Did you know that over 41 million patient health records were breached in 2019, almost triple the total number of records breached in 2018?
According to the Protenus 2020 Breach Barometer, insiders were responsible for nearly 20% of the breaches in 2019, which includes both human error (accidental disclosures) and wrongdoing, such as theft of information or snooping in patient files. Phishing attacks also continue to target healthcare, and those that succeed lead to compromised systems and/or credentials. When healthcare employees don’t understand how their individual actions can affect information security, it can and does lead to healthcare data breaches.
The number of insider incidents has been gradually decreasing since 2016; however, the numbers are still staggering. The decrease has been largely attributed to increased employee education, but what exactly are the training requirements under the Health Insurance Portability and Accountability Act (HIPAA)?
All employees must receive training under the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Privacy Rule requires covered entities to train workforce members on the privacy policies and procedures that govern the use and disclosure of protected health information (PHI), as necessary and appropriate for employees to perform their job duties. The HIPAA Security Rule requires covered entities to provide security awareness and training to all workforce members, including management. Both Rules stipulate that training is required for each new staff member within a “reasonable” period of time after the person joins the workforce. Training must also be provided when a staff member’s job role is affected by a material change in the covered entity’s policies or procedures, within a reasonable period of time after the material change becomes effective.
The HIPAA Rules are flexible and scalable to accommodate the range in types and sizes of entities that must comply. Covered entities can tailor their cybersecurity training programs to the specific risks and needs of the particular organization as identified through a risk assessment process. As cybersecurity risks and threats are constantly changing, organizations should adapt and evolve their cybersecurity training programs and policies. A key element to a good awareness training program is explaining why staff are being asked to complete the training and why protecting health information is so important. Reviewing the recent HIPAA violations on the OCR website is a good way to learn about the types of incidents that are occurring and incorporate these real-world stories of breaches into your program as lessons learned. Sharing details of penalties applied and emphasizing how violations can and will result in significant financial consequences (both for the organization and individuals) can help employees understand the importance of their actions.
Organizations can customize their training materials to include specific issues they have seen within their departments over the last year. Tailoring materials for specific roles is also key, as the training for an administrator will look very different from the training for a clinical staff member or an IT worker. Keeping the training updated to reflect current risks and best practices is important, and it will help keep employees engaged year over year.
Organizations are also required to document the HIPAA training program, including dates and types of training, training materials, and evidence of workforce participation. Training records should be retained for at least six years, because if an organization is investigated or audited for a potential healthcare data breach, this documentation will be requested.
Regardless of the technology and security controls that have been put in place, it only takes one careless employee to bypass policies and cause a major data breach. This is evident in the fact that there has been at least one health data breach per day since 2016. Training, and then reinforcing that training again and again, is the best way to ensure your staff understand their role in protecting patient records.
Additional guidance from our Security Advisor team below:
[King]: Developing and managing an effective HIPAA training program takes some effort, but will pay off in reducing risk of data incidents and breaches exponentially. As the article states, 20% of data breaches were an inside job, but most of those were accidental rather than intentional. It is our experience that many staff members have questions on actual risk and how they should be safeguarding data. A training program gives staff the information they need to make sound decisions in their daily work with protected data, therefore protecting the organization’s data assets and reputation.