HIPAA Privacy and Security Training

Key Notes on Health Care Compliance from HIPAA Exams, Inc., May 2014


If you are a HIPAA Covered Entity (CE), you must provide training to all new-hire personnel, provide ongoing training for your entire workforce, and document that you have done so.

  The Privacy Rule: requires a CE to train all members of its workforce (employees, contract workers, volunteers, trainees, and management) on its policies and procedures with respect to PHI, as necessary and appropriate for the workforce members to carry out their functions within the CE.

  1. In addition to new hires, you must provide ongoing training when functions are affected by a material change in policies or procedures.
  2. Document evidence of compliance in written or electronic form and retain it.
  3. You must have in place appropriate sanctions against workforce members who violate your privacy policies and procedures or the privacy rule itself.

The Security Rule: requires a CE to train the entire workforce, including management, on security issues specific to the organization. Security training updates reflecting changes in technology and in the organization's security risks must be offered periodically.

What Should Your Privacy and Security Training Include?

Privacy and security training can be delivered through your existing educational operations. An online, modular education program that is convenient for off-site workers, contract personnel, and regular staff may be an appropriate way to meet the requirement; off-site personnel who find it difficult to attend an on-site session can meet it through online training. However you choose to comply, your privacy and security training should include the following:

  • Education: knowledge and understanding
    • Cover PHI in all forms: verbal, written, electronic
    • Policies and procedures with respect to PHI
    • General confidentiality
    • Patient rights
    • Sanctions
    • Faxing procedures
    • E-mail procedures
    • Complaints
    • Use of social media
    • General security policies
    • Physical and workstation security
    • Breaches: what is a breach, and what are the ramifications of a breach for the organization and for the individual?
    • What is the Office for Civil Rights (OCR)?
      • Understanding of the agency's responsibility to enforce the privacy and security regulations
  • Training: how-to Privacy
    • How to handle PHI in the office
    • How to report a potential privacy violation
  • Training: how-to Security
    • Procedures for guarding against, detecting, and reporting malicious software
    • Procedures for monitoring log-in attempts and reporting discrepancies
    • Procedures for creating, changing, and safeguarding passwords
  • Ongoing awareness
    • Maintain a reference area where your privacy and/or security officer keeps printed copies of the current privacy and security policies and procedures.
    • Have a process in place to evaluate your training program effectiveness and reliability.
    • Ensure that all users have completed security awareness training before receiving access to electronic PHI (ePHI).
      • This should be an ongoing effort and constantly reviewed and revised when necessary.
  • Address questions that arise from time to time.
    • Example: What should a HIPAA-compliant fax cover sheet look like?
      • The cover sheet should contain all standard information: Date, To, From, Phone, Time, Fax number to, Fax number from, E-mail address, Number of pages including cover, and Message. It should also include a disclaimer similar to: "The information contained in this facsimile message is intended for the sole confidential use of the designated recipients and may contain confidential information. If you are not the intended recipient, any review, dissemination, distribution or copying of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and return the original message to us by mail or, if electronic, reroute it back to the sender. Thank you."
      • Before sending, confirm the destination fax number against the recipient's record; a misdirected fax is a disclosure regardless of what the cover sheet says.
    • Example: How should an e-mail transmission look to be HIPAA-compliant?
      • Your e-mail must contain a disclaimer similar to: "The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message."
      • A disclaimer does not by itself protect ePHI in transit. The Security Rule's transmission security standard (45 CFR 164.312(e)(1)) still applies, so ePHI should be sent only over an encrypted channel or through a secure messaging portal, and the recipient address should be verified before sending.
Note: The federal regulations for HIPAA privacy and security training are 45 CFR 164.530 and 45 CFR 164.308(a)(5)(i).

HIPAA Exams is your source for all HIPAA requirements! Stay current with federal HIPAA requirements through up-to-date online learning from HIPAA Exams, Inc. Current educational modules are available for Covered Entities, Business Associates, Administrators, Health Care Providers, Nurses, Medical Office Staff, and other health care workers. Call with questions or to discuss your needs. We can help with any compliance training!
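The "Training: how-to Security" list above names procedures for monitoring log-in attempts and reporting discrepancies without saying what such a check looks like. The script below is an added illustration of one concrete form of that procedure; it is not code from HIPAA Exams, Inc. or from any regulation. The audit-log line layout, the field names (user=, src=), the user names and addresses in the sample log, and the threshold of five failures within ten minutes are all assumptions chosen for the example; a real system's audit log and lockout policy will differ.

```python
"""Flag log-in discrepancies in an authentication audit log.

Added example (not from the HIPAA Exams page). Two checks are implemented:
  1. 'burst': a user accumulates FAIL_THRESHOLD failed log-ins inside WINDOW.
  2. 'success_after_failures': a successful log-in that immediately follows
     such a burst, which is what a guessed or shared password looks like.
Log format, thresholds and sample data are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: ISO timestamp, result, user=<name>, src=<address>.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5             # assumed: failures that trigger a report
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting them


def parse(lines):
    """Yield (timestamp, result, user, src) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not treated as failures
        yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def find_discrepancies(lines):
    """Return {user: [finding, ...]} for users whose log-in pattern needs reporting."""
    events = sorted(parse(lines), key=lambda e: e[0])  # process in time order
    recent_fail = defaultdict(list)  # user -> [(timestamp, src), ...] inside WINDOW
    findings = defaultdict(list)

    for ts, result, user, src in events:
        fails = recent_fail[user]
        # Drop failures that have aged out of the sliding window.
        while fails and ts - fails[0][0] > WINDOW:
            fails.pop(0)

        if result == "LOGIN_FAIL":
            fails.append((ts, src))
            # Report once, at the moment the count reaches the threshold.
            if len(fails) == FAIL_THRESHOLD:
                minutes = int(WINDOW.total_seconds() // 60)
                findings[user].append(
                    f"burst: {len(fails)} failures within {minutes} min, latest from {src}"
                )
        else:  # LOGIN_OK
            if len(fails) >= FAIL_THRESHOLD:
                findings[user].append(
                    f"success_after_failures: OK from {src} after {len(fails)} failures"
                )
            fails.clear()  # a successful log-in resets the failure counter

    return dict(findings)


def report(findings):
    """Format findings as one line per issue for the security officer."""
    return "\n".join(f"{user}: {f}" for user in sorted(findings) for f in findings[user])


# Constructed sample log for the example; not real audit data.
SAMPLE_LOG = """\
2014-05-06T08:00:01 LOGIN_OK user=jdoe src=10.1.1.20
2014-05-06T08:02:10 LOGIN_FAIL user=asmith src=10.1.1.33
2014-05-06T08:02:14 LOGIN_FAIL user=asmith src=10.1.1.33
2014-05-06T08:02:19 LOGIN_FAIL user=asmith src=10.1.1.33
2014-05-06T08:02:25 LOGIN_FAIL user=asmith src=10.1.1.33
2014-05-06T08:02:31 LOGIN_FAIL user=asmith src=10.1.1.33
2014-05-06T08:02:40 LOGIN_OK user=asmith src=10.1.1.33
2014-05-06T08:15:00 LOGIN_FAIL user=jdoe src=10.1.1.20
2014-05-06T08:15:30 LOGIN_OK user=jdoe src=10.1.1.20
this line is malformed and is skipped by the parser
""".splitlines()

if __name__ == "__main__":
    print(report(find_discrepancies(SAMPLE_LOG)))
```

Running the script on the constructed log reports only asmith: a burst of five failures followed by a successful log-in from the same address, which is the case the procedure exists to catch. jdoe's single failure followed by success is ordinary user error and is not reported. The two findings map onto the training bullet directly: the burst is the discrepancy detected by monitoring, and the report output is what a workforce member hands to the security officer.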