HIPAA Compliance Training: Empowering Healthcare Staff with Cybersecurity Awareness

Addressing the human factor in healthcare cybersecurity, this post explores the importance of ongoing training and education for healthcare personnel to mitigate risks and uphold HIPAA compliance standards. It aims to spark thoughts on ways to improve the effectiveness of current procedures, create new ones, and protect your patients’ privacy.

The technology world has no shortage of vendors and experts that work tirelessly to strengthen compliance in processes and products. Hornetsecurity’s 365 Permissions Manager product serves as a powerful example. However, we must always remember one standout word in the HIPAA acronym: “Accountability”. This applies to people, not technology.

Technological HIPAA solutions can work wonders for the “Portability” bit of the acronym. They also facilitate the vital “privacy” component of the law. Software can prevent unauthorized users from viewing sensitive information. A program can require all its communications to use encrypted channels. Unfortunately, nothing can prevent all accidental, negligent, or malicious activity.

The previous paragraph deliberately sorted “malicious” after “accidental” and “negligent”. Attackers draw everyone’s attention with mass havoc, but smaller HIPAA leaks with no ill intent occur almost constantly. As a patient leaves the building, a receptionist may exclaim, “I hope that rash clears up quickly, Susan!” loudly enough for everyone in the waiting room to hear. A provider might leave their appointment calendar open on a screen within a patient’s line of sight. A harried office worker might place a printed document with protected information where anyone standing at the front desk can view it. A group of doctors might discuss an interesting patient case using the patient’s name – in a crowded restaurant. You have no doubt witnessed multiple HIPAA violations that went unnoticed and unaddressed.

Technology will never stop those small leaks. It also can’t help when someone triggers HIPAA’s “Accountability” provisions. To ward that off, healthcare organizations must focus on staff training.

The following criteria were used to score the Olympic federations and committees, and build our rankings:

• Has Email Security Gateway: Having an email security gateway is crucial because it acts as a barrier against various email-borne threats such as impersonation attempt, phishing, malware, etc… and can ensure the continuity of email services.
• Has SPF record: An SPF record is important because it helps prevent email spoofing and protects against phishing attacks by specifying which mail servers are authorized to send emails on behalf of a domain.
• SPF record is good: Here, we’re considering SPF records effectiveness, for instance whether they are configured with a “softfail” option, which is weak.
• Has DMARC record: DMARC is crucial for preventing email spoofing and phishing by authenticating emails and specifying how to handle those that fail authentication, ensuring only legitimate emails reach recipients.
• DMARC record is good: We consider DMARC records to be good when they receive a positive mark on a scan, such as from https://tools.sendmarc.com/.
• Immune to bypass: Email security bypass is an old trick, but it is still working these days. This means that an organization has not restricted access to their email server, and as such, an attack can completely bypass their email security solution and directly reach their email server.  A recent paper on the topic: https://sumanthvrao.github.io/papers/rao-www-2024.pdf

Using the above criteria we created a very simple grading system. We built two different scales,  one for countries which had an email security gateway, one for those who did not, and attributed different weightings of the scoring criteria depending on our assessment of the respective contribution to email security.

Your People Mean Well

Many HIPAA violations happen simply because people don’t associate their actions with privacy breaches. People are helpful and trusting. It seems logical to expect that the average person that chose a career in healthcare has an even more helpful and trusting personality than the average person in another line of work. They know their patients and feel comfortable with them; why would they worry about that open file? A good provider would never dream of exploiting personal health information for their own gain; why would they suspect any regular person of it? To get the best help for a patient, a doctor might need the counsel of other doctors; why would anyone eavesdrop? The office won’t flow well if nurses don’t deliver information as quickly as possible; who would ever take advantage of an uncovered paper document? The idea of attackers as shady looking characters has pervaded the public consciousness to the point that few of us see threats in people that look “normal”. That’s especially true when those people are also our customers and patients.

Your People Have a LOT to Do

We must also remember that healthcare workers are busy people. Regulations and training place an additional burden on them. No one wants to take the extra moment to cover or uncover a document when they have dozens or more to handle along with all their other high priority duties. Insisting otherwise or trying to shame people into changing their behavior doesn’t help.

HIPAA Compliance Sounds Complicated

The overwork problem goes beyond daily activity. Healthcare workers also deal with substantial requirements for periodic credential renewals. Adding in HIPAA training can feel like another time-consuming annoyance of buzzword-filled box-checking busywork. Acronyms and the word “compliance” only make it all worse.

Viewers and readers struggle to absorb material that does not capture interest, content that does not make things easier, and activities that they do not feel use their time in a valuable way. HIPAA training that does not take this into account will have little effect on preventing breaches.

Account for Human Nature in Training Material

You cannot build an effective HIPAA training program that does not take these factors into account. Acknowledge that people frequently do not understand that a particular action qualifies as a HIPAA violation. Realize that the attitude of “I’m too busy, it will be OK just this once,” infects everyone.

Fundamentally, you can make the most improvements to training procedures by understanding the barriers to learning. The preceding sections looked at those, and you likely have ideas of your own. Next, you must face the challenge of implementation. The following subsections outline a few suggestions to augment your plans.

I believe that “Keep It Short and Simple” has become the modern, inoffensive expansion of the age-old “KISS” principle. Whatever words you prefer, the basic meaning holds. You know that people don’t want to sit in training. You know that they don’t like acronyms and buzzwords. Prepare accordingly. Avoid long-winded explanations. Don’t show blocks of legal text.

You might develop some sort of short saying, such as “Protect Patient Data the Way You Protect Patient Lives.” Of course, people often react to pithy mantras with eye rolls and exasperated sighs, but they still remember them. If the knowledge sticks, the training worked.

Instead of trying to “teach HIPAA compliance”, envision what you want people to understand and embody, and explain that. A few examples (some restatements of the same ideas):

• No one other than the patient and their care team should know anything about the patient
• The patient’s business is nobody else’s business
• No release form, no information
• What happens in the exam room stays in the exam room
• The bad guys are always listening

Remember to address this topic from the angle that healthcare workers want to help.

Healthcare workers work in healthcare, not the law. Don’t dazzle them with legalese. They do need to know the basics of what HIPAA means. They must also understand common acronyms, like PHI (personal health information). When you introduce such terms, immediately link them to something that anyone can understand.

• For HIPAA, you might include a statement along the lines of, “if we lose control of patient information, we lose patient trust”.
• With PHI, you can include something like, “Jill does not want everyone in town knowing that she was treated for hemorrhoids”.

While you have a legal obligation to obey HIPAA, it happens to align with most people’s morality about private information.

Corporate and professional training does not need to follow sterilized tradition. Elements that perk up the presentation help to grab and maintain interest. You don’t need Hollywood-grade production value to make an impact.

However, if you have access to product design resources, use them. You might have talented individuals in your marketing department that can help. Numerous online and college courses exist to help with modern business communication. You can use these tools for much more than a HIPAA class.

Two things help: humor and shock. Both require awareness and finesse (drab corporate presentations arose from failure to employ these intelligently and respectfully). Humor can involve a mascot figure delivering your sayings. Shock can come from examples of HIPAA fines and violations. Since not everyone understands that a seemingly innocuous activity could lead to a breach, you should have little trouble finding ample material. Again, lean on internal and external resources with experience for help.

Your technological toolbelt contains more than prepackaged, purpose-built applications. You likely have control over the lock screens and screensavers of office systems. You might also have overhead monitors for information presentation. Use these to rotate in HIPAA reminders. A few examples:

• The first rule of PHI is that we do not talk about PHI.
• Your patient can’t see this, can they?
• Has anyone other than you seen your calendar?
• Did you remember to turn that document face down?
• Who overhead that diagnosis?

Many offices have routine internal communications, such as newsletters. Use all delivery methods at your disposal to disseminate small reminders.

Because compliance depends so greatly on moment-to-moment behavior, it may require a shift in “normal” behavior. Changing that requires more than an hour in a training room. Small, frequent, pervasive reminders help. Recruiting informal “HIPAA Ambassadors” to model behavior works in some environments. Periodic recognition for activities such as avoiding or correcting HIPAA violations create positive incentive. Avoid responses that shame as they typically cause more resentment and rebellion than positive change.

You can leverage the “Accountability” component with most people. Legally, it primarily means that violations can result in fines. However, the word also means that healthcare workers have a duty to patients to keep personal health information private. This gives a “shared and individual responsibility” aspect that resonates with most people.

Throughout all your HIPAA training and culture modification efforts, remember that the “bad guys” are real. If patient information wasn’t valuable, no one would be trying to steal it. You want staff to remember that they can’t recognize an information thief through everyday interactions. This hearkens back to things already discussed, such as reminders of, “No release form, no information.” The knowledge that someone out there might have nefarious reasons to ask too many questions or listen a bit too closely can put enough of an edge on those reminders to help staff retain them.

Therefore, it’s time to take it seriously, as your organization could face a situation similar to that of Change Healthcare.

Like humor and shock, this topic needs mindful presentation. You do not want to build an environment of constant fear and mutual distrust. Most people in a healthcare setting want to help others get better or receive treatment.

As the proverb goes: “Familiarity breeds contempt.” Repeatedly presenting the same material, no matter how well made, will eventually cause staff to stop taking it seriously. Don’t create a bit of material and consider the task finished. Start with something simple. Refine it continually. Reword phrases. Replace sayings for a time and reintroduce them later.

If you can build a solid HIPAA-compliant culture, this becomes somewhat less important. People will always need reminders and refreshers, of course.

While we all wish for a single, magical HIPAA training course that we can deliver once to everyone and they retain forever, that will not happen. Accept that you will need to create and maintain material that keeps up with people in a way that they can understand.

Most importantly, remember that effective HIPAA training depends on simple and relatable presentation. Appeal to what your healthcare employees do best: care for the patient.

365 Permission Manager is a powerful tool that can streamline HIPAA compliance and make it easier for healthcare organizations to manage permissions and protect patient data. It offers automated permission management with simplified access control, ensuring only authorized personnel can view patient data, thereby reducing the risk of unauthorized access. Furthermore, regular audits keep permissions updated for ongoing HIPAA compliance. 365 Permission Manager’s intuitive dashboard makes it easy for staff to manage access levels, while real-time alerts notify administrators of unusual access attempts.

Enhanced security features protect patient data, preventing data breaches and ensuring confidentiality, in line with the principle, “Protect Patient Data the Way You Protect Patient Lives.”