HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a landmark piece of legislation for the healthcare industry. HIPAA introduced strict requirements for the protection of patient privacy and the security of sensitive healthcare data. In particular, HIPAA's rules are designed to mitigate the risk of a data breach that would compromise the confidentiality, integrity, or availability of protected health information (PHI).

Covered entities may build robust cybersecurity infrastructures to prevent unauthorised individuals from accessing patient data. However, employee error remains a leading cause of data breaches. For example, an employee who fails to follow basic IT security practices may fall victim to a phishing email, allowing unauthorised individuals to gain access to vast numbers of patient files.

One of the most effective ways to reduce the chance that employee error will cause a data breach is to provide HIPAA compliance training. Employees must understand their responsibilities under HIPAA and how to keep patient data secure.

HIPAA Basics

Employees should be aware of the basic definitions presented in HIPAA’s text. Outlining the fundamentals helps prevent confusion later on when more complex ideas are being discussed.

Covered entities (CEs): defined in the HIPAA rules as 1) health plans, 2) health care clearinghouses, and 3) health care providers who electronically transmit any health information in connection with transactions for which the US Department of Health and Human Services (HHS) has adopted standards. These organisations are required to comply with HIPAA.

Business associates (BAs): organisations that perform specific functions or services on behalf of a CE. A BA is subject to HIPAA if the activity it performs for the CE involves the use or disclosure of individually identifiable health information. A BA must sign a Business Associate Agreement (BAA) with the CE before handling its PHI.

PHI: individually identifiable health information held or transmitted by a CE or BA. Health information is considered identifiable when it contains any of the 18 “HIPAA identifiers” that can be used to identify, contact or locate an individual, or be combined with other sources to identify an individual: names; geographic subdivisions smaller than a state (such as street addresses); all elements of dates (other than year) directly related to an individual; telephone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or licence numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. Health information from which all 18 identifiers have been removed is treated as de-identified under HIPAA's Safe Harbor method and is no longer PHI.
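As an added example (not part of the original page, and not an official HIPAA tool), the following Python script scans free text for those identifiers in the list above that have a recognisable format and redacts them. The sample clinical note and every value in it are constructed; the pattern set, the Hit type and the find_identifiers, redact and summarize function names are this example's own choices.

```python
"""Regex-based scan for HIPAA identifiers that have a fixed shape.

Added example; the sample note and all values in it are constructed.
Regexes catch only identifiers with a recognisable format (SSN, MRN,
email, URL, IP, phone, date). Names, street addresses and other
free-text identifiers need a dictionary or NLP pass, so a clean scan
is a lower bound, not proof that a document contains no PHI.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample note; every value is fictitious.
SAMPLE_NOTE = (
    "Patient Jane Doe (MRN 00482913), DOB 04/12/1978, seen for follow-up. "
    "SSN on file 123-45-6789; contact (555) 123-4567 or jane.doe@example.com. "
    "Portal login from 192.168.10.44; forms at https://portal.example.org/forms/7. "
    "Requested copy of records."
)

# Deliberately simple patterns; tune them to your own record formats.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Greedy run of non-space, but the last character may not be trailing punctuation.
    "url": re.compile(r"https?://\S+[^\s.,;:!?)]"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Lookarounds instead of \b because "(" is not a word character.
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"),
    # Dates other than a bare year that relate to an individual are identifiers.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}


@dataclass(frozen=True)
class Hit:
    kind: str
    value: str
    start: int
    end: int


def _valid(kind: str, value: str) -> bool:
    """Post-filter that drops shape-only false positives (e.g. 999.1.1.1)."""
    if kind == "ipv4":
        return all(int(octet) <= 255 for octet in value.split("."))
    return True


def find_identifiers(text: str) -> List[Hit]:
    """Return non-overlapping identifier hits, ordered by position in text."""
    candidates = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if _valid(kind, m.group()):
                candidates.append(Hit(kind, m.group(), m.start(), m.end()))
    # Earliest start wins; on a tie keep the longer match.
    candidates.sort(key=lambda h: (h.start, -(h.end - h.start)))
    hits: List[Hit] = []
    cursor = 0
    for h in candidates:
        if h.start >= cursor:
            hits.append(h)
            cursor = h.end
    return hits


def redact(text: str) -> str:
    """Replace each hit with a [KIND] token, working backwards so offsets stay valid."""
    out = text
    for h in reversed(find_identifiers(text)):
        out = out[:h.start] + f"[{h.kind.upper()}]" + out[h.end:]
    return out


def summarize(text: str) -> Dict[str, int]:
    """Count hits per identifier kind; useful as a DLP or log-scrubbing signal."""
    counts: Dict[str, int] = {}
    for h in find_identifiers(text):
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_identifiers(SAMPLE_NOTE):
        print(f"{hit.kind:6} {hit.value}")
    print(redact(SAMPLE_NOTE))
```

Note what the scan does not do: "Jane Doe" survives redaction because names have no fixed format, and a date of service written in words would also be missed. Treat a scanner like this as a safety net in logs, exports and outbound email, not as a substitute for the Minimum Necessary review an employee is expected to perform.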

HIPAA Rules

Understanding HIPAA's rules is central to compliance. Not every employee needs to know all of the rules in detail to perform their role, so more specific, tailored training sessions should be provided to those who require them.

Privacy Rule – defines PHI and sets out the responsibilities of CEs and BAs to protect patient data, and the conditions under which PHI may be used or disclosed. The Minimum Necessary standard is part of the Privacy Rule: whenever PHI is used, disclosed, or requested, only the minimum amount of information needed to accomplish the specific purpose should be involved. (The standard has exceptions, such as disclosures to the patient and disclosures to a provider for treatment.)


Security Rule – sets out the administrative, physical, and technical safeguards required to protect electronic PHI (ePHI). Many of its implementation specifications are “addressable” rather than required, meaning a CE must either implement them or document why an alternative measure is reasonable and appropriate.


Breach Notification Rule – outlines the procedures that must be followed after a breach of unsecured PHI so that harm to patients is minimised. Affected individuals and HHS must be notified without unreasonable delay and no later than 60 days after the breach is discovered (breaches affecting fewer than 500 individuals may be reported to HHS annually), and a breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets. Employees must know how to report a suspected breach internally so that the organisation can meet these deadlines.


Enforcement Rule – sets out how HHS's Office for Civil Rights (OCR) investigates complaints and conducts compliance reviews, and the civil money penalties that may be levied against a CE or BA for violations, whether or not a breach has occurred. Penalties are tiered by level of culpability, and OCR has discretion in how they are applied.


Omnibus Rule – the 2013 final rule that updated the other rules. Among other changes, it made BAs directly liable for compliance, replaced the earlier “harm” threshold for breach notification with a presumption that an impermissible use or disclosure is a breach unless a risk assessment shows a low probability that the PHI was compromised, and tightened the restrictions on using PHI for marketing and on selling PHI.


Because HIPAA covers many different types of organisation, the wording of its text is often deliberately general so that it can be applied to many different circumstances. Rather than repeating that general language, present how each Rule is applied in your organisation and how it affects employees. For example, instead of listing the Security Rule's requirements for adequate physical safeguards, tell employees about the specific safeguards in use, such as locked desk drawers or filing cabinets.

Best Practices Against Threats to Data Security

Employers should inform their employees of the most significant threats to the security of healthcare data. These include, but are not limited to, phishing attacks, ransomware campaigns, Trojan malware, and lost or stolen mobile devices.

Particular attention should be paid to cyber attacks. The healthcare industry is a lucrative target for attackers because of the high black-market value of PHI. A single employee falling for a phishing email can give an attacker a foothold on the network, from which they may reach vast numbers of patient files before the organisation notices it is under attack. Training should explicitly cover recognising suspicious emails and reporting them, and employees should understand that reporting a mistake promptly is far better than concealing it.

Employees should also be informed of IT security best practices, such as enabling two-factor authentication on their work accounts, mobile devices, and any private email accounts they use, and keeping PHI out of personal email altogether.

HIPAA Training in Practice

All employees at an organisation that handles sensitive patient health information should be familiar with at least the basic data security requirements outlined in HIPAA. Individual employees may require further training depending on their role in the organisation and how they interact with patient data.

It is recommended that training be held regularly, in short sessions. Employees are likely to lose interest if a session runs for longer than an hour. Employers should try to make sessions engaging and interactive, using techniques such as multimedia presentations or audience participation.

HIPAA mandates workforce training (the Privacy Rule requires training on the organisation's policies and procedures, and the Security Rule requires a security awareness and training programme), so it is essential to keep records of training sessions: who attended, what the session covered, and when it was held. HIPAA requires such compliance documentation to be retained for at least six years, and auditors may ask to see evidence that training has occurred.