What is HIPAA Training for Healthcare Workers?

HIPAA training for healthcare workers is the training workforce members receive so that they can safeguard the privacy and security of Protected Health Information (PHI) in line with their employer’s HIPAA policies and procedures. Unfortunately, gaps in workers’ underlying HIPAA knowledge and understanding can undermine the benefits of that training.

Since 2009, HIPAA covered entities have been required to notify HHS’ Office for Civil Rights of breaches of unsecured Protected Health Information (PHI), including impermissible disclosures that compromise the privacy or security of PHI. Since the 2013 Omnibus Final Rule, business associates of HIPAA covered entities have been directly liable under the same Breach Notification Rule; a business associate must notify the covered entity of a breach, and the covered entity notifies HHS’ Office for Civil Rights. Notification is required regardless of how many records may have been lost, stolen, viewed impermissibly, or otherwise compromised, although breaches affecting fewer than 500 individuals are reported annually rather than within 60 days of discovery.

In 2014 – the first full year for which comparable records are available – a total of 54,247 impermissible disclosures and data breaches were notified to HHS’ Office for Civil Rights. In 2022 – the most recent year for which comparable records are available – a total of 64,592 impermissible disclosures and data breaches were notified to HHS’ Office for Civil Rights – an increase of almost 20%.

An analysis of the two years’ reports shows that the increase in notified impermissible disclosures and data breaches is not primarily attributable to the increasing sophistication of cybercriminals. More than two-thirds of notifications citing “Unauthorized Access/Disclosure (to PHI)” as the reason for the notification were attributed to unauthorized access to or disclosure of “Paper Records”, which are not exposed to remote attackers at all.

Because around three-quarters of notifications are submitted by healthcare providers, it is reasonable to infer that a large share of notifiable events each year, in the region of thirty thousand, is attributable to the carelessness of healthcare workers rather than to external attacks. One of the most plausible explanations for negligence on this scale is the failure to provide effective HIPAA training for healthcare workers.

Why Might HIPAA Training for Healthcare Workers be Ineffective?

There are three primary reasons why HIPAA training for healthcare workers might be ineffective. The first is that the HIPAA Privacy Rule training standard (45 CFR §164.530(b)) only requires HIPAA covered entities (and business associates “where provided”) to train workforce members on the covered entity’s own policies and procedures with respect to PHI, and only as necessary and appropriate for those workforce members to carry out their functions. The Security Rule separately requires security awareness and training (45 CFR §164.308(a)(5)), but neither standard requires training on HIPAA itself.

This can leave gaps in healthcare workers’ HIPAA knowledge if the HIPAA covered entity does not implement adequate policies and procedures, or if a healthcare worker’s functions do not involve (for example) responding to patients’ requests for privacy protections, so the worker is never trained on them. In these circumstances, it is easy to see why a healthcare worker who encounters a situation the training did not cover might impermissibly disclose PHI in violation of the HIPAA Privacy Rule.

The second reason why HIPAA training for healthcare workers might be ineffective is that new members of the workforce arrive with different levels of existing HIPAA knowledge. Consequently, even when HIPAA training for healthcare workers is comprehensive, some new members of the workforce may have difficulty understanding and applying HIPAA policies and procedures because they lack the background knowledge the training assumes.

The third reason is that HIPAA training rarely focuses on the real consequences of HIPAA violations: operational disruption, medical identity theft, and a loss of trust in the provider-patient relationship. If training emphasized these consequences, rather than corporate or workforce sanctions, it might make healthcare workers more careful when using or disclosing PHI.

Including the real consequences of HIPAA violations in HIPAA training can also make security awareness training more relatable. It is noticeable that the second most common reason for breach notifications is misdirected communications, such as PHI sent to the wrong recipient. If healthcare workers took more care when sending PHI by email (for example, confirming the recipient’s address rather than relying on address autocomplete), it could reduce the number of data breaches by up to five thousand per year.

How to Improve HIPAA Knowledge and HIPAA Understanding

One way to improve HIPAA knowledge and understanding among healthcare workers is to subscribe workforce members to a HIPAA basics training course. HIPAA basics training courses cover subjects that apply to all HIPAA covered entities and business associates, so that every healthcare worker knows (for example) what PHI is, which uses and disclosures of PHI are permitted, and when the minimum necessary standard applies.

While providing a HIPAA basics training course does not fulfill the requirement to provide HIPAA policy and procedure training, it ensures members of the workforce go into policy and procedure training (and security awareness training) with a base level of HIPAA knowledge and HIPAA terminology that makes in-house training easier to understand. If in-house training is better understood, it is more likely to be complied with.

HIPAA basics training courses are widely available on the Internet, and it is advisable to evaluate those accredited by a recognized training assessor (e.g., AHIMA), that align with in-house training, and that award a certificate of completion when members of the workforce pass an end-of-course test. The certificate of completion can be used to demonstrate a good faith effort to be HIPAA compliant in the event of a compliance audit or investigation, alongside the covered entity’s own records of the policy and procedure training it provided, which the Privacy Rule requires it to document.

With regard to making HIPAA training for healthcare workers more relatable and encouraging carefulness, it is recommended to review reports into the impact of data breaches and medical identity theft and to ask trainees “how would you feel if your carelessness led to the misdiagnosis, mistreatment, or death of a loved one?”. This tends to be more effective than threatening healthcare workers with sanctions such as warnings and further HIPAA training.

Workforce Responsibility for HIPAA Knowledge and Understanding

It is easy to blame avoidable HIPAA violations by healthcare workers on training regulations that are too narrow in scope, on the failure of employers to foresee reasonably anticipated threats, and/or on the lack of incentives to support workforce compliance. However, healthcare workers also have a responsibility to safeguard the privacy and security of PHI that goes beyond the policies and procedures implemented by a HIPAA covered entity or business associate.

For this reason, HIPAA basics training courses can also be subscribed to by individuals. As mentioned above, healthcare workers should evaluate accredited training courses that align with workplace policies and procedures and that award a certificate of completion. Some also award Continuing Education Units (CEUs) that contribute towards the renewal of professional licenses, although it is best to check that the CEUs are recognized by each relevant licensing body before enrolling.

Existing members of a HIPAA covered entity’s or business associate’s workforce who feel their HIPAA knowledge and understanding would benefit from a HIPAA basics training course are advised to speak to their employer’s HIPAA Privacy Officer. Individuals looking for a course that could improve their employment prospects are advised to seek out HIPAA basics training courses that offer a free trial before requiring a subscription to access the rest of the course.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]