The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires Covered Entities to “implement a security awareness and training program for all members of its workforce (including management).” Under the HIPAA Final Omnibus Rule published in January of 2013, business associates must also comply with all Security Rule requirements, including Security Awareness Training. Security Awareness and Training must be provided to all workforce members who may gain access to protected health information (PHI), and periodic retraining must be given whenever environmental or operational changes affect the security of electronic PHI (ePHI). Examples of changes that would warrant periodic retraining include new or updated policies or procedures, new or upgraded software or hardware, new security technology, or new threats or vulnerabilities to ePHI. Although data breaches have many causes, insider misuse and error are increasingly the cause of preventable security incidents. Accordingly, security awareness and training is a critical component of HIPAA compliance and can help organizations avoid costly HIPAA breach notification and enforcement actions. Whether you are an employer group health plan sponsor or a Business Associate, this customizable on-site training provides an overview of HIPAA, educates your workforce about HIPAA’s Security Rule requirements, provides your workforce with security awareness on topics such as malicious software and password management, and helps you satisfy one of the core compliance requirements under the Security Rule.
- Overview of HIPAA
- How are Covered Entities defined and what type of group health plans are subject to HIPAA?
- How is PHI defined and what employee medical information is not subject to HIPAA?
- Overview of the Security Rule’s Administrative, Physical, and Technical Safeguards
- Who are HIPAA Business Associates and what are their responsibilities?
- When is Breach Notification required and who must be notified?
- What are the penalties for non-compliance?
- Security Awareness and Training Implementation Specifications including security reminders, protection from malicious software, log-in monitoring, and password management
- Employee responsibilities for information security
- Review of recent HIPAA security breaches and lessons learned from each incident
This onsite is intended for employers who sponsor group health plans and for business associates. Workforce members who should attend include those within the HIPAA “firewall” (employees who may gain access to PHI or ePHI). Examples of such workforce members for group health plan sponsors include human resource directors and managers, benefits and payroll administrators, chief financial officers or controllers, privacy officers and security officers, and IT staff. Business associates should consult with MSEC staff to determine whether this onsite is appropriate and, if so, which workforce members should attend.
Note: this onsite is not designed for employers who are health care providers and does not cover training required under the Privacy Rule.