Auditor Tips: HIPAA Training Best Practices

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.

“By holding staff accountable, you can protect your patients and organization more effectively.”

Workforce members are not usually security and privacy experts. Most HIPAA breaches are caused by user errors in healthcare workforce members. Although most healthcare workforce members aren’t malicious, they often either forget security best practices, don’t know exactly what they’re required to do in a certain scenario, or make mistakes that stem from their natural desire to help others.

Unfortunately, it is common for hackers to take advantage of human error to gain access to sensitive data. For example, PHI records are easily stolen in dumpster dives if workforce members do not take the time to destroy PHI records first. Removable devices are easily stolen if they are not kept track of or stored in secured areas. Networks can be hacked if workforce members choose easy-to-guess passwords.

Workforce members need to be given specific rules and regular training to know how to protect PHI. Regular training will remind them of the importance of security and keep them up to date with current security policies and practices.

Here are some tips to help get employees prepared:

• ‍Set monthly training meetings: Focus each month on a different aspect of data security, such as passwords, social engineering, and mobile device security.‍
• Give frequent reminders: Security reminders can be sent out in an email, newsletter, during meetings, and/or HIPAA security webinars that include tips for employees.‍
• Train employees on policies ASAP: Newly hired employees should be trained on security and HIPAA policies as quickly as possible, as well as annually.‍
• Make training materials easily available: Online training is a great way to provide easy access to training and policy information for all workforce members.‍
• Leverage technology: Whenever possible, technical security controls should be put in place to provide a safety net in case training fails.‍
• Document training: It is important to provide records of training in the case of an audit or breach. Have workforce members sign acknowledgments as training is completed.
• Regularly test employees: Create an environment where employees aren’t afraid to report suspicious behavior.‍
• Create incentives: Reward your employees for being proactive in HIPAA compliance.