HIPAA is one of the broadest reaching privacy initiatives, and, as a result, is also one of the most complex. However, simple doesn't always mean easy, and, conversely, complex doesn't always mean hard. In its essence, HIPAA can be summed up thusly: "Don't let unauthorized people have access to the personal health information (PHI) of patients."
Pretty straightforward, right? However, complexity arises because the amount of data that needs to be protected is huge. Not only must an organization protect the traditional personally identifiable information (PII) like Social Security numbers and patient IDs, but also all records relating to the health care the patient has received, including any transaction codes and code sets that relate to the patient.
What this translates to is not only a lot of data to protect, but also a lot of people who will need access to a lot of data on a regular basis. As a result, there's a much larger human component to worry about than with GLBA, PCI DSS or SOX. Employees and contractors of organizations that need to be HIPAA compliant (i.e. covered entities, business associates and online healthcare tracking systems such as Google Health) need to be aware of their responsibilities and what they need to do. Along with this awareness of responsibilities should come an awareness of the repercussions of non-compliance on both an organizational and a personal level. These repercussions can range from substantial monetary fines to jail time if it is determined that someone deliberately leaked data (as opposed to accidental disclosure).
This has become even more important as a result of the Health Information Technology for Economic and Clinical Health Act (HITECH), the recent update to HIPAA that mandates much larger fines for organizations -- as well as personal responsibility for individuals -- that deliberately violate the HIPAA rules. For most individuals those consequences are quite real, so the trick is ensuring that everyone knows what's going on and the potential risks.
For a project of this scale, posting policies on the corporate website and sending out emails just won't be enough, nor will hanging awareness posters on work place bulletin boards. Ideally, the trainings should be in person, or, if that's not an option, go with interactive Web-based training. For something of this magnitude, bring in the pros; experts who know the best methods for providing this kind of instruction will do a far better job than in-house staff. I also recommend working with human resources to identify appropriate resources and methodologies for communicating more effectively.
Once you've settled on your training methodology, you need to work on the really important part: the actual content of the training. This will break down into general and specific training. The general training is for everyone who has access to PHI and is really pretty basic. The idea here is to make everyone aware of HIPAA/HITECH and its requirements. The basic requirements of the recent changes to HIPAA are:
- Many more organizations are now required to comply with HIPAA; as a result, all these compliance processes may be new for the organization and will take some getting used to.
- Per federal regulation, if unencrypted PHI is leaked, then the patients whose data was lost must be notified. This is now required for every organization that falls under HIPAA.
- Patients may request an audit trail showing all disclosures of their health information made through an electronic record. This will have specific ramifications with regards to logging and auditing for the teams that manage the various applications.
- The sale of an individual's health information or use of PHI for marketing and fundraising purposes without the patient's authorization is not permitted. This could have a major effect on sales/marketing/alliances groups.
- There are now increased penalties and enforcement for all organizations.
This is not only an opportunity to teach employees what the changes to their jobs are (e.g. they must no longer share PHI with spouses or other medical groups without prior consent), but also what the potential consequences of failure to follow the new rules are (e.g. fines, loss of job, even jail time). This is also a great time to discuss some common scenarios employees may be facing and how to handle them. This training shouldn't take more than 30-60 minutes, including any question and answer time. Also, be sure to reiterate the executive support behind your organization's compliance with HIPAA. At the end of the general training, employees should sign something that certifies that they have been trained and understand the rules. Ideally this will also be rolled into new employee orientation, so there is no reason for anyone not to know what's acceptable and what's not.
The specific training should be focused on technical employees; this is where you will train them on the more specific technical requirements they will face. As a result of HIPAA/HITECH, staff may have to deal with significant operational process changes, such as encrypting databases, implementing new authentication and authorization mechanisms, applying separation of duties, redesigning network architecture or re-segmenting. If your company is implementing new technologies or products, your staff might also require outside training from those companies. Finally, technical staff will need to know which systems have PHI on them so they know which ones to apply any new policies and processes to.
Regardless of how effective the training is, though, there will always be some percentage of people who will be resistant to the necessary changes. There are several ways of dealing with this issue. First and foremost, the executives should make it clear that HIPAA is a priority for everyone in the organization. It's a lot harder to maintain one's stance that something is unnecessary if the CEO disagrees. If that doesn't work, you will have to have more direct managerial involvement. This can range from writing a warning to a particular employee, to transferring the employee to a position where they don't have access to HIPAA-related data and, if worst comes to worst, considering employee termination. Often it helps to be public about the first termination, as this sends a clear message that management is serious. This doesn't necessitate revealing who was fired (as that would create its own privacy issues), only the fact that someone was fired because of a failure to comply.
As I said in the beginning, HIPAA/HITECH is simple in principle and complex in practice. Thus, ensuring that your staff is properly educated about HIPAA and the recent changes as a result of HITECH is imperative to a proper compliance program. The above will give you a framework on which to base that education process.
About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in October 2009