There are standards within the HIPAA Security Rule to train all organization workforce members. That means all employees, as well as contractors, of a business associate or covered entity. The rules for training are two-fold: 1) providing training to new workforce members and 2) ongoing and periodic training, especially when the environment or organization changes. It's not simply a one-time-and-done requirement.
The content of training should also be two-fold: 1) training around HIPAA (what PHI is, when disclosure is authorized, etc.) and 2) training around information security. The first category of content deals with understanding what HIPAA is, the types of data that meet the definition of ePHI, and the types of safeguards that are required and addressable as part of HIPAA, such as encryption, auditing, and disaster recovery. The goal should be for every employee and contractor to understand, at a high level, what HIPAA means, and ideally for that understanding to become part of the way the organization makes operational and technical decisions.
The other category of training relates not specifically to HIPAA, but to training workforce members in information security best practices. It's important to understand things like encryption from both the technical perspective and the process perspective, not necessarily for HIPAA, but so that good information security practices are something workforce members know and follow.
At Datica, we provide HIPAA and information security training for all new employees to ensure that they know how to spell HIPAA correctly and, more importantly, that they understand the nature of the data we store for customers, the importance of that data's integrity, and the security and privacy requirements around it. We also train employees annually and weekly, in what we call Brown Bag Trainings. Those trainings always relate either to a HIPAA topic, like contingency planning or disaster recovery, or to a security topic, meaning a specific information security practice that may not be prescribed within HIPAA but is really best practice. The reason we differentiate between the two categories of training is that compliance and security aren't always the same thing.
We want security to be part of the way our workforce members think about technology. We want it to go into every decision they make, every requirement they write, and every line of code, so that they understand not just the importance of HIPAA and what PHI is, but also the best technical practices for securing that data. We act as a trusted compliance partner and an abstracted compliance and security layer for our customers, so security and compliance need to be at the center of how we operate. We put a lot of time and energy into training to make sure that all of the technology we provide to our customers is not just compliant, but also secure. We're planning to "open source" our training and do more open training by using our Brown Bag Trainings as a springboard into blog posts from which others can learn.