HIPAA Training - Everything You Need to Know

Posted by Nabin Shaw on September 9th, 2019

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is complex legislation. Employees need a working knowledge of its fundamentals: not only what the HIPAA rules say, but how those rules shape day-to-day work in a healthcare environment and what the consequences of failing to comply are.

It is important to know which groups must comply with the HIPAA rules. Organizations and, in some cases, individuals that are subject to HIPAA are referred to as covered entities. The HIPAA rules define a covered entity as one of the following:

  • Healthcare clearinghouses
  • Healthcare providers that transmit health information electronically in connection with a HIPAA-covered transaction (claims, eligibility checks, referrals and the like)
  • Health plans

Business associates are persons or organizations that perform functions or services on behalf of a covered entity. They come under the HIPAA regulations when the work they do requires individually identifiable health information to be used or disclosed. Providing consulting, management, data analysis, accounting, legal or financial services to a covered entity can therefore make you a business associate, and since the 2013 Omnibus Rule business associates (and their subcontractors) are directly liable for complying with the HIPAA rules.

The covered entity and the business associate must sign a business associate agreement (BAA). The BAA obligates the business associate to follow the HIPAA rules, defines the permitted uses and disclosures of protected health information, and requires the associate to apply appropriate safeguards and to report breaches back to the covered entity.

Protected health information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains or transmits. The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers of the individual (or of the individual's relatives, employers or household members) that must be removed before data is considered de-identified:

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, ZIP code; the first three digits of a ZIP code may be kept when that three-digit area contains more than 20,000 people)
  • All elements of dates except the year that relate directly to the individual (birth, admission, discharge, death), and all ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic or code
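To make the identifier list concrete, here is an added example (not code from the original post) that applies the Safe Harbor rules to one patient record: direct identifiers are dropped, the ZIP code is cut to three digits, dates keep only their year, ages over 89 are bucketed, and identifier-shaped strings hidden in free text are scrubbed. The field names, the sample record, the "as of" date and the set of small-population ZIP prefixes are assumptions constructed for the example.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied to one record.

Added example, not code from the original post. The field names, the sample
record and the 'as of' date are constructed for illustration.
"""
import re
from datetime import date

# Identifier classes that are removed outright, keyed by the field names this
# example assumes the source system uses.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "phone", "fax", "email", "ip_address", "url", "device_serial", "vehicle_id",
    "biometric", "photo",
}
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}  # keep year only
FREE_TEXT_FIELDS = {"notes"}  # identifiers hide in prose; pattern-scrub them

# Regexes for identifiers that commonly appear inside free text.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with tags."""
    for pattern, tag in TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def generalize_zip(zip_code: str, small_population_zip3=frozenset()) -> str:
    """Keep the first three ZIP digits, or '000' when that three-digit area has
    20,000 or fewer people (the caller supplies that census-derived set)."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in small_population_zip3 else zip3


def generalize_age(dob: str, as_of: date) -> str:
    """The birth date itself is dropped; ages over 89 collapse into '90+'."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict, as_of: date, small_population_zip3=frozenset()) -> dict:
    """Return a Safe Harbor view of `record`. Safe Harbor additionally requires
    that the covered entity has no actual knowledge that what remains could
    identify the person; that judgement is outside what code can check."""
    out = {}
    for field, value in record.items():
        if value is None or field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value, small_population_zip3)
        elif field == "dob":
            out["age"] = generalize_age(value, as_of)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = str(date.fromisoformat(value).year)
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


SAMPLE_RECORD = {  # constructed; not a real patient
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099123",
    "dob": "1928-03-15",
    "zip": "02139",
    "admission_date": "2019-08-30",
    "diagnosis_code": "E11.9",
    "notes": "Pt called from 617-555-0142; contact jane.public@example.org",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2019, 9, 9)))
```

Note that the regex scrub is a safety net, not a guarantee: a name or street address in a free-text note has no fixed shape, which is why the Privacy Rule offers the Expert Determination method as the alternative to Safe Harbor for data that cannot be cleanly structured.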

The HIPAA rules should be taught thoroughly in employee training, since they define the privacy and security obligations an organization has, including how it must respond when a data breach occurs. They are:

  • Privacy Rule. The Privacy Rule sets national standards for how covered entities and their business associates may use and disclose PHI, and gives individuals rights over their records (access, amendment and an accounting of disclosures). Its Minimum Necessary standard requires that uses, disclosures and requests of PHI be limited to the minimum needed for the purpose at hand; this governs internal workforce access as well as disclosures to third parties, with a few exceptions such as disclosures to a provider for treatment.
  • Breach Notification Rule. This rule sets out what must happen after a breach of unsecured PHI. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; HHS (through OCR) must be notified, immediately for breaches affecting 500 or more individuals and otherwise through an annual log; and a breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets. Training should make clear who in the organization issues these notifications and on what timeline.
  • Omnibus Rule. The 2013 Omnibus Rule implemented the HITECH Act: it made business associates and their subcontractors directly liable under the Security Rule and much of the Privacy Rule, replaced the earlier "risk of harm" breach test with a presumption that any impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and tightened the rules on marketing, fundraising and the sale of PHI.
  • Enforcement Rule. This rule covers compliance investigations, hearings and civil money penalties. Penalties apply to violations of any of the HIPAA rules, not only to breaches, and are tiered by the level of culpability.
  • Security Rule. This rule requires administrative, physical and technical safeguards for electronic PHI (ePHI). Each standard has implementation specifications that are either required or addressable; an addressable specification (encryption, for example) must be implemented, or the reason it is not reasonable and appropriate must be documented and an equivalent alternative measure put in place.

The HIPAA rules are deliberately technology-neutral and worded in general terms so that they do not become obsolete as technology changes, which leaves organizations to translate them into concrete controls. Each organization should therefore spell out exactly what the rules require in its own environment, and employees in different departments should be trained in depth on the aspects of HIPAA that relate to their roles.

Best Practice Against Data Security Threats

To protect information, it is vital to know what threatens it. Cybercriminals target the healthcare industry heavily because health records sell on underground markets. One of the most common attack vectors is phishing, and in the worst cases a single successful campaign has exposed the records of millions of people.

Phishing mainly involves sending email to large numbers of people in the hope that some of them will take the bait. In an organization it takes only one person opening a malicious attachment or handing over their login credentials to compromise the network. Many organizations train employees to recognize a basic phishing attempt.

It is important to realize, however, that phishing grows more sophisticated as technology advances: targeted spear-phishing, lookalike domains and credential-harvesting pages that mimic the real login portal are harder to spot than a mass mailing. Regular refresher training that builds on the basics and keeps employees current on good IT practice should be embraced.

Data security is also compromised when devices are lost or stolen. Many people use mobile phones, laptops and tablets for work, so these devices may hold large amounts of PHI. If a lost device is protected only by a weak password or PIN and its storage is not encrypted, the information can easily be read by whoever finds it. A lost unencrypted device holding PHI is a reportable breach, whereas data encrypted in line with HHS guidance counts as secured PHI under the Breach Notification Rule.

Strong passwords are a common recommendation, but a password on its own is a single point of failure: weak or reused passwords are guessed or cracked quickly, and even strong ones can be phished. Two-factor authentication is therefore best practice, especially on mobile devices. In addition to the password, the user must enter a one-time passcode at each login, either delivered to their email address or phone number or, better, generated locally by an authenticator app or hardware token from a secret shared with the server. This additional layer ensures that a stolen password alone is not enough to reach the information; since SMS and email codes can be intercepted or phished in real time, app-based or hardware tokens are preferred where possible.
