There is a great quote in this article from HealthcareInfoSecurity that expresses very well the importance and goals of HIPAA training programs:
Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, [Ann Patterson of the Medical Identity Fraud Alliance] says. “Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the ‘red flags’ detection systems are keeping pace with changing technologies and workplace practices.”
I recently created a new resource page for the TeachPrivacy website: Text of HIPAA’s Training Requirements. This page provides excerpts of the training provisions in the HIPAA Privacy Rule and the HIPAA Security Rule.
This page is designed to be a useful companion to our resource page, HIPAA Training Requirements: FAQ. The FAQ discusses my interpretation of the HIPAA training provisions, but the full text of those provisions is located on the separate new resource page above.
When you go to the hospital, you might worry about catching a staph infection or pneumonia, but you should also worry about contracting a nasty case of medical identity theft. Most people suffer significant harm from medical ID theft, and few are completely cured. This ailment is spreading dramatically as data spurts out of healthcare organizations these days as if from a ruptured aorta.
In January of this year, an article citing U.S. Department of Health and Human Services (HHS) statistics noted that in the past 5 years, there have been roughly 120,000 reported data breaches involving HIPAA protected health information. These breaches have involved more than 31 million individuals.
It has long been difficult to quantify the ROI of data security awareness training.
But finally, I have been able to locate a number. According to a 2014 PricewaterhouseCoopers study: “The financial value of employee awareness is even more compelling. Organizations that do not have security awareness programs—in particular, training for new employees—report significantly higher average financial losses from cybersecurity incidents. Companies without security training for new hires reported average annual financial losses of $683,000, while those that do have training said their average financial losses totaled $162,000.”