Training: Your Practice's HIPAA Compliance Program | MicroMD
Jun 06

Training is an Important Part of Your HIPAA Compliance Program

Health Insurance Portability and Accountability Act (HIPAA) privacy regulations direct your medical practice to protect your patients’ Protected Health Information (“PHI”).  HIPAA security regulations require that PHI in electronic form (“ePHI”) be securely stored and processed by your medical practice.

PHI is health information that identifies an individual and is created, used or disclosed by your medical practice. PHI and ePHI are key components in modern medical practices.  They are used to treat patients, create and use medical records, obtain payment for treatment and in numerous other aspects of the operations of the medical practice.  Simply put, a medical practice could not exist without PHI or ePHI.

Medical practices should implement a HIPAA compliance plan covering at least all of the following basic requirements:

  • Training;
  • Assessments (Security and Privacy);
  • Policies and Procedures (and other written documentation); and
  • Regular compliance plan reviews.

HIPAA Training Requirements

Training — the first element of a HIPAA compliance program — is required by the HIPAA privacy[1] and security regulations.[2]

HIPAA Privacy Rule

The HIPAA privacy regulations require privacy training for all members of your work force,[3] as necessary and appropriate for them to perform their jobs within your medical practice. The training should at least cover the privacy policies and procedures that have been prepared to support your practice’s HIPAA compliance program. Our Medical Guardian product contains over 40 policies and procedures and 42 compliance tools and forms, so there are plenty of training topics to choose from. Some of these may include:

  • Notice of Privacy Practices
  • Patient rights and how to protect them
  • Permitted Uses and Disclosures (not requiring a patient authorization)
  • Uses and Disclosures that do require an authorization (and authorization content and procedures for obtaining one)
  • Sanctions
  • Prohibition of retaliatory acts against workforce members

The Privacy Rule requires medical practices to implement appropriate administrative, technical, and physical safeguards to protect PHI. The security measures your practice uses to protect PHI are good training topics in their own right, in addition to the security safeguards itemized in the Security Rule to protect ePHI.

Security Rule

The Security Rule requires medical practices to implement a security awareness and training program for all work force members, including management personnel. The security topics include:

  • How users can guard themselves from malware (including ransomware), including detection and reporting;
  • Procedures for monitoring log-in attempts and reporting discrepancies;
  • Password management;
  • Periodic reminders on security best practices; and
  • All other security practices to protect PHI (as described above).

Malware training includes methods for telling the difference between a legitimate email and a fake “phishing” email used to deliver malware. Also included in malware training are the procedures to be followed in the practice to properly report email phishing and possible malware attacks.

The medical practice will also train employees on monitoring computer log-in attempts and how to report discrepancies.

Password management training covers best practices and procedures for creating, changing, and safeguarding passwords.

Periodic reminders are short training programs or notices to raise security awareness. They can be delivered as periodic updates during office meetings, on the startup page of workstations, in regular updates in a blog, or in a posting in the office kitchen.

Violations and Enforcement Actions

Medical practices that do not provide training will be in violation of HIPAA. This may subject the medical practice to fines and resolution agreements (which may require annual government audits for 3 years). Please see last quarter’s eNote for a complete discussion of HIPAA enforcement.

[1] 45 C.F.R. §164.530(b)(1) (Privacy).
[2] 45 C.F.R. §164.308(a)(5) (Security).
[3] The HIPAA definition of “workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. 45 C.F.R. §160.103.

Call today for a conversation with a real information/cyber security professional about the needs of your practice.
