What is the Importance of Healthcare HIPAA Training?
Why should your practice provide effective healthcare HIPAA training? Our Certified HIPAA Professional, Jim Moore, explains why HIPAA training is so important in your healthcare practice.
But first, what is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that protects patient health information. Protected Health Information (PHI) can’t be disclosed without the patient’s consent.
Criminals are after PHI. Many would rather steal your PHI than your Social Security number or credit card, because PHI is worth more. As a healthcare practice, you are at risk from criminals trying to steal your patient data.
HIPAA breaches lead to costly fines. The maximum penalty for a HIPAA violation in the highest tier is $1.711 million per year.
Healthcare Insiders Responsible for 30% of HIPAA Data Breaches
In healthcare, insiders are responsible for more healthcare data breaches than hackers.
An insider threat comes from within a practice, usually when an individual can access healthcare resources, including EMRs, healthcare networks, email accounts, or documents containing PHI.
Insider threats are not limited to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks can take actions that could negatively affect an organization. This widens the range of insider actors to include business associates, subcontractors, researchers, volunteers, and former employees.
The consequences of insider breaches can be severe. Healthcare organizations can receive heavy fines. Insider breaches can damage the practice’s reputation, cause a loss of patient confidence, and leave organizations open to lawsuits.
Healthcare Employees ‘Lack Security Understanding’
A recent report from Wombat Security reveals that healthcare employees lack an understanding of common security threats.
Respondents were asked about best practices to avoid ransomware attacks, malware installations, and phishing attacks.
Overall, the healthcare industry performed second worst for security awareness, just ahead of the hospitality industry. The survey highlighted several areas of weakness that cybercriminals could exploit to access healthcare networks and sensitive data.
Respondents from the healthcare sector performed poorly in several areas, registering a relatively high percentage of incorrect answers related to:
- Identifying phishing emails
- Securely disposing of sensitive information
- Protecting mobile devices and sensitive information
Healthcare practices are at a high risk of being targeted, yet healthcare employees are not prepared to face security challenges.
Healthcare HIPAA Training Deficiencies Highlighted in Email Threat Survey
A study conducted by HIMSS Media reveals that 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. One in four said the attacks were very or extremely disruptive.
61% of respondents said impersonation of trusted vendors was very or extremely disruptive, 57% rated credential-harvesting phishing attacks very or extremely disruptive, and 35% said data leaks and threats initiated by cybercriminals stealing users’ log-in credentials were very or extremely disruptive.
Email security solutions can block the majority of threats, yet only 79% of respondents said they had email security controls in place or were planning to introduce them.
Only 73% of surveyed organizations believed security awareness training was an essential part of their defenses against email-borne cyberattacks. This can partly be explained by the way that training is provided. 40% of respondents said they provide security awareness training less than quarterly and 27% only provide training once a year.
Cut HIPAA Breach Chances by 50%: Train Employees and Business Associates
Want to cut your chance of a data breach in half? Train employees on HIPAA and ensure your Business Associate Agreements are up-to-date.
Business Associates typically sign Business Associate Agreements to indemnify your practice. Current BAAs incorporate language to the effect that the BA is ‘directly subject to the HIPAA Security Rule,’ and require BAs to provide HIPAA training to employees. If your existing BAA doesn’t explicitly mention these two things, then it’s not current and not compliant with Federal law.
Help Healthcare Employees Understand HIPAA with Training
Let’s be clear on this one point: HIPAA training is undoubtedly mandatory. Training is an Administrative Requirement of the HIPAA Privacy Rule and an Administrative Safeguard of the HIPAA Security Rule. The HIPAA Privacy Rule stipulates that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions.” According to the HIPAA Security Rule, Covered Entities and Business Associates should “implement a security awareness and training program for all members of the workforce.”
This is why Smart Training offers different types of employee HIPAA training: our HIPAA 101 module is designed for healthcare employees, while our Business Associate training is designed for employees of Business Associates and contractors. Texas-specific versions of each address the patient privacy requirements and sanctions peculiar to the Lone Star State. We also created a breach prevention tutorial designed to help office staff understand the risks posed by ransomware and other intrusions.
Let Smart Training assist you in reaching HIPAA compliance.