HIPAA Compliance Training 101 | What Do Your Employees Need?

Posted by Brian Oderkirk on February 14, 2018

HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996. Initially created to simplify healthcare and reduce costs, HIPAA has now become synonymous with one thing: patient privacy and security. HIPAA compliance training not only protects clients. It also empowers employees. Here’s your ultimate guide to HIPAA compliance training.

Why do I need HIPAA compliance training for my employees?

Beyond the two-step verification codes, complicated passwords, and tightened rules on employee downloads on the company server, why is HIPAA compliance training so important?

If your company handles sensitive client information – health records, addresses, diagnoses, and so on – you are required by law to protect that information. HIPAA compliance training ensures that you, your company, and all of your employees are doing everything you can to keep your clients’ private information safe.

Who needs HIPAA compliance training?

Anyone who handles personal health information (PHI) is required by law to undergo HIPAA compliance training.

This includes doctors, nurses, administrators, front desk personnel, and residents on rotation: anyone and everyone who handles patient information. Other types of companies that are required to undergo HIPAA training include:

  • Employer group health plans

  • Health insurance companies

  • Healthcare clearing houses

In short, if your employees are exposed to sensitive health information, they must participate in HIPAA employee training.

Is HIPAA training mandatory?

For certain organizations, the short answer is yes, HIPAA training is mandatory.

HIPAA compliance training must be implemented by every organization that requires it, regardless of size or annual budget. Everyone from healthcare conglomerates with multi-billion dollar budgets to a country doctor with one administrative worker must meet the HIPAA training rules.

Is HIPAA training required annually?

The rules for HIPAA training for employees state that HIPAA refresher training should be offered to all employees “periodically.” While this is open to interpretation, it is best practice for your company to provide annual HIPAA training. Governmental rules and regulations change annually, and your company is required to keep employees informed on the latest rules.

Online HIPAA training is a great way to provide a periodic refresher for all employees. With just-in-time updates on rules and regulations, you can get your employees the information they need.

What should be included in HIPAA compliance training?

HIPAA does not specify how long a training should last, but there are guidelines for what should be included in training.

What’s protected under HIPAA

HIPAA compliance training starts with identifying what information is protected by the HIPAA Privacy Rule. This includes any sensitive patient health information.

Reasons for protection

Imagine your potentially embarrassing health diagnosis plastered on a billboard in Times Square. This may seem like an exaggeration, but the speed and scope of the online community can make a molehill-sized leak of patient information into a mountain.

More than embarrassment, patients can experience medical identity theft. Medical identity theft occurs when a patient’s personal information is stolen and used to submit false Medicaid or Medicare claims. This disrupts care and costs thousands of taxpayer dollars annually.

How to protect information

While your employees are not likely to share sensitive patient information intentionally, one of the most important HIPAA rules deals with inadvertent sharing. Physical safeguards used to be all about protecting paper records. These days, much more of the focus is on electronic records and access, with only a nod to those color-coded patient files of yesteryear. HIPAA training includes best practices on user IDs, emergency access protocols, and automatic log-off.

From the law itself: HIPAA compliance training must train employees to handle electronic patient health information (e-PHI) in such a way as to:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;

  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;

  3. Protect against reasonably anticipated, impermissible uses or disclosures; and

  4. Ensure compliance by their workforce.

This aspect of HIPAA compliance covers any type of electronic transmission of or access to patient records or data. Electronic transmission protections must cover everything from email to any in-house communications on a private server.

Employers are also legally obligated to evaluate their HIPAA-compliant security and privacy protocols to confirm that they are actually implemented. While the U.S. federal government does not specify a timeframe for this, it suggests that such evaluations be ongoing. This helps to identify potential weak spots in security and privacy and address them as soon as they are spotted.

What does this mean for your organization?

The good news is that although your company is required by law to spend time and money on HIPAA training, you may already have some HIPAA-compliant practices in place. Here are three steps to implement HIPAA compliance training.

Step 1: See where you are

Evaluate where your company is already compliant. Do you follow best practices when it comes to online security, even across employee emails and your in-house server? That’s a great place to start.

It is even better if you have a regularly scheduled assessment of your online security and a system in place to onboard new employees with a standardized email and password setup.

Step 2: Design the training your company needs

Maybe you have a strong electronic security system in place, but your employees need more information on what’s protected and why.

Once you know what you need, design a training that includes e-Learning and microlearning to deliver new trainings and regulatory updates efficiently and effectively.

Step 3: Assess, pivot, and repeat

Assessing what you’ve implemented is key. Ultimately, the goal of HIPAA compliance training is to protect your clients, not just fill a regulatory requirement. Gamification can help you figure out how well your HIPAA training requirements are being met, and test employees on how much they know.

If employees have gaps in their knowledge or just need more, pivot to a strategy that fits the way they learn and what they need to know. Annual refreshers can help keep everyone up to date and in compliance.

EdgePoint Learning offers both fully-customized and off-the-shelf mobile and online eLearning HIPAA training for your employees. Let us help you find a solution that fits your needs (and your budget!).
