
HIPAA Security Awareness Training

March 1, 2024

HIPAA security awareness training gives employees an understanding of policies and procedures for preserving patient privacy.

Training employees about patient privacy is mandatory for entities handling protected health information (PHI) and their business associates.

In this guide, we’ll explain who HIPAA security awareness training applies to, what it entails, and why training alone isn’t enough to keep patient data safe. 

What Is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, is a federal US law. It sets a series of standards that any organization handling people’s health data must have in place.

HIPAA was designed to protect health information and prevent it from being disclosed to third parties without authorization.

What Is HIPAA Security Awareness Training?

All healthcare providers, health plans, and clearinghouses dealing with patient data (“covered entities”) and their business associates must provide their workforce with a HIPAA-compliant security awareness training program.

The training involved depends on the role of the organization. In the case of covered entities, both HIPAA’s Privacy Rule training standard and the Security Rule training standard apply. Meanwhile, business associates of covered entities are only bound by the Security Rule training standard.

The Privacy Rule training standard requires employees with access to PHI to receive regular training in their organization’s data handling policies and procedures. 

The Security Rule, more broadly, requires implementing a security awareness and training program. 

There are no particular guidelines related to the length of HIPAA security awareness training, meaning organizations have some flexibility in how it is administered.

Organizations can face significant financial penalties for HIPAA violations. The severity of the penalty is generally based on the nature of complaints levied against the organization. A complaint is not required, however: if the HHS’s Office for Civil Rights (OCR) audits the training program and finds noncompliance, a fine can be imposed on that basis alone.

HIPAA Privacy Rule training requirements

According to HIPAA’s Privacy Rule training requirements, covered entities must provide training to their workforce on the security policies and procedures for handling patient medical data and reporting breaches.

New employees must receive their initial privacy training “within a reasonable period of time” to avoid being out of compliance. 

Tenured employees must also receive training whenever their “functions are affected by a material change in policies and procedures” per HIPAA regulations. 

Additional training may be required “as necessary and appropriate” for proper compliance.


HIPAA Security Rule training requirements 

According to HIPAA’s Security Rule training standard, both covered entities and their business associates must implement a security awareness and training program for all members of their workforce.


Information security awareness and training programs are designed to give employees a better understanding of safety techniques when using computer networks, including how to spot phishing threats, avoid malware, and implement strong passwords. 

These training programs are essential for anyone who handles patient data, whether directly or indirectly. Once cybercriminals gain access to a network, they can potentially access any data within it.

Along with the basics of cybersecurity awareness, employee training should go over the entity’s HIPAA-compliant policies and procedures. These generally include additional physical, technical, and administrative safeguards.

There are no requirements as to the length or frequency of HIPAA training under the Security Rule.

HIPAA Awareness Training Modules 

There are no specific guidelines for what topics should be covered in HIPAA compliance training. Instead, the program should be developed following a risk assessment within each organization. 

The HIPAA Journal has a list of recommended modules divided into basic and advanced categories. 

Basic modules include:

  • HIPAA overview.
  • HIPAA patient rights.
  • HIPAA disclosure rules.

Advanced modules include:

  • Computer safety rules.
  • HIPAA and social media.
  • Recent HIPAA updates. 

The Importance of Phishing Training 

One particular module to pay attention to is phishing training. While it’s not mandatory under HIPAA security awareness training, the healthcare industry is particularly susceptible to social engineering attacks like business email compromise (BEC).

According to the Department of Health and Human Services, there were 4,419 reported breaches of medical data between October 1, 2009 and December 31, 2021. Of those breaches, 18% were caused by a phishing attempt or a hacked email account. 

Phishing attempts often lead to the most significant data breaches in healthcare, with 57% of respondents reporting as much in the 2021 HIMSS Healthcare Cybersecurity Survey. In 2023, the HHS’s Office for Civil Rights (OCR) imposed the first HIPAA penalty in a phishing attack investigation.

Phishing training should educate healthcare workers on how phishing attacks happen and highlight red flags to watch out for, like strange senders’ addresses, spelling and grammar mistakes, and a sense of urgency. Although phishing emails are particularly common, employees and other stakeholders need to be made aware that phishing can take other forms, including texts and social media messages. 

In addition to theoretical training, covered entities should also provide phishing tests and simulations, including ones tailored to particular employees or groups of employees (for example, phishing tests targeting the HR department).

Going Beyond Security Awareness Training 

Security awareness training is important for HIPAA compliance but doesn’t necessarily diminish the risk of cyber attacks and breaches. 

As Bec McKeown, founder and principal psychologist at Mind Science, put it:

“What people don’t realize is that psychologically there is no direct link between awareness and behavior change. Most people believe that if you make people aware, they will do something about it. That is not true.”

Not only does security awareness training fail to change bad habits on its own, but cybercriminals are also becoming more sophisticated, using the information they find about employees online to craft more convincing phishing emails and guess their passwords.

To quote Jeff Hancock, Harry and Norman Chandler Professor of Communication at Stanford University: 

“Attacks are becoming more sophisticated because there is so much information about ourselves online now.” 

It’s not just public social media profiles that put employees and other healthcare stakeholders at risk of personalized attacks. Data brokers – companies that compile information about individuals and then sell it to anyone who wants it – are another common source of information for cybercriminals. 

Data broker profiles include information like names, email addresses (corporate and personal), phone numbers, education history, employment history, family details, and more. Here’s an example: 

Data broker profile

Healthcare organizations can reduce the risk of these kinds of attacks by educating employees about their digital footprints and the need to shrink them as much as possible. Besides lowering an organization’s cyber risk, shrinking employees’ digital footprints can protect them against harassment, stalking, doxxing, and identity theft.

Train employees on safe social media usage and consider enrolling at-risk employee groups in a data broker removal service like DeleteMe.

Laura Martisiute is DeleteMe’s content marketing specialist. Her job is to help DeleteMe communicate vital privacy information to the people that need it. Since joining DeleteMe in 2020, Laura has done exactly that. Creating some of the internet’s most popular privacy content on DeleteMe’s blog, writing the leading privacy newsletter Incognito, and helping DeleteMe plan and craft its messaging across different channels, Laura drives DeleteMe’s content. Laura has a degree from University College Cork. You can contact Laura with questions and ideas at laura.martisiute@getabine.com
