How to satisfy HIPAA awareness and training requirements

Introduction

While data privacy and security regulations abound, few bring the same number of frustrated groans from IT departments as the Health Insurance Portability and Accountability Act (HIPAA). 

The acronym “HIPAA” sounds a lot like the word “hippo.” In many ways, the connection between the two is an excellent way to think of the regulation. Hippos are highly aggressive and unpredictable, making them some of the world’s most dangerous animals. Similarly, HIPAA is a highly aggressive regulation, one that includes heavy fines and jail time. Just as you would teach someone going on a safari to steer clear of hippos, you need to educate your staff according to the HIPAA training compliance requirements to protect patient data. 

What are the HIPAA training requirements?

The regulatory morass known as “HIPAA” embeds training in two small sections of two rules. Like the rest of the law, the training requirements are equal parts prescriptive and vague.

According to the HIPAA Security Rule Administrative Safeguards, all covered entities must annually train all workforce members and document said training. The training and documentation must:

  • Be provided to all workforce members by the annual compliance date
  • Be provided to new workforce members within a “reasonable period” after joining the workforce
  • Be updated if a material change in policies or procedures occurs and then given again to align with the changes
  • Be retained for at least six years

The HIPAA Privacy Rule Administrative Safeguards provide a bit more detail to help you understand the information that needs to be in the training. The specifications include:

  • Periodic security updates
  • Procedures for guarding against, detecting and reporting malicious software
  • Procedures for monitoring login attempts and reporting discrepancies
  • Procedures for creating, changing and safeguarding passwords

At first glance, these don’t seem too difficult. After all,

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Karen Walsh. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/hcZGiG5mDzQ/