Do you need HIPAA training?

Every organization that must comply with HIPAA must conduct employee training; if you work for such an organization, you must have regular HIPAA training.

What organizations have to comply with HIPAA? The short answer is any US-based organization that processes, stores, or transmits protected health information. Protected health information (PHI) is health-related data that is identifiable or health-related data that is combined with personally identifiable information (PII).

The long answer is a little more nuanced. Technically, PHI is created during the provision or delivery of a healthcare service. PHI always originates from one of three types of entities, which HIPAA calls Covered Entities:

1. health insurance companies;
2. healthcare providers; and
3. healthcare clearinghouses (basically companies that exchange healthcare insurance payments).
   

If you work for one of those types of organizations, you must comply with HIPAA and must receive HIPAA training.

In addition to Covered Entities, organizations that provide services or products to Covered Entities (or other Business Associates) must comply with HIPAA. These organizations are called Business Associates. Examples include EHRs, telemedicine platforms, clinical communications tools, and other technology vendors with Covered Entity customers.

What training does HIPAA require?

HIPAA defines training requirements in two places, one within the Privacy Rule and one within the Security Rule; these are the two major sections, or rules, of HIPAA. In both definitions, the specifics of the training are vague and largely up for interpretation. What is not up for interpretation is whether HIPAA mandates training for all workforce members - it does.

It’s important to remember that HIPAA applies to a wide variety of entities from individual medical providers to large insurance companies to modern technology companies. This is why the training required by HIPAA is vague (more on that later).

Here is the specific language around training from HIPAA.

• Privacy Rule - (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
• (2) Implementation specifications: Training.

• (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

• (A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
• (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
• (C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

• (ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

• Security Rule - (i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
  

The two training sections are wordy but simple to interpret. HIPAA requires:

1. Training on compliance policies and procedures; and
2. Training on security awareness.
   

These are not the same, though in practice many organizations only have one HIPAA training, which often does not meet requirements. Compliance training, or training on policies and procedures, is different from security awareness training. Policies and procedures define the why and how while security awareness should be the practice implementation (concepts like password hygiene).

How often should HIPAA training take place?

HIPAA training should be conducted:

• at onboarding for new employees
• when changes are made to compliance policies and procedures
• when changes are made organizational security awareness
• and on a regular cadence, with annual being the longest acceptable interval

10 Features of Effective HIPAA Training in 2020

Most organizations fail at offering effective HIPAA training to their workforce. Current approaches to HIPAA training are outdated, generic, infrequent, and do not practically apply to the day-to-day work of employees in 2020. On top of that, HIPAA training does not cater to technology companies or technology groups in healthcare.

Employees represent the largest threat to corporate systems and data. Unfortunately, they’re also the most common cause of security incidents and data breaches. With remote workers and cloud-based technologies extending the human threat vector, it has never been more important to get HIPAA training right.

Effective privacy starts with privacy policies and procedures. Translating policies into day-to-day work, ensuring they are followed, and maintaining evidence of their execution is not easy.

At Haekka, our team has created and taken part in HIPAA training across every category of Covered Entity, Business Associate, and Sub-contractor. We’ve also participated in or have run over 1,000 privacy audits and assessments. In order to be successful with training, and to limit the risk to organizations, HIPAA training needs to be engrained into the culture of the organization. In our experience, the following ten elements are essential aspects of effective HIPAA training.

1. Make it understandable

Privacy policies should be the basis for the actions of employees. Training should help to educate employees on policies and procedures so they can apply them. Often policies are written in the fashion of regulations they are meant to address and regulations are often written by lawyers and legislators. Auditors should decipher the meaning and application of regulations, not your employees.

The ideal solution to this problem is to re-write policies in ways that make them easily readable and understandable. Verbose policies do not equal better or more complete policies. Unfortunately, since privacy policies anchor entire compliance programs, it is usually not feasible to rewrite them. That means training needs to do the heavy lifting of translating policies into content that can be easily understood and relatable.

This is harder than it seems. Translating 20-year-old regulations like HIPAA, or even recent regulations like GDPR, into training that is understandable is hard. Technical, regulatory, and legal jargon should not be used. And referencing paper processes, something some antiquated pieces of training do, will lose the learner’s attention.

The best advice is to not re-write or re-word the regulatory rules or your policies. Instead, try distilling your policies down into digestible pieces that simply state the intention of the policy without the regulatory jargon. 

2. Continual, with spaced repetition

In order to effectively implement privacy through training, employees should be engaged with training on a regular basis — not only during onboarding and annually, as is the bare minimum most auditors expect to see. The bare minimum simply checks the box and increasingly does not meet the regulatory requirements for continual workforce and compliance program improvement.

Spaced repetition, or repeating the same lessons at different intervals, is a well-established system to improve retention in learners. Onboarding is typically a stressful time with many things to learn, meaning retention of privacy-related training is low. After onboarding, when we then conduct privacy training on an annual basis, there is very little retention of the content as it is too widely spaced in time. Below is a great overview of spaced repetition for learning.

https://youtu.be/cVf38y07cfk

There is not a prescriptive approach in terms of the cadence to use for privacy training but there is research-based evidence for best practices. At the very least, we recommend a cadence of weekly. This assumes the content being taught weekly is bite-size. This cadence can be modified to extend the timeline to every other week or monthly. Any of these options are better than annual training, which is not training at all but simply doing what is required to hopefully pass an audit.

The additional benefit of continual training is it helps to keep privacy top of mind. User data privacy should be a part of day-to-day work for most of your employees, whether they are big impactful decisions like do I default access to this database to off unless necessary or smaller decisions like how best do I reply to this user request for information about our privacy practices.

3. Scenario-based

Similar to translating legal and regulatory language to understandable terms, training also needs to be delivered via scenarios. Using real-world scenarios helps to engage learners and promote mastery of the subject by connecting learners to the material and allowing them to see how it applied to their work.

Creating and maintaining a catalog of privacy-based scenarios is challenging and very few organizations do it. It requires an understanding of the regulation as well as the day-to-day work of specific employees and departments. That said, it is one of the most powerful ways to promote privacy across your organization and increase comprehension of the privacy regulations to which your organization must comply.

Below is an example HIPAA scenario from Haekka.

You work for a company that offers storage technology for medical records. For the last 2 years, you have tried to sell to health systems so they can offer your product to their patients, making it easier for them to access their medical records and make more informed decisions about their care.

Unfortunately, in all that time you have been able to connect to exactly zero health system databases. You have learned, painfully, that most medical records in 2020 reside in EHRs and that integrating with those EHRs is very hard. You also know that it doesn’t scale as pretty much every health system EHR is its own silo.

Your company has decided to offer your product directly to consumers. To get around the challenges of connecting to EHRs, you’ve put the onus on patients, your target users, to act as a go-between the EHR and your product. You have flexible import options for their health record, making onboarding customers relatively simple.

Which of the following is true? (choose all that apply)

1. Your company is a business associate and needs to sign business associate agreements with all the hospitals in which your customers pull medical records.
2. HIPAA requires health systems to provide medical records to patients who request them.
3. The process for requesting health records and format for those records is defined by HIPAA.
4. Your company is now a subcontractor of the EHRs where your customers get their records.
5. Your company is not covered under HIPAA because you are not a covered entity or business associate.
   

As you can see reading the above, scenarios make privacy and HIPAA engaging and relatable. HIPAA regulations, policies, and procedures need to be mapped to the situations in which employees find themselves and scenarios are the best way to do that.

4. Training in context

When training is done outside of the context of the environment in which work is done, it is not retained and it is not effective. If the goal of HIPAA training is to implement privacy across your workforce, scaling your compliance program, then the training itself needs to be delivered in the context of the work of your employees.

Privacy training is often given in classrooms or in groups. This training is wholly detached from the context in which people work, making the training highly ineffective. Sometimes training is done electronically, and learners need to go through long HIPAA courses of static content. None of this training fits with the tools, workflows, and processes that people use each day. Cognitively, these forms of privacy training are separate from work.
‍

HIPAA training should be delivered to learners where they are. This means within their physical and digital work environment. For many workers in healthcare, the work environment is not clinical yet most of the published HIPAA trainings are meant for clinical staff. If a learner is a call center worker, training should be done in the call center and shown with examples in the call center software. If a learner is a software developer, training should incorporate privacy settings and procedures for the software development tools used (on and on).

5. Adaptive

The roles that are concerned about HIPAA and PHI have grown immensely. It's not just employees in clinical settings.

HHS HIPAA training is geared toward healthcare providers. We’ve taken clinical HIPAA training before and, while it is at least targeted to the function of the providers, it does a poor job at promoting comprehension. The reality is that healthcare involves a lot of different roles that all need HIPAA training.

Training software developers on how to handle paper medical records is useless. Training doctors on a secure software development lifecycle is equally useless. Training customer support in designing compliance programs is useless. Specific training curriculum and snippets should be adapted to the specific roles of employees.

Adaptive training has been found to improve comprehension by over 20%. This is pretty astounding, and the reason why almost all modern educational platforms used in school are adaptive in nature. Yet, when it comes to privacy training, what we provide to employees is often static, one size fits all training.

Below is a video with examples and research about adaptive learning and adaptive technologies used in education.

https://youtu.be/nCy15W7jWCc

6. Bite-Size Content

A key enabler of effective training is breaking training down into digestible chunks. There is always going to be the need for primers and introductions to HIPAA, and these have a place with new hire onboarding. But, these monolithic trainings should be intended to be primers and not be seen as a means to effectively educate your employees about HIPAA and privacy.

Effective training is focused on and covers a limited set of topics. In the case of HIPAA, this means a limited set of the HIPAA rules themselves or of corporate privacy policies. Scenarios are a great way to focus content.

Bite-size training content also enables delivery within existing tools such as chat programs like Slack or via email. These programs are where a lot of work is done so the training is delivered and completed in the context of daily work.

The key to successfully breaking HIPAA training into bite-size content and delivering on a continual basis is with proper content management. Training needs to be organized and tagged in ways that make it easy to store, retrieve, and link to other training material. Traditional LMS systems fall short of this as their tagging and content management were not built for agile training but for organizing traditional, monolithic training.

7. Engaging

A goal for HIPAA training should be to continually engage learners. Engaging students in learning improves the experience of learning and increases comprehension of the subject. 

HIPAA and privacy training does not have to be dry. As un-fun as it can seem, complying with HIPAA rules and privacy policies is only growing in importance. We must find ways to creatively present the content. Scenarios, feedback, quizzes, and mixing the type of content are key ingredients for effectively engaging learners.

8. Remote work

Remote work is not new, even to healthcare. Doctors use home computers and mobile devices and have for many years. Increasingly, technology workers and customer support in healthcare operate in remote settings, if not part of the time then all of the time.

Work is done on computers in the office and on employee-owned phones at home. Even coffee shops for some workers who work should comply with HIPAA.

HIPAA training needs to take this into account and incorporate lessons that apply to all of these settings. The ways in which people connect, the ways they share data, the places they leave their devices, and the conversations they have in public or semi-public areas need to map to privacy policies and HIPAA rules. Employees need HIPAA training to understand how best to conduct work in remote settings.

9. Modern Technology

The reality of healthcare work today is that it involves modern technology. Doctors and nurses use smartphones. Healthcare companies build and support modern, cloud technologies while they also buy SaaS applications.

On the other side of healthcare, patients use the Internet to find information and access healthcare services, a trend that is exploding in the midst and aftermath of COVID-19.

HIPAA and privacy training would be incomplete if it did not cover the application of the HIPAA rules and corporate privacy policies to modern technology. This mapping of rules to modern technology takes time but is the only way to make HIPAA training relevant to the software and devices people use every day.

10. Feedback loops

Feedback is a two-way street. When it comes to privacy training, learners should get regular feedback on their progress and learners should be able to provide feedback on privacy training.

When it comes to feedback to learners, research shows that more feedback and less teaching is best. This is hard to do with privacy training, at least at scale. One effective way to do this is to leverage technology and gamification to show learners how they are improving, tell them where gaps in comprehension exist and provide clear learning pathways to fill gaps. At Haekka, we do this through intelligent employee profiles that build upon all interactions with privacy training - time spent on training, questions answered correctly, and categories of questions asked about corporate privacy policies.

On the flip side, one of the missed opportunities with privacy training is getting feedback from learners and using that feedback to continually improve training. Even if you try to apply all of the above features, there are bound to be areas for improvement or adaptation of training. Feedback should be continuous and encouraged, ideally in some way that makes storage and interpretation of feedback efficient.

How effective HIPAA Training builds a culture of privacy

Given the current regulatory landscape and public perception, privacy should be a board level, organizational-mission aligned initiative. The collection, storage, and usage of personally identifiable information (PII) and protected health information (PHI) is a liability, a liability every organization needs to address. To successfully minimize the risk associated with PHI, organizations need to build and maintain a culture of privacy. Security by design and default is not unique to GDPR, it is imperative for every healthcare organization.

Effective HIPAA Training helps to tactically turn privacy policies and procedures into execution. Following policies and procedures is the best way to mitigate risk to your organization and user data. It also makes auditing and security assessments much easier.

When assessing the maturity of your privacy and compliance program, the execution of your policies and procedures fall within the 3rd stage, Implementation. Most audits and compliance certifications in 2020, including HITRUST, require that the majority of your requirements are at the Implementation stage. Effective privacy training gets you much of the way there.

But, there will always be times when employees do not have a playbook or specific steps for the work they are carrying out. In these instances, your workforce is the bridge between your privacy policies and your technical implementations, your interactions with users, and your documentation. The way to succeed in implementing privacy when there is no playbook is to build a culture of privacy.

A culture of privacy is just that - a part of the culture of your organization. Much like “customer-first” or “move fast and break things”, privacy should be a part of decision making. Scaled decision making must align to the highest levels of an organization, which is why privacy must align with organizational mission and values.

Effective HIPAA training helps to build a culture of privacy. It empowers employees to make choices involving privacy. It helps measure the execution of privacy across your organization in a safe, low consequence way. It helps identify and target areas for improvement. And it helps to foster privacy champions that can scale privacy.

Privacy training, done right, takes privacy and compliance from a bolt-on or check-box to an integrated part of the way your organization lives and breaths. In so doing, it builds a culture of privacy that extends trust to your users, customers, and partners.

Haekka HIPAA Training

Haekka offers HIPAA training that ensures all of the above. Our training includes best practices for general privacy so your workforce can connect the dots between HIPAA and the broader privacy of end-user data. Our content is adaptive, meaning training is relevant to the roles and functions employees play. All training is continually refreshed so it remains relevant.

All Haekka training is logged, meaning you have everything you need come audit time or security assessment time with your partners and customers. This audit trail is highly granular and available to export anytime, saving you and your team countless hours responding to evidence requests.

In addition, we provide metrics to continually gauge and improve privacy training and execution. Haekka customers lean on us to help them build a culture of privacy across their entire workforce.

We are 100% focused on turning privacy into execution. We make sure all employees are properly trained and that your auditors have the proof they need.

Resources for HIPAA training

Below are some links to learn more about HIPAA training.

• https://www.hhs.gov/hipaa/for-professionals/training/index.html