
Training Employees in HIPAA

by Erik Kangas, January 18, 2016

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The act protects workers from losing their health insurance coverage when they change jobs, reduces health care fraud, sets industry standards for electronic billing and other health care transactions, and requires the confidentiality of individually identifiable health information.

It’s important to educate workers in industries such as health care to ensure they comply with the standards set by HIPAA. It’s also crucial that your employees know how to handle sensitive data correctly if your organization is audited or investigated. Here’s what you need to cover when training your employees in HIPAA.

Why Privacy is Important

First and foremost, employees have to understand why privacy is such a significant part of HIPAA. If they don’t understand why it matters, it’s easy for them to start cutting corners.

Start by explaining that patients and clients trust you with this data. If data is not protected, it will diminish your organization’s credibility and put your reputation — and possibly your entire business — on the line. Patients have a right to their privacy, and it’s the employees’ job to handle their information confidentially.

Continue the conversation by explaining that patient privacy is the law under HIPAA, and that a privacy breach can result in civil penalties of up to $1.5 million per calendar year for violations of the same provision (the cap is adjusted for inflation), with criminal penalties possible for knowing violations. Try to find real-life stories of privacy breaches and the fines those organizations incurred because of them.

What Is Expected of Employees?

When training your employees, be specific about what is expected of them. It’s not enough to say, “Keep patient information private.” Detail what types of information your organization stores, which of it is protected health information (PHI) under HIPAA, and who is allowed to view that information (the patient, the patient’s doctor, billing staff, etc.).

Educate your employees about the specifics of your organization. Where is the information stored? What types of security measures are in place to secure that data? Which doors should be locked/unlocked during business hours? What’s the company’s visitor policy?

Your employees should also know what to do in the event of suspicious activity or a breach. Is there an anonymous method in place for filing a report? Discuss the specifics of how to do this.

What Document Expectations Are in Place?

Once you’ve covered expectations for physically handling sensitive information, cover what is expected of documentation practices. First, go over your document retention policy with them. Explain that HIPAA requires covered entities to keep their compliance documentation (policies, procedures, and required records such as training logs and risk assessments) for at least six years from the date it was created or last in effect, whichever is later, and that state law often requires medical records themselves to be kept for longer.

Other questions you’ll want to answer in your training include:

  • How do employees go about filing documents?
  • Who can access these documents, and what should employees know about accessing them?
  • How do you dispose of paper documents once the retention period has passed (for example, shredding rather than recycling)?
  • How do you dispose of computers and drives that contain sensitive digital information, and who is responsible for wiping them first?
  • Where should you store data, and where should you never store data (such as unapproved shared folders, personal email, or personal devices)?

How Should Employees Use Computers?

With so much sensitive data stored on computers, it’s crucial that your employees practice safe computing habits. Data breaches commonly stem from poor computer practices; weak or stolen credentials alone were exploited in 76 percent of network intrusions according to the 2013 Verizon Data Breach Investigations Report.

Detail what employees can and can’t use work computers for (such as work-related email but not Facebook). Explain your policies regarding passwords, document sharing, document access, use of removable media like USB drives, and so on. You’ll also want to cover how to spot phishing emails and other signs of malware. Finally, detail what to do if an employee notices suspicious activity.

After you’ve completed HIPAA training, be sure to maintain detailed records of who completed it, when, and whether they understood the procedures you covered; these records are what an auditor will ask for. Consider offering a quiz at the end of the training to confirm trainees were paying attention. Repeat training annually and whenever your policies or systems change materially, although you may choose to offer employees a pre-quiz so they can test out of the refresher.

About The Author
Erik Kangas
Erik Kangas started his own company, LuxSci, a software-as-a-service company specializing in email and web security. Erik has architected and developed LuxSci's offerings, leading the company through its 15-year history to its current position as a well-respected provider of extremely high quality and robust email services. Erik has taught computer programming and database design at a number of organizations in the Boston area, such as Volpe and MIT. He consults on email best practices, secure web site architectures, and HIPAA compliance to organizations around the globe. Erik received his PhD in computational biophysics from MIT and also worked at Akamai Technologies as a senior software engineer in web applications.