What kind of training does your organization need to support HIPAA compliance? A good way to start answering this question is to reference the Department of Health & Human Services (HHS)’s own words:
“The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities.” [Emphasis added. Ed.]
The standards for training are flexible. But training itself is mandatory: Training is an Administrative requirement of the HIPAA Privacy Rule (45 CFR § 164.530) as well as an Administrative Safeguard of the HIPAA Security Rule (45 CFR § 164.308).
In light of this, planning, delivering, and maintaining HIPAA training presents an interesting challenge. On the negative side, HIPAA does not provide many specific guidelines, so there’s a risk of failing to adequately identify training requirements. On the positive side, each organization has as much flexibility as it needs to develop training that’s tailored to the specifics of its own technology, policies & procedures, and people who handle its PHI and ePHI.
There is no one-size-fits-all approach, so it’s up to each organization to determine many of the key elements of training, including scope, contents, and frequency. Moreover, since HIPAA regulations as well as an organization’s technologies and its policies & procedures for handling PHI and ePHI are all subject to change over time, there is no such thing as a one-and-done approach. To be effective, training needs to be tailored to the organization, and it needs to be ongoing so existing employees are kept up to date on material changes related to PHI and ePHI and new hires are trained as appropriate, when they are brought on board.
This blog post is not intended as a detailed checklist on HIPAA compliance training. Rather, it is a discussion of some of the elements you should consider when setting up an effective HIPAA compliance training program. Our goal is to get you thinking about areas that are most important to your people, processes, and technology and which, if not accounted for, could result in a failure of compliance or a breach in security.
1. Build a strong foundation before you start to plan your training program.
As we pointed out in two earlier blog posts (Foundational Knowledge and Developing Effective Policies & Procedures), having a strong understanding of HIPAA issues is essential, as is having a governance scheme based on effective policies & procedures.
So before you plan any training, make sure you’re building on a strong technological and operational foundation. Strengthen your security systems and operations through appropriate technology, systems automation, and effective policies & procedures.
As one example, consider the use of TLS to secure your data at rest and in transit. Using TLS certificates with very strong TLS termination policies can help you protect your stored data. You should also consider using encryption at the application level to augment TLS. The good news is that AWS allows you to easily encrypt data using AES-256 encryption.
Other common issues you can address with significant results include weak security groups and policies, failure to patch systems, and authentication missteps such as weak passwords. The best approach is to review your environment to see where improvements can be made.
Once you have strengthened your security and compliance posture, you’re ready to start building a training program that addresses your organization’s human factors. Specifically, you’re ready to introduce training that enables your employees to increase their awareness, knowledge, skills, and abilities and take responsibility for making security and compliance a part of their daily behaviors. Beyond teaching granular, task-related skills, you will be helping to create a pervasive awareness of compliance and security throughout your organization.
2. Determine the scope and contents (What and Who) that should be covered.
Start by doing an inventory to discover personal health information. Determine what parts of your system have personal health information, and how you are keeping it secure. These parts are going to be covered by HIPAA compliance. Determine as well, who (what roles and positions) are responsible for handling PHI, and take this into account in the design of your training.
Remember that there is no one size fits all, and training should be designed so each person who has contact with PHI or ePHI is trained on protecting this information. Training needs to be aimed at the specific roles and functions of the various individuals who have contact with PHI or ePHI. As you sketch out your training program, it should take shape as a number of modular mini-courses rather than a single omnibus course that tries (and fails) to include everything.
3. Make training a collective responsibility as well as a personal responsibility.
In addition to training individuals who are directly responsible for handling PHI, you also need to create a more general level of awareness and training targeted at employees who do not deal with PHI directly, but who could have an inadvertent or unintentional impact on PHI.
Through training, make them aware of the nature of the Health Insurance Portability and Accountability Act, what PHI is, where it’s stored, and the systems that are used to transmit it. This training should be designed to increase general knowledge and to create a culture of awareness throughout your organization that includes everyone, whether they’re directly involved with PHI or not.
4. Make training a regular practice.
HIPAA states that training should occur on a regular, periodic basis. This is often interpreted as annually, but the frequency could certainly be shorter. Training should also be delivered when changes occur to the Act (externally) or when job functions have been impacted by a material change in your technology or policies and procedures (internally). And finally, provision should be made to ensure that new hires are trained within a reasonable period after coming onboard.
5. Keep records for reference and audits.
Make sure you document your training. If there is an OCR investigation or an audit, you must be able to produce the training along with details about when it was delivered, where, by whom, to whom, and when/how frequently it was administered.
Training records will also help you improve as your program evolves (see below).
6. Monitor, evaluate (measure), and improve.
Invest in the effectiveness of your training by monitoring, evaluating (both empirically and anecdotally), and improving your training. Whether you use metrics to measure effectiveness (for example, follow-up questionnaires or assessments that drive correctness scores higher) or collect feedback through employee training evaluation forms, be sure to collect information systematically and mine it for ways of making ongoing improvements.
Tip: Keep a “forward file” of issues that need to be addressed through training, changes to technology, or modifications to policies & procedures. A forward file is simply a place to record issues and ideas on the fly. Without one, it’s too easy to forget about issues when you’re planning the next training update.
It’s crucial for healthcare providers and business associates to understand the HIPAA regulation and its requirements and take an active role in ensuring ongoing compliance. To help you ensure that your organization is doing everything possible to remain HIPAA compliant, protect client data, and avoid potentially devastating fines, you must assume responsibility.
In addition to securing your environment and data and establishing robust policies and procedures, we recommend making HIPAA training an ongoing, living part of your organization as a significant way to reduce risk, add effective governance, and strengthen both security and compliance. A well-designed training program will not only help you address current needs, but will also help you capture changes, make improvements, and ensure that all employees (including new hires) are kept up to date with changes that affect PHI. Like many aspects of security and compliance, it’s a good idea to bake training into numerous areas of your organization until it becomes part of the organizational culture and matures as the company grows and evolves.
If you’re interested in speaking with us to learn how Threat Stack can help you with your cloud security and compliance requirements, be sure to sign up for a demo. Our experts will be happy to speak with you about your organization’s specific needs.