HIPAA Resource Center
HIPAA Security Guide
The Need for Training in the Handling of ePHI
written by Christopher Karr CISSP
Training in the handling of ePHI is not only essential, but also a requirement of the HIPAA Security Rule. To mitigate liability and to be compliant, all covered entities must provide ongoing training to all personnel who handle ePHI. The training must include:
- Identity theft
- Daily practices
- Social engineering
- Security breach reporting
- Details of the CE’s Password Policy – with an employee acknowledgment form
- Details of the CE’s Sanction and Termination Policy
- Details of the CE’s Workstation Use Policy
- An acknowledgment form of the training for employee signatures.
1) Identity Theft
Employees should be aware that an identity can be stolen by co-opting an individual’s name, Social Security Number, credit card number, bank account number, driver’s license number, or any other personal identifier.
2) Daily Practices
Employees should be conscious of how they secure ePHI when it is left unattended. The following practices are strongly recommended:
- Strong passwords on accounts, with password-protected screen savers or automatic screen locks
- Prohibiting the use of unencrypted email to send or receive ePHI
- Faxes containing ePHI, whether received or sent, should never be left unattended
- All documents containing ePHI that are delivered via a third party should be sealed
- All documents deemed unusable or void should be either shredded or deposited in a secure shredding bin.
3) Avoiding Social Engineering
Employees who handle ePHI should be wary of:
- Shoulder surfing
- Authority misrepresentation
- Dumpster diving
- Re-pay
4) Security Breach Reporting
All employees should clearly understand:
- Who should report
- What should be reported
- How to report
- Enforcement
5) Password Policy
The Password policy should specify the following password characteristics:
- Password content
- Password length
- Password aging
- Acknowledgement form for employee signature
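As an added illustration of the three password characteristics listed above (content, length, aging), the following Python code checks a candidate password against a policy and reports every violation. It is not from the original page or from any particular covered entity’s policy; the thresholds (12 characters, three of four character classes, a 90-day maximum age) and the small list of common passwords are assumed values chosen for the example. Note that current NIST SP 800-63B guidance discourages routine forced rotation in favour of screening against known-compromised passwords, so an organization should decide deliberately whether its aging rule is time-based or triggered by suspected compromise.

```python
"""Password policy check covering content, length and aging.

Added example, not from the original page. The thresholds below are
assumed policy parameters; a covered entity sets its own in its policy.
"""
from datetime import date, timedelta
import string

# Assumed policy parameters (not taken from the page).
MIN_LENGTH = 12
MIN_CLASSES = 3          # of: lowercase, uppercase, digits, punctuation
MAX_AGE_DAYS = 90

# Constructed denylist of common passwords for the example.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def content_violations(password: str, username: str) -> list[str]:
    """Return the policy violations found in the password's content and length."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    return problems


def days_until_expiry(last_changed: date, today: date) -> int:
    """Days left before the password exceeds MAX_AGE_DAYS (negative if overdue)."""
    return (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days


def check_password(password: str, username: str,
                   last_changed: date, today: date) -> list[str]:
    """Combine the content and aging checks; an empty list means compliant."""
    problems = content_violations(password, username)
    remaining = days_until_expiry(last_changed, today)
    if remaining < 0:
        problems.append(f"expired {-remaining} days ago")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts for the example.
    today = date(2024, 3, 1)
    for pw, user, changed in [
        ("Summer2024!", "jdoe", date(2024, 1, 15)),
        ("correct-Horse-7-battery", "jdoe", date(2023, 10, 1)),
        ("Jdoe12345678", "jdoe", date(2024, 2, 1)),
    ]:
        print(pw, check_password(pw, user, changed, today) or "OK")
```

Each rule is reported separately so the employee sees every reason a password was rejected, rather than fixing one problem at a time; the aging check is kept apart from the content check so it can be run on a schedule against stored change dates without ever handling the password itself.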
6) Sanction and Termination Policies
All employees should read and understand the organization’s Sanction and Termination policies. These policies should serve as a guide for the professional and efficient performance of employees’ duties to protect the confidentiality and integrity of medical and other sensitive information.
7) Workstation Use Policy
This policy is an extension of an organization’s “Internet and Email Usage Policy”. It specifies what can and cannot be performed on an electronic company asset.
8) Employee Acknowledgement Form
All employees who handle ePHI and have received ePHI Training must sign off on such a form. This provides accountability for employees with access to ePHI.
PLEASE NOTE: Information is provided as a service to our visitors. Practis takes no responsibility for its content. It is provided with the understanding that Practis is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Links and information are provided as a service to our visitors. Practis takes no responsibility for their content or connectivity.