HIPAA Compliance News

Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Peachstate Health Management, LLC, dba AEON Clinical Laboratories to result multiple violations of the HIPAA Security Rule.

Peachstate is a CLIA-certified laboratory that provides a range of services including clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR launched a compliance investigation on August 31, 2026 following a breach of unsecured protected health information reported by the U.S. Department of Veterans Affairs (VA) on January 7, 2015 involving its business associates, Authentidate Holding Corporation (AHC). The VA had contracted with AHC to manage the VA’s Telehealth Services Program. The aim of the OCR investigation was to assess whether the breach was the result of the failure to comply with the HIPAA Privacy and Security Rules.

During the course of the investigation, OCR learned that AHC had entered into a reverse merger with Peachstate on January 27, 2016 and had acquired Peachstate. OCR then conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. During that investigation OCR identified multiple potential violations of the HIPAA Security Rule.

Peachstate was discovered not to have conducted an accurate and thorough assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems containing or using ePHI, in violation of 45 C.F. R. § 164.312(b). Policies and procedures had not been implemented to record actions, activities, and assessments demanded by 45 C.F. R. § 164.312(b), which was in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case and pay a $25,000 penalty and will implement an extensive corrective action plan to address all areas of noncompliance identified by OCR during the course of the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

The post Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000 appeared first on HIPAA Journal.

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?

Posted by HIPAA Journal

There has been a lot of confusion about whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation, specifically in relation to employers asking their employees to provide proof of being vaccinated against COVID-19 to avoid wearing a face mask in the workplace.

The Health Insurance Portability and Accountability Act (HIPAA) includes provisions related to privacy and uses and disclosures of protected health information (PHI), which includes an individual’s vaccination status. The HIPAA Privacy Rule limits uses and disclosures of individuals’ PHI to those required for treatment, payment, or healthcare operations. Other uses and disclosures generally require consent to be provided by the individual in writing before their PHI can be used or disclosed. So how does HIPAA relate to requests for proof of vaccine status?

HIPAA and Proof of Vaccine Status

Vaccination information is classed as PHI and is covered by the HIPAA Rules; however, HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. If an employer asks an employee to provide proof that they have been vaccinated in order to allow that individual to work without wearing a facemask, that is not a HIPAA violation as HIPAA does not apply to employers.

It would also not be a HIPAA violation for an employer to ask an employee’s healthcare provider for proof of vaccination. It would however be a HIPAA violation for the employee’s healthcare provider to disclose that information to their employer, unless the individual had provided authorization to do so.

Just as an employer can require all employees to wear a uniform in the workplace, an employer can have a policy that requires employees to wear a facemask during a pandemic to protect other members of the workforce and to refuse entry to the workplace if a mask is not worn.

Asking about vaccine status would not violate HIPAA but it is possible that other laws could be violated. For instance, requiring employees to disclose additional health information such as the reason why they are not vaccinated could potentially violate federal laws in some instances, although this would not be a HIPAA violation. It is also possible for states to introduce laws that prohibit employers from asking employees about their vaccine status.

On May 18, 2021, Rep. Marjorie Taylor Greene, (R-Ga) was asked by reporters whether she had been vaccinated, as she had refused to wear a mask on the House floor. In breach of House rules, several GOP members had refused to wear a mask, even though they had not been vaccinated. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct as reporters are not covered by HIPAA.

Disclosure of an Individual’s Vaccine Status by a Healthcare Provider

Healthcare providers can ask if a patient has been vaccinated as asking the question in no way violates HIPAA. It would be permitted for the healthcare provider to share vaccine status information with another covered entity or business associate, provided the disclosure was permitted under the HIPAA Privacy Rule – for treatment, payment, or healthcare operations – or if authorized to do so by a patient.

Authorizations would not be required when sharing vaccine status information for “public health activities.” For instance, a disclosure would be permitted to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events,” and also for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”

The post Is it a HIPAA Violation to Ask for Proof of Vaccine Status? appeared first on HIPAA Journal.

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Posted by HIPAA Journal

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule.

There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks.

Another area of concern relates to personal health applications (PHA). The HHS has defined PHAs, but many groups and organizations have voiced concern about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. PHAs fall outside the scope of HIPAA, so any PHI that a covered entity sends to a PHA at the request of a patient could result in a patient’s PHI being used in ways not intended by the patient. A patient’s PHI could also easily be accessed and used by third parties.

PHAs may not have robust privacy and security controls since compliance with the HIPAA Security Rule would not be required. There is no requirement for covered entities to enter into business associate agreements with PHA vendors, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.

“Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” suggested the American Hospital Association in its feedback to the HHS.

The College of Healthcare Information Management Executives (CHIME) has voiced concerns about the proposal for covered entities to require PHAs to register before providing patient data, and how covered entities would be required to respond when a patient requested their health information to be sent to a PHA that does not have appropriate privacy and security protections. For instance, if a patient requested their PHI be sent to a PHA developed by nation state actor, whether providers would still be required to send PHI at the request of a patient. Concern has also been raised about the growing number of platforms that exchange PHI that fall outside the scope of HIPAA.

One of the proposed changes relates to improving patients’ access to their health data and shortening the time to provide that information from 30 to 15 days. The Association for Behavioral Health and Wellness (ABHW) and CHIME have both voiced concerns about the shortening of the timeframe for honoring patient requests for their healthcare data, as this will place a further administrative burden on healthcare providers, especially during the pandemic. CHIME said it may not be possible to provide PHI within this shortened time frame and doing so may well add costs to the healthcare system. CHIME has requested the HHS document when exceptions are allowed, such as in cases of legal disputes and custody cases. ABHW believes the time frame should not be changed and should remain as 30 days.

It is likely that if the final rule is issued this year, it will be necessary for organizations to ensure compliance during the pandemic, which could prove to be extremely challenging. ABHW has recommended delaying the proposed rule for an additional year to ease the burden on covered entities. CHIME has suggested the HHS should not issue a final rule based on the feedback received, but instead reissue the questions raised in the proposed rule as a request for information and to host a listening session to obtain more granular feedback and then enter into a dialogue about the proposed changes.

The post Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes appeared first on HIPAA Journal.

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed.

NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. During the past 13 years, cybersecurity has evolved and the threat landscape has changed considerably. NIST’s cybersecurity resources have also evolved during that time and an update to the guidance is now long overdue.

NIST will be updating the guidance to reference its new cybersecurity resources, will amplify awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will update its implementation guidance for HIPAA-covered entities and business associates.

Specifically, NIST has requested comment from stakeholders on their experiences applying and using the resource guide, including the parts of the guidance that have been helpful and those that have not, with the reasons why.

NIST wants to hear from covered entities and business associates that have used the guidance and have found key concepts to be missing, and for stakeholders who found the guidance not to be applicable to their organization to provide information on how it can be made more useful, relatable, and actionable to a wider range of audiences.

Covered entities and business associates have complied with the HIPAA Security Rule in a range of different ways. NIST is seeking information on any tools, resources, and techniques that have been adopted that have proven useful, and for covered entities that have enjoyed successes with their compliance programs to share information on how they manage compliance and security simultaneously, assess risks to ePHI, determine whether the security measures implemented are effective at safeguarding ePHI, and how they document demonstrating adequate implementation. NIST also wants to hear from any covered entity or business associate that has implemented recognized security practices that have diverged from compliance with the HIPAA Security Rule.

Stakeholders are invited to submit comment through June 15, 2021 for consideration ahead of the proposed update. Submitted comments will be considered and implemented as far as is practicable.

The post NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.

March 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates.

Healthcare data breaches in the past 12 months

The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in March 2021

The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server
Health Net of California Health Plan 523,709 Hacking/IT Incident Network Server
Woodcreek Provider Services LLC Business Associate 207,000 Hacking/IT Incident Network Server
Trusted Health Plans, Inc. Health Plan 200,665 Hacking/IT Incident Network Server
Apple Valley Clinic Healthcare Provider 157,939 Hacking/IT Incident Network Server
Saint Alphonsus Health System Healthcare Provider 134,906 Hacking/IT Incident Email
The Centers for Advanced Orthopaedics Healthcare Provider 125,291 Hacking/IT Incident Email
Cancer Treatment Centers of America at Midwestern Regional Medical Center Healthcare Provider 104,808 Hacking/IT Incident Email
SalusCare Healthcare Provider 85,000 Hacking/IT Incident Email
California Health & Wellness Health Plan 80,138 Hacking/IT Incident Network Server
Mobile Anesthesiologists Healthcare Provider 65,403 Hacking/IT Incident Network Server
Trillium Community Health Plan Health Plan 50,000 Hacking/IT Incident Network Server
PeakTPA Business Associate 50,000 Hacking/IT Incident Network Server
Sandhills Medical Foundation, Inc. Healthcare Provider 39,602 Hacking/IT Incident Network Server
ProPath Services, LLC Healthcare Provider 39,213 Hacking/IT Incident Email
BioTel Heart Healthcare Provider 38,575 Hacking/IT Incident Network Server
Healthgrades Operating Company, Inc. Business Associate 35,485 Hacking/IT Incident Network Server
The New London Hospital Association, Inc. Healthcare Provider 34,878 Hacking/IT Incident Network Server
La Clinica de La Raza, Inc. (La Clinica) Healthcare Provider 31,132 Hacking/IT Incident Network Server
Arizona Complete Health Health Plan 27,390 Hacking/IT Incident Network Server
Health Net Life Insurance Company Health Plan 26,637 Hacking/IT Incident Network Server
Colorado Retina Associates, P.C. Healthcare Provider 26,609 Hacking/IT Incident Email
Haven Behavioral Healthcare Business Associate 21,714 Hacking/IT Incident Network Server
Health Prime International Business Associate 17,562 Hacking/IT Incident Network Server
CalViva Health Health Plan 15,287 Hacking/IT Incident Network Server

 

Causes of March 2021 Healthcare Data Breaches

43 breaches – 69.35% of the month’s total – were the result of hacking/IT incidents such as compromised network servers and email accounts. Hacking incidents accounted for 98.43% of all records breached in March – 2,867,472 records. The average breach size was 66,685 records and the median breach size was 26,609 records.  17 unauthorized access/disclosure incidents were reported in March (27.42% of breaches) and 44,395 records were breached in those incidents – 1.52% of the month’s total. The average breach size was 2,611 records and the median breach size was 1,594 records. There was one theft incident reported involving 500 healthcare records and one loss incident that affected 717 individuals.

causes of March 2021 healthcare data breaches

Many of the reported breaches occurred at business associates of HIPAA covered entities, with those breaches impacting multiple healthcare clients. Notable business associate data breaches include a cyberattack on Accellion that affected its file transfer appliance. Hackers exploited vulnerabilities in the appliance and stole client files. A ransom was demanded by the attackers and threats were issued to publish the stolen data if payment was not made. The two largest data breaches of the month were due to this incident.

Several healthcare organizations were affected by a ransomware attack on business associate Netgain Technology LLC, including the 3rd and 5th largest breaches reported in March. Med-Data suffered a breach that affected at least 5 covered entities. This incident involved an employee uploading files containing healthcare data to a public facing website (GitHub).

 

The most common location of breached protected health information was network servers, many of which were due to ransomware attacks or other malware infections. Email accounts were the second most common location of breached PHI, which were mostly accessed following responses to phishing emails.

March 2021 healthcare data breaches - location PHI

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers were the worst affected covered entity with 40 reported breaches and 15 breaches were reported by health plans, with the latter increasing 200% from the previous month. While only 5 data breaches were reported by business associates of covered entities, 30 of the month’s breaches – 48.39% – involved business associates but were reported by the covered entity. That represents a 200% increase from February.

March 2021 healthcare data breaches - breached entity

Distribution of March 2021 Healthcare Data Breaches

There was a large geographical spread of data breaches, with covered entities and business associates in 30 states affected. California was the worst affected state with 11 data breaches reported. There were 5 breaches reported in Texas, 4 in Florida and Massachusetts, 3 in Illinois and Maryland, 2 in each of Arkansas, Arizona, Michigan, Minnesota, Missouri, Ohio, and Pennsylvania, and one breach was reported in each of Alabama, Colorado, Connecticut, Georgia, Idaho, Kansas, Louisiana, Montana, New Hampshire, Nevada, Oregon, South Carolina, Tennessee, Utah, Washington, Wisconsin, and West Virginia.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights announced two further settlements to resolve HIPAA violations in March, both of which involved violations of the HIPAA Right of Access. These two settlements bring the total number of financial penalties under OCR’s HIPAA Right of Access enforcement initiative to 18.

Arbour Hospital settled its case with OCR and paid a $65,000 financial penalty and Village Plastic Surgery settled its case and paid OCR $30,000. Both cases arose from complaints from patients who had not been provided with timely access to their medical records.

The post March 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Information Blocking and Interoperability Regulations Now in Effect

Posted by HIPAA Journal

The new information blocking and interoperability regulations developed by the Department of Health and Human Services as part of the 21st Century Cures Act took effect on Monday this week. It has been over a year since the final rule was released, and now the benefits of the information blocking and interoperability provisions can now be realized.

The final rule defines information blocking and stipulates the penalties for providers that engage in activities that interfere with access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request it be sent to the application of their choosing.

The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision only applies to a subset of EHI detailed in the US Core Data for Interoperability (v1). Core EHI includes clinical notes, immunization records, lab test results, medications, and other EHI. The initial 18-month period is intended to help the regulated community get used to the information blocking regulation before the full scope of the regulation’s definition of EHI comes into effect on October 5, 2022. Covered entities and business associates are encouraged to share all EHI if possible, and not restrict sharing to the data represented by the USCDI until the final compliance date in 18 months.

Under the final rule, the deadline for data sharing has been changed from 30 days from the request being received to “without unnecessary delay.” There is an expectation to make EHI immediately available via the platform of the connected covered entity to allow that information to be downloaded. It is important for policies and procedures to be reviewed and updated to ensure that EHI can be obtained as soon as possible, and not to continue to operate on the 30-day deadline, which could now be viewed as information blocking.

The final rule also gives patients further rights over their healthcare data and requires covered entities and business associates to provide patients with their electronic health information, on request, to an application of the patient’s choosing. Patient health information can be sent to these applications without much manual effort by clinicians through secure, standardized application programming interfaces (APIs). As with requests from other healthcare providers, for the first 18 months it is not necessary to provide full records to patients’ chosen applications, only data represented by the USCDI.

Under the HHS HIPAA Right of Access enforcement initiative, the HHS has imposed 18 penalties for failures to provide patients with a copy of their requested medical records in a timely manner. The HHS may well start enforcing compliance with the requirements of the final rule to allow patients to have their EHI send to a health application with similar vigor.  The HHS Office for the National Coordinator for Health IT (ONC) will be working with the HHS Office of Inspector General to enforce compliance with the information blocking provisions, although the final enforcement rule is still pending.

The post HHS Information Blocking and Interoperability Regulations Now in Effect appeared first on HIPAA Journal.

New Jersey Plastic Surgery Practice Pays $30K to OCR Settle HIPAA Right of Access Case

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years.

OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records.

OCR investigators determined that the delay in providing the records, which exceeded the 30 allowed days for acting on patient requests for their medical records, was in violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524. As a result of OCR’s intervention, the patient did receive a copy of the requested records. The case was settled by Village Plastic Surgery with no admission of liability.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese. “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

This is the 18th financial penalty to be imposed by OCR to resolve violations of the HIPAA Right of Access under its Right of Access enforcement initiative that was launched in late 2019. This is the 6th HIPAA penalty to be imposed in 2021, and the 5th to resolve a HIPAA Right of Access violation.

The post New Jersey Plastic Surgery Practice Pays $30K to OCR Settle HIPAA Right of Access Case appeared first on HIPAA Journal.

Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Posted by HIPAA Journal

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Action investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty.

OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months.

When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay.

OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right of Access on July 22, 2019 and the complaint was closed. The patient then submitted a second complaint to OCR on July 28, 2019 when his medical records had still not been provided. The records were eventually provided to the patient on November 1, 2019, almost 6 months after the written request was submitted and more than 3 months after OCR provided technical assistance on the HIPAA Right of Access.

OCR determined the failure to respond to a written, signed medical record request from a patient in a timely manner was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b). In addition to the financial penalty, Arbour Hospital is required to adopt a corrective action plan that involves implementing policies and procedures for patient record access and providing training to the workforce. Arbour Hospital will also be monitored by OCR for compliance for 1 year.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative was launched in late 2019 to ensure patients are provided with timely access to their medical records at a reasonable cost. This is the sixteenth financial penalty to be paid to OCR to resolve HIPAA Right of Access violations under this enforcement initiative and the 4th HIPAA Right of Access settlement to be announced in 2021.

The post Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000 appeared first on HIPAA Journal.

How Often is HIPAA Training Required?

Posted by HIPAA Journal

HIPAA-covered entities and their business associates must ensure that all members of the workforce that encounter protected health information (PHI) in any of its forms need to be provided with training, but how often is HIPAA training required and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training?

What Does HIPAA Say About Employee Training?

Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states:

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The HIPAA Security Rule training standard states:

“Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to what training courses should cover. This vagueness ensures that the HIPAA text does not have to be constantly updated every time technology changes or there is a new threat, although security reminders, protection from malicious software, log-in monitoring, and password management are all mentioned as addressable implementation specifications in the Security Rule.

How Often is HIPAA Training Required?

How often is HIPAA training required is a common question as the HIPAA test is a little vague. Employee HIPAA training must be provided when an employee joins the organization. The training should be provided “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” Thereafter, further training is required when “functions are affected by a material change in the policies or procedures”, with the training provided “within a reasonable period of time after the material change becomes effective.”

It is also important to re-train the workforce regularly to reenforce the initial HIPAA training and ensure that no aspect of compliance is forgotten. The frequency of HIPAA training is at the discretion of each covered entity, with HIPAA only saying that retraining should be “periodic.”

That should be taken to mean at least every 2 years, although the industry best practice – which should be followed – is to provide refresher HIPAA training to the workforce annually.

How Frequently Should Security Awareness Training be Provided in Healthcare?

Periodic security awareness training is also required, in addition to providing security awareness training within a reasonable period of time after a person joins the covered entity’s workforce. In the case of security awareness training, an annual training session is no longer viewed by security professionals as sufficient, considering the extent to which employees are targeted by cybercriminals and the rapidly changing threat landscape.

Here, the best practice is to provide ongoing security awareness training to ensure that employees understand proper cyber hygiene and are kept up to date on the threats they are likely to encounter via the web and email. Training is best provided frequently in small doses to fit in with employee workflows. A biannual training session could be conducted, with frequent security reminders sent such as monthly or quarterly cybersecurity newsletters.

It is important for security awareness training to cover the threats employees are likely to encounter, especially malware and phishing attacks. Employees must be taught how to identify phishing emails as part of their security awareness training given the extent to which healthcare employees are targeted and the sheer number of phishing-related data breaches now being reported.

Document All Employee Training

There have been many enforcement actions by OCR where covered entities and business associates have not been able to provide documentation to prove that they are in compliance with the requirements of the HIPAA Privacy and Security Rules. If documentation cannot be provided to prove that all members of the workforce have been trained, any accidental HIPAA violations by employees are likely to be viewed as training failures.

The HIPAA Privacy Rule only states that “A covered entity must document that the training as described [in the HIPAA Text] has been provided.” You should therefore ensure that you create a training log that includes all employee names and record the date training was provided, the type of training, and the course that was completed.

HIPAA Penalties for Inadequate Training

The penalties for training failures can be severe. Any violation of the HIPAA Rules carries a maximum penalty of $1.5 million, with the level of culpability considered when determining an appropriate penalty. OCR has not, at the time of writing, imposed a penalty solely for training failures but there have been enforcement actions where the lack of either Privacy Rule training or security awareness training was a cited HIPAA violation that contributed to the financial penalty.

The post How Often is HIPAA Training Required? appeared first on HIPAA Journal.