Health Insurance Portability and Accountability Act (HIPAA) privacy regulations direct your medical practice to protect your patients’ Protected Health Information (“PHI”). HIPAA security regulations require that PHI in electronic form (“ePHI”) be securely stored and processed by your medical practice.
PHI is health information that identifies an individual and is created, used or disclosed by your medical practice. PHI and ePHI are key components in modern medical practices. They are used to treat patients, create and use medical records, obtain payment for treatment and in numerous other aspects of the operations of the medical practice. Simply put, a medical practice could not exist without PHI or ePHI.
Medical practices should implement a HIPAA compliance plan covering at least the following basic requirements:
- Training;
- Assessments (Security and Privacy);
- Policies and Procedures (and other written documentation); and
- Regular compliance plan reviews.
HIPAA Training Requirements
Training — the first element of a HIPAA compliance program — is required by the HIPAA privacy[1] and security regulations.[2]
HIPAA Privacy Rule
The HIPAA privacy regulations require privacy training for all members of your work force,[3] as necessary and appropriate for them to perform their jobs within your medical practice. The training should at least cover the privacy policies and procedures that have been prepared to support your practice’s HIPAA compliance program. Our Medical Guardian product contains over 40 policies and procedures and 42 compliance tools and forms, so there are plenty of training topics to choose from. Some of these may include:
- Notice of Privacy Practices
- Patient rights and how to protect them
- Permitted Uses and Disclosures (not requiring a patient authorization)
- Uses and Disclosures that do require an authorization (and the required content of an authorization and procedures for obtaining one)
- Sanctions
- Prohibition of retaliatory acts against workforce members
The Privacy Rule requires medical practices to implement appropriate administrative, technical, and physical safeguards to protect PHI. The security measures the medical practice uses to protect PHI are good training topics in their own right, in addition to the security safeguards itemized in the Security Rule to protect ePHI.
Security Rule
The Security Rule requires medical practices to implement a security awareness and training program for all work force members including management personnel. The security topics include:
- How users can guard themselves from malware (including ransomware), including detection and reporting;
- Procedures for monitoring log-in attempts and reporting discrepancies;
- Password management;
- Periodic reminders on security best practices; and
- All other security practices to protect PHI (as described above).
Malware training includes methods for telling the difference between a legitimate email and a fake “phishing” email used to deliver malware. Also included in malware training are the procedures to be followed in the practice to properly report email phishing and possible malware attacks.
The medical practice will also train employees on monitoring computer log-in attempts and how to report discrepancies.
Password management training covers best practices and procedures for creating, changing, and safeguarding passwords.
Periodic reminders are short training programs or notices to raise security awareness. They can be included in periodic updates during office meetings, on the startup page of workstations or in regular updates in a blog or in a posting in the office kitchen.
Violations and Enforcement Actions
Medical practices that do not provide training will be in violation of HIPAA. This may subject the medical practice to fines and resolution agreements (which may require annual government audits for 3 years). Please see last quarter’s eNote for a complete discussion of HIPAA enforcement.