What is the HIPAA Staff Training Requirement?
by Dr. Jeff Brown
The greatest threat to patient data is your staff. While malicious intent is possible, it is uncommon. Careless staff, however, are common and often the root cause of a security breach.
With good reason, the HIPAA Security Rule is riddled with references to staff training and makes mention of specific topics your training program must include.
It should be noted that a well-documented security policies and procedures manual is a precursor to training. Staff training must be derived from your policies manual; therefore, without compliant policies you cannot possibly be compliant with training.
So, what are the annual HIPAA staff training topics?
Glad you asked. Here are the topics that must be covered:
Sanction policy training
This session should closely mirror your actual Sanction Policy document, which all employees, contractors, and volunteers should sign upon hiring. A sanction policy contains many examples of violations and the associated disciplinary actions.
The simple act of educating employees about violations, and the consequences should a violation occur, is arguably the easiest and most effective HIPAA safeguard to implement.
Breach notification training
It’s perfectly reasonable to simply read your practice’s breach notification policy to workforce members; however, some of its content is relevant only to your privacy officer and practice owner(s), so feel free to skip material beyond the definitions and the importance of promptly reporting a possible breach to the privacy officer.
With that said, to reinforce why security must be taken seriously, you may choose to outline the reporting process your practice is required to follow in the event patient data is compromised.
Password management training
HIPAA requires that staff be informed of their responsibilities under your practice’s password management policy. Given that you already have a password policy, this training session will be quick. Training content must cover:
- The number of unsuccessful logon attempts allowed before the account is locked
- Password requirements regarding:
  - Avoiding common words, names, initials, birthdays, or phone numbers
  - Refusing offers by software and Internet sites to automatically log in (saved credentials)
  - Password confidentiality (never shared, written down in the open, or reused across systems)
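The two items in that list that a system can actually enforce are the lockout threshold and the "don't build it from personal details" rule. The following Python example, added here to show what those rules look like when enforced rather than merely taught, is not from the article or from HIPAAMATE; the threshold of 5 attempts, the 12-character minimum, the short common-word list and the sample user "Jane Brown" are all constructed assumptions standing in for whatever your written policy specifies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample values for this example. The practice's written password
# policy sets the real numbers; these are assumptions, not HIPAA-mandated values.
MAX_FAILED_ATTEMPTS = 5
MIN_LENGTH = 12
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "clinic", "summer"}


@dataclass
class UserProfile:
    """Personal details the policy says a password must not be built from."""
    first_name: str
    last_name: str
    birthdate: str  # ISO format YYYY-MM-DD
    phone: str      # any formatting; only the digits are used


def _digits(text: str) -> str:
    return re.sub(r"\D", "", text)


def check_password(password: str, profile: UserProfile) -> list[str]:
    """Return the policy rules a proposed password violates (empty list = accepted)."""
    violations = []
    lowered = password.lower()
    letters = re.sub(r"[^a-z]", "", lowered)
    pw_digits = _digits(password)

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    for word in sorted(COMMON_WORDS):
        if word in lowered:
            violations.append(f"contains common word '{word}'")

    for name in (profile.first_name, profile.last_name):
        if len(name) >= 3 and name.lower() in lowered:
            violations.append(f"contains name '{name}'")

    # Catches "JB1985"-style passwords: the only letters are the user's initials.
    initials = (profile.first_name[:1] + profile.last_name[:1]).lower()
    if letters and letters == initials:
        violations.append("letters are just the user's initials")

    # Birth date in the common numeric layouts (year, MMDD, DDMM, full date).
    year, month, day = profile.birthdate.split("-")
    for pattern in (year, month + day, day + month, year + month + day, month + day + year):
        if pattern in pw_digits:
            violations.append("contains birth date")
            break

    # Full phone number or its last four digits anywhere in the password.
    phone_digits = _digits(profile.phone)
    if phone_digits and (phone_digits in pw_digits or phone_digits[-4:] in pw_digits):
        violations.append("contains phone number")

    return violations


@dataclass
class LoginGuard:
    """Counts unsuccessful logons per account and locks the account at the threshold."""
    max_attempts: int = MAX_FAILED_ATTEMPTS
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, username: str, password_ok: bool) -> str:
        # A locked account stays locked even if the right password is now supplied;
        # unlocking is an administrator action, not something the login path does.
        if username in self.locked:
            return "locked"
        if password_ok:
            self.failures.pop(username, None)  # a good logon resets the counter
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_attempts:
            self.locked.add(username)
            return "locked"
        return f"denied ({count}/{self.max_attempts} failed attempts)"


if __name__ == "__main__":
    jane = UserProfile("Jane", "Brown", "1985-03-14", "(555) 867-5309")  # constructed sample user
    for candidate in ("JB1985", "brown2024!!!!", "Password5309!", "correct horse battery staple 42"):
        print(f"{candidate!r}: {check_password(candidate, jane) or 'accepted'}")
    guard = LoginGuard()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.attempt("jbrown", password_ok=False))
    print(guard.attempt("jbrown", password_ok=True))
```

The point of the lockout class is the last line of the usage: once the account is locked, even the correct password is refused, which is what "locked" has to mean for the training to be honest with staff about why they must call the privacy or IT officer to get back in.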
Emergency operations training
Discuss procedures for managing and documenting patient encounters when EHR and PM systems are unavailable due to planned or unplanned outages, and your plan for restoring systems and recovering data following an emergency.
You guessed it, all you’ll do is review with staff your written emergency operations plan (a.k.a. contingency plan) and data backup plan, both of which should be a part of your policies and procedures manual.
Workstation use training
There are two learning objectives, the first of which is employee responsibilities. Examples of employee responsibilities include: challenge unrecognized personnel, workstation configuration (e.g., inhibit incidental screen viewing by non-employees), home use of practice assets, and a clear desk, clear screen policy.
Malware basics training
Considering the proliferation of ransomware, this topic is of great interest. Content must include email phishing schemes, what to do if you suspect an infected workstation (stop using it and report it immediately rather than trying to clean it yourself), and malware prevention. Sufficient training here will greatly reduce the likelihood that a virus wreaks havoc on your systems.
This article won’t be complete without discussing training documentation requirements. You’ve heard the saying "if it wasn’t documented, it didn’t happen." The same is true with HIPAA compliance; if you don’t document your efforts, then it’s going to be tough proving you did anything at all.
At a minimum, training records should include a date, what topics were covered, and who was in attendance. It’s that simple.
Remember, relevant and regular staff training will do more to protect patient information than any other HIPAA safeguard. Plus, it’s free to implement if you do it yourself (or use a service like HIPAAMATE).
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.