Confidentiality, Privacy and Security

HIPAA related training - 3 areas on your list

  • 1.  HIPAA related training - 3 areas on your list

    Posted 11 days ago
    I'm interested to hear what people have to share about the following given that HIPAA does not require training to be done on a recurring basis such as annually...but certainly organizations often include it in their annual training schedules.

What are three areas within HIPAA that you include or would like to see included in whatever scheduled training your organization has for HIPAA, particularly as it relates to your department?

    For example, in no particular order:
    1. Awareness on how to identify and what to do when a suspicious email is received (Ex. Phishing)
    2. Sending PHI encrypted or unencrypted and when each type of sending is allowed
    3. Who and how to report issues (Privacy Security Officer, Chain of Command, hotline) that people become aware of.




    Posted: Sunday

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------


  • 2.  RE: HIPAA related training - 3 areas on your list

    Posted 11 days ago
Gosh, it's been a while since I've been on; I always appreciate these forums.

    I'd prefer at least a top ten list!  ;)

    The three big buckets, IMO, are
    1) preventing misdirection (documents- handoff/mailing, emails, faxes)
    2) correct use of identifiers (ensure accurate registration & insurance/working in the correct chart) and
    3) security (phishing/encrypt emails, computer hygiene- Lock/log off/no sharing of passwords)

    Be Well Everyone!

    ------------------------------
    Julie Bennett
    Privacy Compliance Analyst
    ------------------------------



  • 3.  RE: HIPAA related training - 3 areas on your list

    Posted 11 days ago
    Thanks so much for kicking this off...those are 3 impressive buckets!



    Posted: Sunday

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 4.  RE: HIPAA related training - 3 areas on your list

    Posted 10 days ago
    Hi Julie,

    I feel like a "Top 10" is warranted, as well!  :)

Actually, if you (or others) are looking for a great online training/awareness resource that has some video-based, freely-available material for ten HIPAA-related / overall privacy and security concerns (focusing on cyber-issues, doesn't address issues like patient identification), then one of the best I've seen is Health-ISAC's online Health Industry Cybersecurity Practices video training collection.  (Their guidance is more for smaller/mid-sized organizations that don't have entire teams dedicated to these functions -- but it's also good for IT professionals who are new to the healthcare industry and might need healthcare-specific guidance.)

    https://h-isac.org/health-industry-cybersecurity-practices/
    #1 – Intro & Email Protection Systems
    #2 – Endpoint Protection Systems
    #3 – Access Management
    #4 – Data Protection & Loss Prevention
    #5 – Asset Management
    #6 – Network Management
    #7 – Vulnerability Management
    #8 – Incident Response
    #9 – Medical Device Security
    #10 - Cybersecurity Policies

Even though all this isn't required specifically by HIPAA, I think it has become "necessary" 'in-the-real-world' for organizations to go above-and-beyond the minimum requirements of HIPAA, which is also likely why many organizations do more comprehensive training annually.  Not only is reinforcement really needed and beneficial, especially with staff turnover, but also now that EHRs and other areas of HIM/HIT (APIs & other entities / third-party business associates which do business online) have proliferated, this has increased the threat exposures that healthcare organizations face.  I have frequently seen organizations bundle their HIPAA, OSHA, and general cybersecurity training materials into annual modules for ease of tracking and ease of documenting their compliance efforts for potential audits (and for better employee adherence).  Some of their training modules are for those dedicated to this work while some of the other modules are appropriate for all HCWs.

    There's also a great companion PDF available from H-ISAC, which incorporates recommendations made by divisions of the U.S. Department of Health & Human Services (HHS), the Office for Civil Rights (OCR), the Food and Drug Administration (FDA), the Office of the Assistant Secretary for Preparedness and Response (ASPR), the Office of the Chief Information Officer (OCIO), the Centers for Medicare and Medicaid Services (CMS), and the Office of the National Coordinator for Health Information Technology (ONC), as well as guidelines and leading practices from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS).

    It can be found here --> https://h-isac.org/wp-content/uploads/2019/09/405-vol1-508.pdf

With all of the recent ransomware and other types of malware cyberattacks against healthcare increasing, organizations are really stepping up their business practices to respond, which is good to see.

    ------------------------------
    A. Andrews Dean, CPHIMS, CHPS, CHDA, CPHI, CPPM, CPC
    Health IT Regulatory Affairs & Healthcare Compliance Consultant
    ------------------------------



  • 5.  RE: HIPAA related training - 3 areas on your list

    Posted 10 days ago
My goals for 2021 will be:
    Awareness training for suspicious e-mail, as we are only as safe as our weakest e-mail user.
    Sending and receiving encrypted PHI
    Reminding staff about cell phone use and photographs in the facility.

    ------------------------------
    Esta Farmer
    Director Health Information Management
    ------------------------------