Why is HIPAA Training Important?

HIPAA training is important because if workforce members fail to comply with HIPAA policies and procedures due to a lack of knowledge, understanding, or care, it can result in operational disruptions, medical identity theft, and the loss of trust in patient-physician relationships – any of which can have adverse consequences for patients.

HIPAA covered entities and business associates (“HIPAA-regulated entities”) are required to comply with the HIPAA training requirements. The requirements are that HIPAA-regulated entities must develop policies and procedures with respect to Protected Health Information (PHI) that are designed to support HIPAA compliance and train members of the workforce on policies and procedures that apply to their functions.

In addition, HIPAA-regulated entities must provide a security awareness and training program for all members of the workforce. The program must be designed in accordance with the General Requirements of the HIPAA Security Rule (§164.306(a)) in order to protect against any reasonably anticipated threats to the security of electronic PHI and any reasonably anticipated uses or disclosures of PHI not permitted by the HIPAA Privacy Rule.

Why is HIPAA Training Important?

HIPAA training is important because the objective of HIPAA training is to train members of the workforce on best practices to safeguard the privacy and security of PHI. When members of the workforce are not trained – or not trained effectively – the privacy and security of PHI can be compromised due to a lack of knowledge, understanding, or care. Sadly, the consequences of HIPAA training failures go beyond sanctions and financial penalties.

When the privacy and security of PHI is compromised, it can have significant adverse consequences for patients – and not only for patients whose PHI has been compromised. In 2019, researchers found that remedial efforts following a HIPAA data breach resulted in delays to the timeliness of care, a deterioration in the quality of care, and an increase in the hospital mortality rate for three years following the triggering event.

Patients whose PHI has been compromised and misused commonly suffer adverse consequences due to inaccuracies in their medical records. In a 2013 survey, 21% of Medicare respondents were misdiagnosed, 25% suffered delays in treatment, and 9% were prescribed the wrong pharmaceuticals due to somebody else misusing their PHI to obtain health care, medical devices, and prescription drugs in their name.

A subsequent survey into the consequences of medical identity theft asked respondents whether they had lost trust in the patient-physician relationship when the misuse of their PHI was attributable to their healthcare provider’s negligence. 35% of respondents said that being the victim of medical identity theft had diminished some trust in their healthcare provider. 50% of respondents said it had significantly impacted their trust.

How to Reduce HIPAA Training Failures

Most impermissible disclosures and data breaches in healthcare involve an inside human element. Most commonly, inside human elements have been responsible for data breaches due to a lack of knowledge (e.g., interacting with a phishing email), a lack of understanding of workplace policies (e.g., denying patients access to their medical records), or a lack of care (e.g., snooping on medical records and sharing PHI via social media).

The most common response to these events – as per HHS’ Breach Report Archive – is retraining. This implies that the workforce members’ initial training was ineffective or was not refreshed frequently enough. The way to make HIPAA training more effective is to ensure that all members of the workforce have a basic knowledge of HIPAA so they can better understand – and better comply with – workplace policies and procedures.

There are many online basic HIPAA training courses that cover subjects such as permissible uses and disclosures of PHI, patients’ rights, and how to use healthcare technologies in compliance with HIPAA. These can be a good foundation for policy and procedure training and security awareness training because they explain why PHI is targeted by cybercriminals and how cybercriminals exploit human vulnerabilities to deploy cyber-attacks.

With regard to the lack of care issue, HIPAA-regulated entities can use reports of recent cyber-attacks to emphasize why care is important. For example, due to an employee of Ascension Health “accidentally” downloading a malicious file in May 2024, at least one patient died and dozens more experienced medication errors due to healthcare professionals being unable to access EHRs, test results, and routine safety checks.

What Individuals Can Do To Improve HIPAA Knowledge

Individuals who believe they need to improve their HIPAA knowledge can also subscribe to online basic HIPAA training courses. In many cases the courses award a certificate on completion, which can be used to demonstrate a good faith effort to be a HIPAA compliant employee. Some courses also award Continuing Education Units (CEUs), which can contribute to state licensing requirements.

Individuals interested in subscribing to an online basic HIPAA training course are advised to ensure the course is accredited by a recognized training assessor. They should also request a free trial of the course before committing to a subscription, in order to ensure the content of the course aligns with the content of workplace policies and procedures. If you require further advice about online HIPAA training courses, you should speak with your HIPAA Privacy Officer.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]