Are your employees exposed to ongoing HIPAA Security Training?
In December we found out about an employee who stole a hard drive with 10 years’ worth of medical records and sold it online. You can read more about it here. The information was clearly stolen to commit identity theft. If you think that can’t happen to you, you are dead wrong – employee theft of patient information is one of the leading causes of HIPAA breaches. Employees can be tempted to misappropriate medical records for many reasons – financial gain, snooping on a friend or neighbor, or just plain boredom and curiosity. Whatever the reason, it is never acceptable and should not happen, but sometimes it will.
Given that this is the world we live in, what are the implications of this for any HIPAA covered organization?
Plenty. Let’s suppose that an employee steals medical records and sells them on the black market (see above). If management has not provided proper oversight, the organization can be held liable. This is a rathole that no one wants to go down. Are you 100% sure that none of your employees will ever commit a HIPAA breach? Either intentionally or unintentionally? Of course not, because you can never be 100% sure. Even if your organization does not have an employee breach, lack of training could be flagged in an audit or an investigation. The bottom line is that you need to make sure that your staff is trained and aware of the consequences of causing a HIPAA violation or breach.
The best course of action is to provide meaningful and impactful HIPAA Security training. In fact, this is a HIPAA requirement.
STANDARD § 164.308(a)(5) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
We provide HIPAA Privacy and Security training for your employees. It is easy to implement, and provides you the documentary proof you need to show any auditor or investigator that you are properly discharging your responsibility to train your employees.
It should be mentioned that many data breaches are caused by the unintentional acts of employees. By now you are familiar with all the ransomware incidents that are occurring. Many of these ransomware issues are caused by an employee unwittingly clicking on a link in an email. Before you know it, your whole IT network can be down (yes, this really does happen and more than you think). Our Security Training provides in-depth, practical advice and testing on ransomware, phishing, password protection and many other basic IT security skills that your employees need to know in order to prevent unwanted cybersecurity issues within your organization.
Our training is online and is available 24 hours per day. Training usually takes about an hour to complete. Our training is designed to be engaging and easy to understand. Your staff can start a training session, stop and later resume the session from where they left off. They can take the training during work hours or complete the training at home after hours.
Once your staff has completed the online training, they will take a short 20 question online quiz to demonstrate their knowledge of HIPAA. If they receive a score of 80% or higher, they will receive a certificate with their name that acknowledges that they have successfully completed the HIPAA Security Training. If they do not receive an 80% score on the quiz they can retake it as many times as they need to.
The platform is updated annually. The training features extensive use of multimedia, graphics and animation to make the training engaging and fun. The 2018 format is centered around Case Studies and Lessons Learned showcasing how other people became a cybercrime victim and steps to avoid a similar fate.
The Case Studies include topics such as:
- Patty the Practice Manager falls for a phishing scam that costs her company $100,000 and costs Patty her job
- Sally the Salesperson learns a painful lesson on the dangers of password reuse across multiple websites
- Barbara the Biller goes around company policy and copies customer data onto a laptop and takes it home with her. The laptop is stolen from her car and the result is a large data breach
- Charlie the Counselor’s poor choices on social media lead to a patient complaint and an OCR investigation
Do my employees have to take training every year?
Yes, your employees should take yearly training.
When should my employees take training?
It’s up to you when your employees take the training; it can be any time during the year.
How do I know if my employees have taken training?
With our system, all managers have access to a training report that shows each employee that has taken training and his/her test score.
Do physicians have to take training?
What if I hire someone after my staff has completed training?
You should have all new hires take training as part of your employee onboarding process. It is advised that you do not let someone start working until they have completed training.
What do I need to do to get going on training this year?
Just send an email to your staff instructing them to log in to the portal and take the training. If you need assistance, please contact us (see below).
What types of training do you offer?
We provide both HIPAA Privacy and Security Training. All Covered Entities should take both training classes. In general, Business Associates only need to take HIPAA Security Training, but Privacy Training is available upon request.
What if I have questions about training or don’t know how to get my employees going on it?
Easy. Just contact us. We will be happy to help you out. Send an email to firstname.lastname@example.org