The Health Insurance Portability and Accountability Act (HIPAA) is the set of laws and regulations in the United States for the health care industry. It is composed of many parts, or titles; the title that applies to IT security is Title II, Administrative Simplification Rules. This section covers HIPAA IT and compliance requirements to ensure the privacy and security of health information. Whether the information is in electronic, written, or oral form, the protection rules cover the data when it is sent, received, handled, in use, and stored.
Whether the health care organization is a full-service hospital or a small family clinic, the HIPAA rules apply to all employees, contractors and partners that process health information. The challenge is that not everyone in the organization is an IT security expert, yet HIPAA's intention is that all people know and abide by the regulations.
How do you train for that? How do you keep the employees up to date on changes to the regulations, threats and business processes that are aligned to HIPAA? In the world of security, training and awareness are vital to a successful and efficient program, no matter the regulations or policies that are in place.
HIPAA training can be broken out into two main areas of focus that align with the HIPAA regulations themselves. Those are the Privacy Rule and the Security Rule.
HIPAA requires that employees at every level within the organization, as well as business associates, receive HIPAA training. A well-trained and educated workforce improves the response to a security incident or breach: staff are better placed to prevent it, report it, and limit the damage.
Below are high-level topic areas under each training section. These are not absolute and you can go as deep as you want, but there is a balance between keeping employees aware and overloading them with forgettable techie lingo.
HIPAA Privacy Rule Training
- What is Protected Health Information (PHI)? How to identify it? Who within the organization can access it?
- PHI disclosure: When? How? Who can disclose it?
- What is CIA (Confidentiality, Integrity and Availability) and how does it pertain to PHI?
- What are the patient’s rights?
- What is a Business Associate? What is a Business Associate Agreement (BAA)? What are the Business Associate’s obligations?
- What happens when the rule(s) are violated?
HIPAA Security Rule Training
- Threat awareness. Dangers of password sharing, risks of social networks, leisure websites, email use, mobile devices, etc.
- Threat protection. Use of encryption, multi-factor tokens, endpoint security, intrusion detection, anti-virus scanning, vulnerability management, etc.
- Information security policies, standards and guidelines.
- Security updates.
- Audits, assessments and governance programs.
- Consequences and corrective actions for security rule violations.
- How to report a security incident. Steps to take when an incident occurs.
Information security is not optional; it is critical and vital to an organization's sustainability. Unfortunately, security practices still lag behind where they should be, especially in the health care industry, and opening the news shows this every day as new breaches are reported.
The HIPAA Privacy and Security Rules are in place to provide a roadmap for organizations to make their environments more secure, but HIPAA is data-centric, and other practices need to be in place as well. Regardless of your policies and technology, everyone that touches PHI data, not just the IT and security teams, needs to be aware of all the rules and regulations that blanket their work.
As I always tell my clients after a training session:
“I don’t expect you to master this, just be aware. Because hesitating and asking a question is far better than clicking on something and being wrong.”
– Binary Blogger
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.