rule standards and reassess the content of the training periodically to account for workforce compliance with the applicable standards.

Note on the HIPAA Security Awareness Training Requirements

While it is necessary to implement a security and awareness program for all members of the workforce that takes into account reasonably anticipated threats to the security of electronic PHI and workforce knowledge of applicable Privacy Rule standards, the nature of threats and the range of Privacy Rule standards that are applicable to workforce members may vary greatly.

For example, all members of a healthcare provider’s workforce must be trained on what Protected Health Information (PHI) is and what uses and disclosures of PHI are permissible because any member of a healthcare provider’s workforce could identify a celebrity patient entering the healthcare facility and impermissibly disclose the event on social media.

Conversely, some business associates have “no view persistent access” to PHI because the PHI is encrypted and the business associate does not have the decryption key. While it is advisable to explain to members of the workforce what PHI is (because this is why they are taking HIPAA security awareness training), it is not necessary to explain permissible uses and disclosures.

Nonetheless, it is important all workforce members understand why healthcare data is highly sought by cybercriminals and what healthcare professionals in particular need to do to avoid making mistakes and exposing PHI. In Verizon’s 2024 Data Breach Investigations Report, more than 70% of investigated healthcare data breaches were attributable to human errors by workforce members.

Why is it Important to Protect Health Information

It is important to protect health information because it is highly sought by cybercriminals to directly or indirectly commit medical identity theft (indirectly by selling the information). Medical identity theft can lead to individuals obtaining health care, prescription drugs, and medical devices to which they are not entitled. It can also lead to false claims being made to insurance carriers or false tax returns being submitted to the IRS.

Medical identity theft not only incurs costs for healthcare providers and insurance carriers. An unentitled individual’s health and treatment information can be mixed up with the victim’s health and treatment information – potentially resulting in misdiagnoses and adverse reactions to prescribed drugs. In some cases, it can take years until the theft is identified or the victim queries entries on their Explanation of Benefits statement.

Impact on Patients

Even when a patient is not a victim of medical identity theft, the receipt of a breach notification letter can negatively impact a patient’s trust in their healthcare provider. If a patient believes confidential information shared with the healthcare provider will not remain confidential, they may be less willing to disclose personal information about their health. They may also be less likely to comply with medical advice and treatment plans.

When patients withhold information, it is harder for healthcare providers to make accurate diagnoses and prescribe effective courses of treatment. This – and a lack of patient compliance – can lead to a continuation of the patient’s ill health, an increase in physician visits or hospital readmissions, and increased costs – both for the healthcare provider and the patient if they are contributing towards the cost of their healthcare.

Impact on Workforce Members

Returning to the standard that requires covered entities and business associates to ensure workforce compliance with the HIPAA Security Rule, covered entities and business associates are required to apply sanctions against workforce members who fail to comply with security policies and procedures. This means that, if a workforce member shares a password “to get the job done”, they could be sanctioned – even if no data breach results.

More importantly, §164.530(e) of the HIPAA Privacy Rule requires covered entities and business associates (where applicable) to apply sanctions on workforce members who violate any standard of the HIPAA Privacy or Breach Notification Rules – even if those standards have not been included in HIPAA training. This makes it even more important that HIPAA security awareness training factors in “reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part [the HIPAA Privacy Rule].”

Impact on Regulated Entities

The failure to provide effective HIPAA security awareness training that factors in all applicable “General Rules” can have a negative impact on regulated entities if a patient complaint or breach notification leads to a compliance review by HHS’ Office for Civil Rights. Compliance reviews can be disruptive and may result in enforced changes to working practices, which will necessitate further HIPAA security awareness training.

Although HHS’ Office for Civil Rights has never issued a civil monetary penalty solely for the failure to provide effective HIPAA security awareness training, the agency can – and has – increased the penalty for a data breach when no security awareness training has been provided. It is also important to be aware that compliance with the HIPAA requirements can be used as the standard for reasonable care in class action lawsuits following a data breach.

Best Practices to Safeguard Electronic PHI

There is no one-size-fits-all set of best practices to safeguard electronic PHI, and the content of HIPAA security awareness training must be designed to address the unique requirements of individual covered entities and business associates. General guidance provided by HHS suggests that the following ten topics should be included as a minimum. (This may depend on whether the topics have already been included in policy and procedure HIPAA training):

  1. A definition of Protected Health Information (with examples) and an overview of patients’ HIPAA rights.
  2. The importance of protecting health information and the potential consequences of data breaches.
  3. Permissible uses and disclosures of electronic PHI – including an explanation of the minimum necessary standard.
  4. Password management, automatic logoffs, physical security measures, and workstation placement.
  5. The physical and technical security of personal devices (if personal devices are used to access electronic PHI).
  6. An explanation of the different types of malware and how they are commonly deployed on workstations and mobile devices.
  7. Phishing awareness, taking care to ensure electronic PHI is only sent to intended recipients, and incident reporting.
  8. An explanation of why devices and software with access to electronic PHI are configured the way they are.
  9. A warning not to circumvent configurations, download unsanctioned apps, or use unsanctioned services “to get the job done”.
  10. An explanation of the sanctions for failing to comply with the organization’s security policies and procedures.

Help for Developing a HIPAA Security Awareness Training Program

To help covered entities and business associates design a HIPAA security awareness training program, HHS has published a page of Security Rule Guidance Material. However, possibly of more value to covered entities and business associates is HHS’ own cybersecurity awareness training program. Although out of date and HHS-centric, the program can be adapted to form the basis for most HIPAA security awareness training programs. Organizations that require help applying the HHS program to their needs are advised to seek independent compliance advice.

HIPAA Security Awareness Training: FAQs

What are the HIPAA security requirements?

The HIPAA security requirements are that covered entities and business associates must ensure the confidentiality, integrity, and availability of electronic PHI, protect against reasonably anticipated threats or hazards to the security and integrity of electronic PHI, and protect against impermissible uses and disclosures of electronic PHI.

To comply with the HIPAA security requirements, covered entities and business associates must implement all applicable Administrative, Physical, and Technical Safeguards, provide HIPAA security awareness training to all members of the workforce, and ensure Business Associate Agreements are in place with all third parties to whom electronic PHI is disclosed permissibly.

How often should HIPAA security awareness training be conducted?

HIPAA security awareness training should be conducted according to the results of a risk analysis, whenever a new technology is introduced, or whenever it is necessary to apply a sanction for non-compliance. If none of these events occur, it is a best practice to conduct HIPAA security awareness training quarterly and send security reminders monthly.

What is the difference between HIPAA awareness training and HIPAA security training?

The difference between HIPAA awareness training and HIPAA security training is that HIPAA awareness training focuses on compliance with the HIPAA Privacy Rule, while HIPAA security training often consists of generic cybersecurity training. The best type of security awareness training combines both types of training so that workforce members have context with which to apply security training.

Can healthcare organizations develop their own HIPAA training programs?

Healthcare organizations must develop their own HIPAA policy and procedure training and HIPAA security awareness training programs because these programs must be based on the unique operating circumstances of each organization and the risks that exist.

The only time healthcare organizations should take advantage of “off-the-shelf” HIPAA training programs is when a program offers foundation HIPAA training that can provide members of the workforce with a better understanding of the organization’s HIPAA policies and procedures.

Can healthcare organizations face penalties for failing to provide HIPAA training to their employees?

Healthcare organizations can face penalties for failing to provide HIPAA training to their employees; however, it is most often the case that the penalties for a primary sanction (i.e., a data breach) are increased if there has been a failure to provide and document HIPAA Privacy Rule training and/or HIPAA security awareness training.

How can healthcare organizations measure the effectiveness of their HIPAA security awareness training programs?

Healthcare organizations can measure the effectiveness of their HIPAA security awareness training programs by conducting post-training assessments to assess knowledge retention among workforce members. Organizations can also track security incident reports to identify if there is a correlation between gaps in training and security incident reports.



Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth focuses on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone