Academy for Health Information Privacy and Security Training

This course differs from the typical HIPAA certificate program where you just pay the fee, print the certificate, and move on. This advanced HIPAA awareness program was created with the goal of giving healthcare workers something useful to take away from the instruction. In this course, HIPAA is introduced, each HIPAA regulation is explained in detail, and healthcare professionals can leave with useful information about how HIPAA affects their daily workflows. Additionally, the HIPAA Awareness and Virtual Communication Awareness training bundle will give medical professionals the fundamental skills necessary to comply with HIPAA rules and protect their organizations' healthcare facilities from outside threats to protected health information.

Security awareness training can lower the overall risk of a company experiencing breaches since human error is a major factor in the majority of HIPAA and data security breaches. If your staff members have not received enough training on HIPAA and how to manage PHI in their daily tasks, then each one of them represents a potential risk. A 2015 SecurityIntelligence report (securityintelligence.com/cost-of-a-data-breach-2015/) states that the average data breach costs over $150. As a result, the cost of any data security breach, let alone one involving PHI, is very high for healthcare organizations. per record, not including potential fines for HIPAA violations which can be as high as $50,000 per incident. Security awareness training is relatively inexpensive compared to the cost of data breaches and has the potential to greatly lower the risk of breaches ever occurring.

Yes, both the HIPAA Privacy Rule and the HIPAA Security Rule impose requirements on security awareness training. The HIPAA Privacy Rule training requirement is listed in 45 C.F.R. 164.530 and is regarded as an administrative requirement. The HIPAA Security Rule training requirement is considered to be an Administrative Safeguard and may be found in 45 C.F.R. § 164.538. All covered entities (CEs) are required by HIPAA to train their employees on the law's PHI-related policies and procedures. Within a reasonable time after being hired, all new employees must receive training. Employees must also receive training whenever there is a significant change to policies or practices. Under HIPAA, both Business Associates (BAs) and Covered Entities (CEs) are required to offer a program to employees on security awareness. With the exception of the HIPAA Security Rule, which mandates that employee training for protection against malware and password best practices be incorporated into any training program, HIPAA does not specify security topics or best practices that training must cover. The HIPAA awareness and training programs provided here go above and beyond the HIPAA requirements by incorporating industry standards and best practices. Organizations that are covered entities or business associates typically need HIPAA training. HIPAA training is only necessary to be given to staff members who have access to PHI/ePHI if your company is not a covered entity or business associate but engages in HIPAA-related transactions.

Only covered entities (CEs) are required to adhere to the Privacy Rule training standard in terms of HIPAA training requirements. Regardless of whether they have access to PHI or not, all employees of an organization are subject to the Security Rule training standard, which is applicable to both covered entities (CEs) and business associates (BAs).

The Privacy Rule Administrative Requirement standard states that: “A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart [the HIPAA Privacy Rule] and subpart D of this part [the Breach Notification Rule]. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance.” According to this standard, covered entities (CEs) must create and put into practice policies and procedures for every aspect of their operations that could involve the use or disclosure of PHI. Furthermore, the training standard of the Administrative Requirements states that: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” In these standards, “workforce” is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” (45 CFR § 160.103)

Compared to the Privacy Rule training standard, the Security Rule training standard is more straight forward - requiring that both covered entities (CEs) and business associates (BAs) “Implement a security awareness and training program for all members of its workforce (including management).” The Security Rule standard has four addressable implementation specifications: Periodic security updates Procedures for guarding against, detecting, and reporting malware Procedures fro monitoring login attempts and reporting discrepancies Procedures for creating, changing, and safeguarding passwords In addition, according to the Administrative Requirements, covered entities and business partners must "implement policies and procedures to prevent, detect, contain, and correct security violations" and "apply appropriate sanctions against workforce members who fail to comply with the covered entity or business partner's security policies and procedures." The absence of HIPAA-specific training requirements in these standards is significant because it is generally covered in the General Rules of the Security Rule (45 CFR 164.306), which mandates that covered entities and business partners must safeguard against any reasonably anticipated uses or disclosures that are prohibited by the Privacy Rule. This mandate implies that organizations should incorporate Privacy Rule training into HIPAA security awareness training programs, but leaves it to the discretion of the organizations.

While laws on training frequency vary, the majority of organizations strive to train all new hires at the time of hiring as well as all employees at least once a year. All employees must complete a security awareness training program in accordance with the HIPAA Security Rule. Although the industry standard practice is to train employees at least once a year, the Security Rule does not specify how frequently this should occur (for example, after policy changes, data breaches, or whenever a risk assessment indicates that additional training is necessary). In accordance with the Administrative Requirements, HIPAA training is necessary for every new employee within a reasonable amount of time after they join the workforce of a covered entity as well as when functions are affected by material changes in policies or procedures. The HIPAA Privacy Rule is more explicit about when policy and procedure training should be provided.

Yes, under HIPAA regulations, regulators may impose penalties for failure to comply with the Security Rule's requirements for employee awareness and security training. If your organization experiences a breach and the Office of Civil Rights (OCR) conducts an investigation, your organization may be held liable for willful neglect. Humans are always the greatest risk to information security, and training is a way to reduce that risk as well as the related financial costs and penalties. Second, insufficient awareness and security training may put your organization at higher risks for breaches in the future. Since every person is a potential risk conduit, there is no such thing as "zero risk," but the more people who receive HIPAA awareness and security training, the lower the overall risk will be.

The best way to avoid problems with the HIPAA training requirements as outlined in the HIPAA Privacy and Security rules is to give your company's staff a foundational understanding of HIPAA. If necessary, additional organizational policy and procedure training can be added to this training. Using this HIPAA training program, you can give every employee in your workforce a foundational understanding of HIPAA and security awareness that they can use regardless of their organizational role or function. This training can be easily repeated as often as necessary to reduce the likelihood of noncompliant practices and culture developing, and it reduces the administrative burden for organizations to provide different training courses based on roles within the workforce. Employees can receive HIPAA awareness and security training at any time without interfering with regular business operations because this course is designed to be completed independently and does not need to be delivered in a classroom setting, which can disrupt workflows in your organization.