Is HIPAA employee awareness training enough?

Several puzzle pieces must fit together for a healthcare organization to achieve HIPAA compliance. And one such piece is HIPAA compliance training, which must include cybersecurity employee awareness training.

RELATED: Understanding and Implementing HIPAA Rules

The best cybersecurity strategy is not foolproof without proper employee awareness training. At the same time, training is not enough on its own.

So what is HIPAA employee awareness training? What are the best approaches to HIPAA compliance and strong cybersecurity?

What is HIPAA employee awareness training?

Under the HIPAA Privacy Rule, healthcare organizations must provide employees with HIPAA compliance training on “privacy policies and procedures, as necessary and appropriate for them to carry out their functions.”

Such training must include an explanation of what HIPAA is and why it is necessary to safeguard protected health information (PHI).

RELATED: Is a Name PHI?

Anyone within an organization who handles PHI must have this training. It can empower employees to protect themselves as well as the organization and its patients.

Cybersecurity training, along with the protection of electronic PHI (ePHI), falls under the administrative safeguards of the HIPAA Security Rule.

Under both Rules, training is a periodic requirement, though neither provides a detailed list of what to include. Rather, the HIPAA rules are deliberately flexible.

Generally, cybersecurity training should educate employees on the safe use of computers and teach them:

What measures to include in employee awareness training depends on each organization. What is important is setting expectations upfront and ensuring employees follow them.

Why is employee awareness training necessary?

The number of healthcare organizations breached by the end of 2020 increased dramatically, with cybercriminals taking advantage of two things:

The best-laid cybersecurity plan means nothing if employees don’t follow it. Employees, especially within healthcare, are the weakest cybersecurity link of any organization.

Your employees may be tired or stressed, especially within the current climate. They may also be distracted or just not care about cybersecurity.

Moreover, email is the most accessible threat vector (or entry point) into any computer/network. In fact, the Paubox HIPAA Breach Report for April 2021 tallied email breaches as affecting 520,059 individuals.

There is nothing to stop a hacker from tempting employees through phishing and/or social engineering or from utilizing malware such as viruses, adware, spyware, ransomware, and so forth.

No matter the cybersecurity measures in place, without employee awareness training employees may easily let a cybercriminal into any organization.

But is HIPAA employee training enough?

HIPAA employee awareness training should not be the only tactic utilized for cybersecurity. Rather, a layered approach is necessary for complete HIPAA cybersecurity compliance.

RELATED: How to Ensure Your Employees Aren’t a Threat to HIPAA Compliance

It is through a HIPAA risk assessment that an organization will understand its best approach to cybersecurity. Typically, a layered cybersecurity program should include:

  • Employee awareness training
  • Access controls and physical safeguards
  • Encryption and antivirus software
  • Policies and procedures
  • Separate backups
  • Strong password policies
  • Patched and up-to-date devices

And of course, email security.

If a breach does occur and the U.S. Department of Health and Human Services (HHS) investigates, having key safeguards in place demonstrates that no HIPAA violation took place.

RELATED: What to Do After You Violate HIPAA

But if found negligent, the organization will more than likely be fined and held accountable for the breach.

Always include strong email security

Given the vulnerability of employees, it is necessary to include strong email security along with employee awareness training.

Enabling HIPAA compliant email with strong inbound and outbound email security is crucial to strengthening any organization’s cybersecurity program.

Paubox Email Suite Premium provides this needed protection and requires no change in email behavior. No extra logins, passwords, or portals. With our HITRUST CSF-certified solution, all emails are encrypted directly from your existing email platform (such as Microsoft 365 and Google Workspace).

Malicious inbound emails are blocked even before reaching an employee’s inbox. Our Plus and Premium packages also come with ExecProtect, built to stop display name spoofing emails from reaching the inbox in the first place. Our Premium level also comes with data loss prevention (DLP), which stops unauthorized employees from transmitting sensitive data outside an organization.

So is employee awareness training enough on its own? No, though that doesn’t mean organizations shouldn’t take it seriously. Rather, a combination of measures, including training and email security, works together to stop data breaches.

Don’t leave your employees out in the open. Protect them while showing them how to protect themselves.

Try Paubox Email Suite Premium for FREE today.

About the author

Kapua Iao
