How to build HIPAA training for your digital tech business

When you are involved in storing, transmitting, or interacting — in any way — with information about people’s health and identity, you need to comply with HIPAA. We’ve written an article on what is useful to know about HIPAA for software developers and how, in general, the compliance of your healthcare tech business can save you a lot of money. (If you’ve done it from the beginning of product development, of course.)

In this article, we’ll tell you how to build a HIPAA training program, which business associates (software vendors among them) need in order to comply.

Researching for this instalment, we’ve noticed a funny thing about HIPAA training: people recommend that medical organizations ask their “digital partners” for help with training. Medical organizations do have a problem with HIPAA: while most American healthcare organizations agree they have security concerns, most of them also agree that employees not knowing how to behave around PHI privacy is their biggest issue. But digital healthcare businesses that develop the solutions which will handle healthcare data sometimes don’t even know what HIPAA is. We know most of our European and Near East clients didn’t.

So this article will also be useful to medical providers as a list of methods to apply in HIPAA training.

Use real-life HIPAA violation use cases as motivation to engage in training

Humans are problem-solving creatures: we react lamely when others merely tell us about the crap they’re going through, but we run to help or advise once we know what needs to be done to make it easier for them. We’re more motivated and creative when we see we can contribute to fixing something.

“Do that because you should” isn’t a good idea for effective learning and development. “Do that because you’ll be doing your job better and protecting your customers and company” is more effective.

So, one anchor for HIPAA training is cybersecurity challenges. Engage employees in awareness training that showcases statistics on cybersecurity breaches in the industry (by the way, did you know healthcare’s losses to breaches and leaks are the largest among *all* industries?), followed by the numbers of compromised patient records and of the costs incurred.

If you’ve signed a Business Associate Agreement (which you must do if you want to interact with patient data in any way on behalf of a covered entity), you have access to patient data. A single lost PHI record may cost your organization about $200. Show them how a potential breach can affect your organization.

Motivated by the possibility of making an impact, employees will not only connect their personal goals (make things better, build a product that will help people, make new discoveries, etc.) to your business goals, but will also be encouraged to participate in building a HIPAA-compliant workflow later.

Encourage them to practice their knowledge hands-on

You, or some of the people you knew at school, asking “how exactly are we going to use this in real life?” and then having to learn how to do taxes from scratch (because that’s where some of that math goes, mate) is an illustration of useless passive knowledge, separated from real life.

Don’t make your HIPAA training passive: even a short YouTube video (microlearning has proven very efficient when used the right way) won’t help your employee understand why UnityPoint reporting their EHR breach more than two months after the incident made their situation worse.

Another nice thing about humans, along with the “we love a challenge” fact, is that if we don’t apply what we learned consistently and regularly, we forget more and more of it. Add tests, use real-life or close-to-life violation examples in them, and encourage employees to work through complex violations by mapping them to the particular parts of HIPAA that weren’t in place.

For instance, in the UnityPoint case, the Breach Notification Rule was obviously violated (notification is due within the sixty-day timeframe!). It was a phishing email an employee opened that opened the gate for attackers: a training issue. The phishing emails asked employees to share their internal system log-in information: a training issue. While the attack happened in the March-April timeframe, it was discovered only in May: a risk assessment issue.

Your employees have to learn to break down every violation case to see what could have been done to avoid it.

Include HIPAA-brainstorming and training in your product development

Treat Security Rule training the same as awareness training. While the latter fits everyone in your organization, Security Rule training is more high-level and for tech people only. HIPAA requires both for your compliance.

Security training involves choosing and constructing a risk management framework for your organization, complying with the security safeguards, ensuring data encryption, etc. It concerns your engineers, DevOps, data scientists, quality assurance folks, and, well, the whole product team that builds the product.

The Security Rule consists of literally best practices for every product that handles personal data. Tech people know (middle and senior developers certainly do) that data encryption ensures data protection, just as they know the system must log a user off after a defined period of inactivity. It’s basic. But breaches still happen, so the handbook of “how to be a good engineer and develop a secure product” clearly doesn’t work on its own.

Attach their theoretical knowledge (plus additional knowledge, if needed) to the digital healthcare product. What do we mean?

If you’re a niche vendor (you develop specific software for a specific branch of healthcare), ask them to come up with a little user analysis (yes, engineers, not project management!) of how each person interacting with this software may screw up cybersecurity and how to prevent that from happening.

Your product team needs to think about HIPAA compliance from the start, just as you do, and the best way to train them is to integrate training into their day-to-day work.

How do we track that someone accessed our user database via a phishing email?

Do we have the tools to terminate such a session?

Are they automated, or do they need to be handled manually?
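The three questions above can be put into code. The following is an added example, not code from the original article or any product it mentions: a small in-memory session store where the idle timeout is a hypothetical policy value, every PHI read and every denied attempt lands in an audit trail, and all sessions of an account whose login was phished can be terminated with one call.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # hypothetical policy value; the Security Rule fixes no number


class PhiSessionStore:
    """Sessions with idle auto-logoff, forced termination, and an audit trail."""
    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so the idle timeout can be exercised in a test
        self.sessions = {}    # token -> {"user", "last_activity", "active"}
        self.audit_log = []   # every login, logoff, denial and PHI read

    def _log(self, event, user, detail):
        self.audit_log.append({"ts": self.clock(), "event": event, "user": user, "detail": detail})

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_activity": self.clock(), "active": True}
        self._log("login", user, "")
        return token

    def is_valid(self, token):  # refresh an active session; expire it once idle too long
        s = self.sessions.get(token)
        if s is None or not s["active"]:
            return False
        if self.clock() - s["last_activity"] > IDLE_TIMEOUT_SECONDS:
            s["active"] = False
            self._log("auto_logoff", s["user"], "idle timeout")
            return False
        s["last_activity"] = self.clock()
        return True

    def read_record(self, token, patient_id):
        """Constructed stand-in for a PHI lookup: every attempt is logged, allowed or not."""
        if not self.is_valid(token):
            self._log("denied", "unknown-or-expired", patient_id)
            return None
        user = self.sessions[token]["user"]
        self._log("phi_read", user, patient_id)
        return {"patient_id": patient_id, "read_by": user}

    def terminate_user(self, user):  # kill every active session of a compromised account
        killed = [s for s in self.sessions.values() if s["user"] == user and s["active"]]
        for s in killed:
            s["active"] = False
        self._log("forced_logoff", user, f"{len(killed)} session(s)")
        return len(killed)

    def reads_by(self, user):  # which patient records did this account touch?
        return [e["detail"] for e in self.audit_log if e["event"] == "phi_read" and e["user"] == user]
```

The audit trail answers the first question after the fact, `terminate_user` answers the second, and wiring it to your alerting decides the third.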

Bottom line: don’t assume your product will be HIPAA-compliant and safe because you have a good and capable product team that envisions all security issues. That’s not going to happen. You cannot over-communicate.

A quick take on the worst practices

1. People hate it when L&D distracts them from their jobs and when they need to work extra hours to cover the training.

Consider this when planning a two-hour meeting on HIPAA awareness. Stress makes memory less efficient, and even though we’ve discussed the efficiency of active learning versus lecturing your workforce, a lecture in the middle of the workday will be even less effective.

Solution: create an online course that can be accessed from different devices; if you can’t, group employees by the hours they’re most comfortable learning at and conduct a few separate sessions.

2. Too much information in one day.

Microlearning is popular not because it’s a fancy way of doing things remotely. The efficiency of microlearning combined with hands-on practice lies in the fact that it fits humans’ short attention span. Most people can’t remember what they saw online two days ago; the information load is huge, and we’re constantly getting distracted. You need to break HIPAA into digestible parts (by Rules: Privacy, Security, Administrative; or by level of complexity; or by purpose) and present content written in language that people can understand easily. Not HHS’ language. No offence, HHS.

By the way, make sure you have this educational content and the results of people’s final tests documented (!). To be HIPAA-compliant, you need to document your training.

3. Almost no feedback, or bad feedback.

“No feedback” is when, after the final test, you just give your employees their results. That’s not feedback, that’s a grade, and surely there is value in a grade, but it’s still not feedback: no communication takes place. Feedback on what was done well and what was done badly helps employees understand what to focus on and feel that you care about them. Their training is valuable for your business. That makes them feel valued, and happy employees equal an efficient, high-performing workforce and good training results. Everyone knows that.

Bad feedback is passive-aggressive remarks about how everything is in dire danger because someone didn’t pass the test. Help your employees address the gaps in their understanding, fire them if they’re really that bad, but don’t torture them.

By the way, good results also need a follow-up with your feedback.

Final thoughts: HIPAA might become your competitive advantage

Some resources advocate not bothering your employees with HIPAA too much. But if you’re a software company working in the healthcare industry, we think it’d bring you more value than you expect.

Along with security, HIPAA training will let you apply a security-first mindset at every stage of product development. Everyone kind of knows that security shouldn’t be an afterthought, but tech is so used to getting there as fast as possible that a lot of important things are forgotten. In the medical and connected fields, it’s rare for speed and security to go together, and that is one of the reasons why it’s so hard to sell a healthcare tech product.

HIPAA Rules that are familiar to each employee are quite possibly your competitive advantage in negotiations with large healthcare players. It will signal: OK, we know your regulations, we navigate them perfectly, we understand your struggles. You’re safe with us.

Plus, HIPAA Rules partially complement FDA requirements for medical devices, so if you’re working on something like that, it’d be easier to get clearance.
