Creating a HIPAA Compliant Data Privacy and Security Training Program
Data Privacy and Security Training in the Current Threat Landscape
The healthcare threat landscape is constantly evolving with new threats to data privacy and security. New threats to protected health information (PHI) emerge or resurface each year, and now include drug diversion, identity theft, fraud, and cybersecurity attacks. These threats require covered entities and business associates to adjust their data privacy and security training to secure PHI and maintain the quality of patient care.
A key part of a healthy privacy and security program in healthcare is employee training. Yet 80 percent of health information technology leaders list employee security awareness as their top data security worry, according to HIMSS.
Training is essential because, in the 2018 threat landscape, your employees can be either your greatest security asset or your greatest vulnerability. In fact, 58 percent of breaches involve insiders, according to the Verizon Protected Health Information Data Breach Report. This doesn’t mean that all insiders engage in malicious behavior; they can also be inadvertent actors or careless users who put your organization at risk.
Not only is employee security awareness and culture an integral part of a comprehensive cybersecurity program to prevent breaches, but it’s also required by HIPAA.
HIPAA Requirements for Data Privacy and Security Training
HIPAA requires both covered entities and business associates to provide HIPAA training to members of their workforce who handle PHI. Under the HIPAA Privacy Rule and the HIPAA Security Rule, training is required as an administrative safeguard.
HIPAA Privacy Rule:
The HIPAA Privacy Rule training topics include the identification of ePHI, the minimum necessary rule, how and when PHI may be disclosed, confidentiality, avoiding snooping, and the need to keep an accounting of disclosures. Below are the administrative requirements regarding training under the HIPAA Privacy Rule:
- 45 CFR § 164.530 Administrative requirements.
  - (b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
  - (2) Implementation specifications: Training.
    - (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
      - (A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
      - (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
      - (C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
    - (ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
HIPAA Security Rule:
The HIPAA Security Rule outlines the security awareness and training program that is required. Care workers need to understand the large role they play in data security, and therefore in the overall quality of patient care. They should learn about insider threats, phishing, social engineering, the use of portable devices, drug diversion, and more. Below are the relevant administrative safeguards under the HIPAA Security Rule:
- 45 CFR § 164.308 Administrative safeguards
  - (a) A covered entity or business associate must, in accordance with § 164.306:
    - (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. . . .
    - (5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
    - (ii) Implementation specifications. Implement:
      - (A) Security reminders (Addressable). Periodic security updates.
      - (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
      - (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
      - (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
It’s important that you understand the HIPAA requirements while you develop your training program. They give you an idea of what to include in the foundation of your program’s framework so that it meets your compliance needs.
Data Privacy and Security Violation Scenarios
HIPAA violations can result in substantial fines. Anyone handling PHI in a care setting can expose an organization to a breach, whether maliciously or inadvertently. There are often multiple actions associated with each security or privacy incident, some of which may not be the direct cause but are nevertheless contributing factors. Below are eight common HIPAA violations identified by Becker’s Hospital Review, around which training could be built:
- Employees disclosing information. It’s a HIPAA violation for employees to gossip or discuss patients with friends or coworkers. Employees must be mindful of their environment and restrict their conversations regarding patients to private places, and avoid sharing information with friends or family.
- Medical record mishandling. Care workers can engage in the improper use of medical records, whether it’s viewing patient information that is not necessary to one’s care, snooping on a VIP, or even obtaining patient data to engage in fraud. Digital health records must be monitored for inappropriate access so organizations can pinpoint areas where training can be improved or reinforced.
- Lost or stolen devices. Over 90 percent of nurses and physicians will use mobile devices by 2022. These devices now hold patient information and can easily be lost or stolen. There needs to be a mobile device policy in place with protocols for both the digital and physical security of the device.
- Texting patient information. Care providers have to work quickly, so it may seem like second nature to relay information to another care provider via text message. However, cybercriminals can easily access information on an unapproved device. Ensure that only approved mobile devices with encryption are used.
- Social media. Posting patient photos on social media is an explicit HIPAA violation. Even if it is well intended and no names are mentioned, someone may recognize the patient. Make sure you implement a clear social media policy.
- Employees illegally accessing patient files. Patient information may be illegally accessed for a number of reasons, from curiosity and fraud to identity theft and drug diversion. Individuals who sell PHI can be subject to fines and prison time; health systems can incur regulatory fines, unwanted media attention, and reputational damage. Ensure that you have a monitoring program in place to detect, investigate, mitigate, and remediate inappropriate access to PHI.
- Authorization requirements. Written consent is required for the use or disclosure of any individual’s personal health information that is not used in treatment, payment, or healthcare operations or permitted by the Privacy Rule.
- Lack of training. One of the most common causes of HIPAA violations is an employee who is not familiar with the HIPAA laws or with your privacy and security program’s policies and procedures. Training and re-training are necessary to proactively create a culture of privacy and security.
With a wide-ranging possibility of HIPAA violations across multiple digital and physical environments, it’s important that you have a well-rounded training program bolstered by both technology and re-education.
What Should I Include in My Data Privacy and Security Training Program?
When it comes to data privacy and security, employees are either your greatest vulnerability or your best line of defense. Implementing a culture of security and accountability will help secure your organization. Based on the suggestions of the ONC and the OCR, here are four additional ways to integrate privacy and security into your organization:
- Define Your Culture: Hospitals that promote and adopt a proactive culture of compliance rather than a passive compliance plan can more effectively protect themselves against privacy and security incidents. Designate members of your team to foster culture throughout your organization with education materials, training, and re-training.
- Train Employees and Maintain Acceptable Use Policies: Organizations can implement myriad technologies and procedures to secure ePHI and avoid OCR sanctions, but without proper training and acceptable use policies for employees, these investments can easily be undermined. A clearly defined culture of privacy and security should be driven through any organization handling PHI. Train users on acceptable use policies and procedures through a learning management system (LMS) to help boost internal compliance.
- Strengthen Identities and Monitor: Protecting your organization against insider threats means monitoring employee access and activity. This gives you the ability to take proactive action when suspicious behavior is detected. Coupling user activity monitoring with other data security safeguards will give you a well-rounded approach to securing your most sensitive information. Part of running a business means trusting your employees, but organizations must verify that employees aren’t misusing data. The idea is to move toward preventing security issues rather than discovering problems when the damage has already been done. To determine what users can access, perform access rights review and management, including a user inventory of employees, affiliates, and vendors.
- Sanction, Train, and Re-Train: With monitoring in place, you can now identify employees who need training or re-training – and, in some cases, sanctioning. Training through your LMS on acceptable use policies, monitoring technology, current cyber threats, and sanctions will help define a strong culture of security.
Insider threats and cybercriminals will continue to evolve as time progresses. A moat mentality toward security is no longer relevant in an interconnected world of insider access and patient care. Coupling training with monitoring technology and accountability will help drive your culture through your organization and make your insiders your biggest privacy and security asset.