HIPAA and Privacy Act Training
Oct 24

When a federal agency provides healthcare services, there may be circumstances in which employees need to undergo both HIPAA and Privacy Act training. In addition, as an increasing number of states enact their own privacy laws, there may also be occasions when employees of state agencies require HIPAA and Privacy Act training. The Privacy Act of 1974 governs the collection, use, storage, and sharing of personally identifiable information maintained by federal agencies. Under the Act, U.S. citizens have the right to request a copy of any data held about them and to request that any errors be corrected; federal agencies must only collect data “relevant and necessary” to accomplish the purpose for which it is being collected; and sharing data between agencies is restricted and allowed only under certain conditions. People acquainted with the Health Insurance Portability and Accountability Act will find these privacy provisions familiar, as they closely resemble Patients' Rights under HIPAA, the Minimum Necessary Standard, and Business Associate Agreements. Indeed, there are many...

HIPAA Training for Employees
Oct 24

The regulations relating to HIPAA training for employees are deliberately flexible because of the different functions Covered Entities perform, the different roles of employees, and the different levels of access employees have to Protected Health Information (PHI). This flexibility can create misunderstandings about which employees require training, what training should be provided, how training should be provided, and when training should be provided. This blog aims to clarify the regulations relating to employee training.

Which Employees Require HIPAA Training?

The first issue to resolve is straightforward. Both the HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308) stipulate that training should be provided to all members of the workforce. That means not only employees, but also agency staff, consultants, and contractors, regardless of their level of interaction with PHI – even if they have no contact with PHI at all. However, whereas the HIPAA Security Rule applies to Covered Entities and Business Associates, the HIPAA Privacy Rule only...

Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training
Oct 5

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) are required to provide security awareness training to the workforce, but a new report suggests training is lacking at many HIPAA-regulated entities. The security awareness training and phishing simulation platform provider KnowBe4 commissioned Osterman Research to conduct a survey of 1,000 U.S. employees to determine their level of knowledge about security threats and how much training they had been given. The findings of the survey were published in the KnowBe4 2021 State of Privacy and Security Awareness Report. The survey revealed that employees are generally confident about password best practices but lack confidence in other areas of cybersecurity, such as identifying social engineering attacks. Only a minority understood threats such as phishing, even though phishing is one of the most common ways that hackers gain access to business networks and corporate data. Worryingly, less than half of respondents believed clicking a link in an email or opening an attachment could result in their mobile...

Compliance Training for Medical Staff
May 27

Because of the many different roles in the healthcare industry, there is no one-size-fits-all compliance training for medical staff. Furthermore, the nature of healthcare compliance training modules can vary according to location, specialty, or responsibility. Nonetheless, it is a legal requirement that all medical staff undergo HIPAA compliance training. If a Covered Entity is located in Texas, the privacy and data security training provided for medical staff will differ considerably from the training provided for medical staff located in New York. This is due to the Texas Medical Record Privacy Act (and subsequent amendments in Texas HB 300), which has tougher privacy protections for health data than HIPAA. Similarly, if a medical professional works in an area of healthcare in which they are likely to be exposed to HIV, HBV, or HCV, their compliance training will include compliance with the OSHA Bloodborne Pathogens Standard, while a person with responsibility for health and safety on a general ward should be trained on OSHA's Incident Reporting procedures. Despite...

What is Texas HB 300?
Apr 3

What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This article answers these and other important questions about Texas HB 300.

What is Texas HB 300?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they must also comply with state laws. Texas has some of the most stringent laws in the United States as far as health data is concerned, and these are detailed in the Texas Health and Safety Code. In June 2011, Texas HB 300 was passed by the Texas legislature. HB 300 amended four areas of Texas legislation: the Texas Health and Safety Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602), and introduced tougher privacy protections for health data than HIPAA.

Who is Required to Comply with Texas HB 300?

Compliance with Texas HB 300 is...

How Often is HIPAA Training Required?
Mar 20

HIPAA-covered entities and their business associates must ensure that all members of the workforce who encounter protected health information (PHI) in any of its forms are provided with training, but how often is HIPAA training required, and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training?

What Does HIPAA Say About Employee Training?

Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The HIPAA Security Rule training standard states: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).” The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to...

How Often Do You Need HIPAA Training?
Mar 19

The question of how often you need HIPAA training does not have a definitive answer, because the HIPAA training requirements are deliberately flexible in order to adapt to different types of Covered Entities and Business Associates and the functions they perform. However, the failure to provide adequate HIPAA training can have serious consequences.

OCR is Cracking Down on Noncompliance!

It can be difficult to fit training into busy workflows; but if adequate training is not provided, Covered Entities and Business Associates can be fined for non-compliance with HIPAA – even if there is no unauthorized use or disclosure of Protected Health Information. This is because HIPAA training is a requirement of both the HIPAA Privacy and Security Rules. The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance. In 2020, the number of investigations conducted by OCR increased by 18%, nineteen financial penalties were imposed, and 1,357 organizations were required to take corrective action to resolve non-compliance issues following patient complaints,...

Is HIPAA Training Required Annually?
Mar 12

The frequency of HIPAA training sessions needed to comply with the HIPAA Privacy Rule is a source of confusion, with many healthcare providers interpreting the HIPAA text to mean HIPAA training is required annually, even though annual training sessions are not explicitly stated as a requirement anywhere in the HIPAA text. Similarly, the frequency of security awareness training is not stated, other than HIPAA requiring ‘periodic’ retraining. To help ensure you get your HIPAA training right, we have listed below some best practices that will ensure you do not fall afoul of regulators and attract a fine for noncompliance.

Is HIPAA Training Required Annually?

The HIPAA text does not provide a deadline for providing training and incorporates flexibility to make it easier for healthcare organizations to fit training into busy workflows. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the...
