It’s not just healthcare providers who handle protected health information (PHI), but also a growing number of companies in the broader health and wellness space, such as health technology companies, medical device companies, and the companies that partner with them (such as SaaS companies) to process, store, and transmit data. The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 law that covers any entity collecting, storing, or using PHI. While medical professionals and the healthcare industry in general are held to rigid standards, any company that handles PHI must comply with HIPAA’s stringent requirements to ensure the security and confidentiality of PHI.
If you are a tech vendor providing services, hosting, or other products used in the medical field, HIPAA likely pertains to you. If your company relies on cloud services, Threat Stack’s Cloud Security Platform® can help you remain secure and compliant by offering visibility into who is accessing what information, where, and when, so you can proactively identify threats and keep PHI secure. Learn more about how your company can achieve HIPAA compliance with Threat Stack.
The Security Rule requires training for all individuals who deal with PHI. While the specifics about the training and even timing of the training are loose, training is mandatory for all companies subject to HIPAA requirements. Finding resources is more difficult than most anticipate, but several free and paid courses, webinars, and written guides exist. But which ones are effective? Which training materials are too much for your team or too little to provide meaningful education?
To help you cut through the clutter, we spoke with a few experts to compile a list of 50 HIPAA training resources for health tech vendors. All training resources are listed in alphabetical order by the name of the organization that produced them and are not ranked in any way.
1. The Nuts and Bolts of Achieving HIPAA Security Rule Compliance through Effective Risk Assessment (Course + Quiz)
This short, free audio lesson (a bit more than 10 minutes) is paired with a quick quiz. You’ll also have access to additional resources such as frequently asked questions and a “HIPAA Toolkit.” The “nuts and bolts” risk assessment guide is perfect for tech vendors to learn quickly, and the quiz allows a bit more assurance for you and your clients.
Inside the course and quiz, you and your team will learn:
- How to “explain what is included in the three core compliance areas of HIPAA”
- How to review and update compliance plans
This is one of the few resources devoted to tech vendors, specifically for tech startups. As the introduction states, “Explosive growth in digital health over the last few years means there are many developers and managers who haven’t worked under HIPAA before.” With the tailored approach, this is one of the best “need to know” guides.
All key items are covered, a few of which are:
- Who is impacted by HIPAA requirements?
- Who will check if we are HIPAA compliant?
- How do we become HIPAA compliant?
In this guide, Backupify provides an overview of the top concerns facing IT directors and CTOs working in the healthcare industry. It covers everything from a basic overview of HIPAA to how to determine if your organization is bound by HIPAA, the most common HIPAA non-compliance issues and how to mitigate those risks, and tips and strategies for making HIPAA compliance an ongoing process within your organization.
In a short and effective quiz, Barton Associates allows anyone under the umbrella of HIPAA to see how well they understand the legislation. There are only about a dozen questions, and each one is carefully thought out to highlight the importance of privacy and confidentiality. With violations resulting in fines from $100 to more than a million dollars, it’s a great idea to have everyone even remotely close to patient data take this quiz.
This guide covers the Administrative Simplification standards adopted by HHS under HIPAA and provides an easy-to-use questionnaire to help determine if a person, business, or government agency is classified as a covered entity under HIPAA. It includes questionnaires for providers, clearinghouses, and health plans, including private benefit plans and government-funded programs. There’s also a detailed glossary of definitions at the end that will be useful for any tech company learning the ins and outs of HIPAA.
If your organization prefers a more visual form of learning, the Compliancy Group has put together a free, hour-long training video. The training is full of examples to show how the legislation affects businesses and individuals. This resource is great to ensure awareness of HIPAA requirements and protocols for even employees not directly responsible for patient data.
- A HIPAA 101 overview
- Avoiding social media violations
- Policy and procedure overview
This resource is not a training guide, per se. However, the Compliancy Group has created an entire policy for those who have workers who telecommute. Whether some of your team works “in the field” or your organization is remote, this policy guides everyone to safe and compliant standards when not in the office. The resource will likely need some tweaks to customize it to your organization’s unique needs and is only one part of a comprehensive HIPAA compliance plan, but it’s a good place to start if your organization is in need of a similar policy.
Like the HIPAA telecommuting policy above, this resource covers just one facet of a compliance program. With so many companies switching to Gmail for their suite of tools, it’s likely you use it (or want to). While G Suite tools can be made HIPAA compliant, it’s not an “out of the box” solution. This guide shows you the tips and tricks for ensuring compliance in your organization’s inboxes.
9. HIPAA Quiz
This no-nonsense quiz helps to evaluate the readiness of your organization. Immediately upon clicking the link, you’ll be taken to the first question. It’s not a list of questions about the particulars of HIPAA, but a series of queries about what you’ve done in your company to be compliant with the legislation.
- Which required audits and assessments have you completed
- Specifics about your remediation plans
- The training you give to your employees
This slide deck from Control Case covers healthcare compliance under HIPAA and HITRUST, including an overview of each regulation and key healthcare compliance drivers, including customer requirements and internal audits. It delves into fines and penalties for non-compliance, specific requirements under the Privacy Rule and Security Rule, breach notification requirements, and more.
Calling something “ultimate” is a tall order. That said, this massive guide covers so many details, it’s worthy of the designation. In addition to detailed, yet common sense explanations of everything HIPAA requires, there are also details about certification and checklists to help you get into compliance.
Most people use mobile devices the same way desktops were used in the 90s and early 2000s. But with security issues rampant on cell phones, using them for any private information is dangerous. The Government Accountability Office released this report on controlling information on mobile devices.
The report covers:
- Threats facing phones (e.g., malware)
- Controls and practices identified and explained
This guide from Luke Harries, an entrepreneur and software engineer, is designed for health tech startups that want to launch an MVP while complying with HIPAA regulations. While Harries notes that he is not an attorney or an expert on HIPAA regulations, this guide provides a detailed, useful step-by-step synopsis of how to launch an MVP at little to no cost while securely handling PHI within HIPAA guidelines.
At 61 pages long, this guide is all about keeping protected health information (PHI) secure in an organization. While the document is intended for medical practices, the advice within directly pertains to any entity under the requirements of HIPAA, especially tech vendors protecting data. Overall, there are 6 chapters covering the security of electronic health information.
The guide covers:
- Understanding HIPAA rules
- Information regarding patient rights
- Sample approach for implementing secure data management
Health technology companies are often the first line of defense for private health data. Understanding security risk is a key component of protecting any information meant to be confidential. HealthIT.gov offers three separate introductory-style videos discussing the topic of securing data, titled “Security 101.”
These videos include:
- Security Risk Analysis
- Contingency Planning
- Security Risk Analysis Tool Tutorial
Training games are an effective method for fostering information retention. The HealthIT.gov training games provide anyone who deals with PHI the chance to test their skills without stress. This gamification “requires users to respond to privacy and security challenges often faced in a typical small medical practice.” Playing these provided games allows you and your team to understand the situations your clients see every day.
Part of a larger resource, this is a selected chapter specifically dealing with “patients’ rights” when it comes to health information. Tech vendors are dealing with medical practices and practitioners. Understandably, you care about their concerns. And by understanding the concerns of your clients’ patients, you’ll be better able to meet your clients’ needs.
This guide covers:
- Patient access to information
- Accounting of disclosures
- Rights to restrict information
18. SAFER Guides
HealthIT.gov provides nine guides across three categories: foundational guides, infrastructure guides, and clinical process guides. Many tech vendors aren’t going to need resources for clinical processes, but both the infrastructure and foundational guides are great resources for any business that must comply with HIPAA.
The individual guide titles you’ll want to look at include:
- Organizational responsibilities
- Contingency planning
- System configuration
- System interfaces
HIPAA for Professionals is a very cut-and-dried resource. When you need to find key HIPAA documents, this is a hub of everything in a concise format. There are brief explanations for each linked document to give readers a synopsis so they can decide whether the resource is what they’re looking for. Keeping a page like this in your curriculum provides needed context during training.
A few of the documents linked include:
- The Privacy Rule
- Security and Enforcement Rules
- The Final Omnibus Rule
There are a number of threats to private information. Malware, phishing scams, and operator mishaps are all prevalent. And ransomware (a type of malware) is its own threat, particularly to medical data. When an attacker gains access to this data, they encrypt it and hold it for ransom. Doctors and tech vendors are high-value targets because patient data is valuable, potential fines are high, and the medical industry is (in some cases) lucrative.
No matter how well data is secured, breaches are possible. It’s for this reason 45 CFR §§ 164.400-414, or the Breach Notification Rule, was enacted. The HHS, in this resource, gives a brief on everything to do with the rule, including:
- Defining a breach
- Notices required (to individuals, the media, and HHS)
- Other requirements during and after a breach
There’s always a delicate balance between protecting information and providing access to it. To help companies maintain that balance, the Office of the National Coordinator for Health IT (ONC) released the “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule.” This webinar resource explains exactly how the rule better enables data sharing.
This course, from HIPAA Exams, is a good resource for tech vendors. The “HIPAA for Business Associates” course is specifically designed for technology vendors and other businesses that serve the medical industry. Those who complete the video and audio training will be tested and receive a certificate.
A portion of what the course covers includes:
- Accountability issues for information
- Breach notifications
- Real life examples of breaches
Protecting the private health information of the individuals served by your clients requires proper infrastructure. The original HIPAA legislation was written in a different time, and technology has continued to evolve since. This “IT Infrastructure Guide” contains needed guidance for avoiding vulnerabilities and violations.
In this 18-page guide, you’ll find:
- Cost of HIPAA-compliant infrastructure
- Mandates for data transmission
- Summarized steps for compliance
- References with links
HIPAA Journal’s Disaster Recovery Guide “aims to serve as a client reference point; it is an overview of the disaster recovery plan (DRP) and the processes established to ensure a smooth transition into DR operations.”
In this guide, you’ll learn about:
- The disaster recovery process
- Establishing a command center
- Monitoring recovery progress
If you’re a health tech vendor, getting your clients set up with the proper hardware may be something you handle. Chances are, your tool(s) utilize the cloud. If so, this guide is crucial to compliance and success as a business. This short guide helps in determining if your own hosting solutions are compliant when handling patient information.
Inside the guide, you’ll find:
- Explanations of HIPAA responsibility
- How various cloud computing models (private, public, and hybrid cloud) relate to the law
- Launching a compliant system
HIPAA training is mandatory for companies subject to the regulation. While there are no specific guidelines, the legislation does specify that covered entities and business associates must “implement a security awareness and training program for all members of the workforce.” This overview from HIPAA Journal explains what your training process may look like.
For organizations that need to ensure their team has comprehensive knowledge of HIPAA, paid resources may be the best route. We’ve included only a few paid options on this list, and HIPAA Training is one of them. Their courses are built for “any single individual who works for an organization involved in direct medical treatment of patients.”
The two primary courses are:
- HIPAA Awareness Training for Healthcare Providers
- HIPAA Security Training
This resource specifically covers best practices for business associates, or the companies that partner with or provide services to covered entities. Over the course of 45 minutes, HIPAAOne will impart tips and tricks to ensure compliance, save time, and pass audits.
Specific tool guides are invaluable, if you use the tool in question, of course. There aren’t many software solutions more commonly used than Microsoft Office 365. This guide from HIPAAOne gives a step-by-step plan for ensuring HIPAA compliance using Office 365. Written by highly experienced experts, the short book is separated into three parts.
- Updates to HIPAA regulations and GDPR
- Microsoft’s Office 365 and Teams
- Teams and HIPAA traceability
There are actually two webinars on this one page full of helpful information, including information for tech vendors. One focuses on securing data and ensuring compliance. The other video describes what to expect in a security risk analysis. An included transcript can help businesses with continued research.
Many tech vendors find themselves needing to protect private health information. A security risk analysis is something that requires a lot of upfront attention and precision. This beginner’s resource is a simple, step-by-step guide that’s useful even for those who don’t have an in-depth understanding of HIPAA’s various requirements.
The guide includes:
- How to scope the assessment
- Identifying potential vulnerabilities and threats
- Assessing risk impact and risk probability
33. HIPAA Quiz
This quiz evaluates test-takers’ knowledge of HIPAA compliance and of the law itself. It’s a full 50 questions designed to highlight weaknesses in your team’s knowledge. There are also an additional 80 free healthcare quizzes available from HITNOTS. This particular quiz includes the most recent legislation and requirements. Once completed, results will be given so that they can be kept as part of your training documentation.
As stated previously, the HIPAA Security Rule mandates that all employees receive training for protecting patient information. HSN provides free security training, which may be enough for some tech vendors. While it is free training, you will need to provide basic information about your company to access it.
Included in the training:
- Security compliance testing
- Online and interactive training
- Focus on phishing and ransomware scams
The two most common ways data is compromised are negligence (someone making a mistake) and malicious data breaches (often large-scale attacks). It’s vitally important for tech vendors to understand every type of “breach” according to the law. InfoSec Institute is one of the best when it comes to digital security, and this guide specifically goes over data breaches in the healthcare industry, taking HIPAA and other pieces of legislation into consideration.
JotForm is a software-as-a-service (SaaS) company which provides services to the healthcare industry. Some of their resources are devoted to HIPAA compliance due to the nature of their products. This is great for other tech vendors, since their perspective is similar to yours. In this highly visual and detailed guide, you’ll learn about everything needed for most companies.
In this compliance resource, you’ll find:
- The crucial need for compliance
- Infographics for easy consumption
- Description of all types of HIPAA forms
Mass Digital Health
This robust toolkit from Mass Digital Health includes 34 resources. There are links to other webpages as well as downloadable PDFs across a broad spectrum of topics. The tools include multiple guides for startups, cybersecurity practices, and small business cyber plans. All of the resources are compiled from around the web.
Breaches are always possible. In the event your organization loses sensitive patient data, a plan must be in place. Not only should your leadership team understand the plan, but they also should have access to the tools needed if a breach occurs. This HIPAA Breach Toolkit from MGMA provides a framework for breach response for their members.
A conversational tone and an easy-to-read style make this resource unique. There aren’t many “blog posts” in our list, because these are training resources. However, this post is a helpful resource for your leadership team and just about anyone else to quickly and easily understand HIPAA and your organization’s role with the legislation.
This post explains things like:
- What HIPAA is and why you should care
- Details about the legislation
- Ensuring compliance in your organization
There are a number of excellent free and paid courses regarding HIPAA, but the paid route typically allows for some sort of certification. OSHAcademy provides its modules and training materials free, and if you want to have your employees certified, there is a nominal fee.
In the course, students learn:
- HIPAA law components
- Good privacy practices
- Training requirements
- And more
This is a valuable HIPAA training resource with videos concerning certain subjects within the law, as well as a full video course. While not a comprehensive instruction, the teaching is perfect for those not already familiar with compliance issues. In total, it’s less than an hour long and has an optional certification for a nominal fee.
The course allows for:
- On-demand learning
- Mobile access for the team to learn anytime
- Refresher videos for retention
This training course is also put on by the experts at ProHIPAA, but on another popular HIPAA site, called ProTrainings. It’s a short video training on all necessary elements of the law. If you’d like your team to receive a printable certificate upon completion, there is a fee.
Some of the topics included in the course are:
- Explanation of who is required to comply with HIPAA
- Privacy rights and protected health information
- Breaches and why criminals want private data
The term “business associates” is one that you’ll find directly in HIPAA and other privacy legislation. Medical practitioners often rely on a large number of third-party vendors. Sometimes, these relationships involve patient data. The Supremus Group provides a custom training course for individuals in any business considered a business associate to a covered entity. The course is online and self-paced, but typically takes about an hour. The cost is $25 and includes a certificate that’s valid for two years.
Tech vendors are great innovators and often utilize emerging technologies. Connected devices, IoT, drones, and a number of other technologies are discussed. Many of these advancements introduce vulnerabilities (sometimes significant ones). In this 62-slide presentation from Synerzip, you’ll see the types of disruptive tech emerging to help the medical field, as well as risks and protections.
If your business falls under HIPAA as a “covered entity,” knowing how to prepare for an audit is important. In this webinar, Jason Karn and others discuss the essential steps to prepare for a HIPAA audit.
TotalHIPAA has been around since 2003 with the goal of helping any organization falling under HIPAA to enter and maintain compliance. For new organizations or businesses that recently started serving those handling PHI, this webinar helps outline the steps to compliance. In the training, Jason Karn will also show “how MACRA and HIPAA work together and the steps to take to achieve and maintain HIPAA compliance.”
47. Health Insurance Portability and Accountability Act (HIPAA) Privacy & Security Workforce Training
This is an information-packed webinar from UCLA Health. While the primary focus of the organization is to provide “leading-edge patient care, research, and education,” protecting the privacy of patients is a big component of trust. For that reason, they’ve created this resource for helping other covered entities to better understand how to protect personal information.
This is a hands-on and practical resource from UCLA Health. Clicking the link will take you to a spreadsheet checklist that can help you secure information in your organization. The sheet covers a number of locations, equipment, and practices among your staff. Taking the time to run through these items regularly will go a long way toward keeping your company HIPAA compliant.
Items on the list include things such as:
- Safe printer/fax/copier items
- Physical data storage items
- Exchanging PHI practices
- Personnel issues to check
Winston & Strawn LLP
This slide presentation deals directly with the HIPAA legislation and, as the title suggests, how it applies to you. With 52 slides in all, this deck is full of valuable information on a number of topics.
Topics covered include:
- Overview of HIPAA
- How HIPAA affects business associates
- HIPAA enforcement
- Best practices for creating compliance infrastructure
This resource from Yalantis speaks directly to the specific needs of health technology vendors. There are pretty harsh warnings, as well, to ensure readers take compliance as seriously as possible. In addition to what is required of tech vendors and what’s at stake, there are a number of specific items for actually keeping the data safe.