Protected Health Information (PHI) Training

PHI Requires Your Employees Know How To Handle Such Sensitive Data, Living Security Makes It Easy To Be Prepared.


What Is PHI?

Protected health information (PHI) [1] is any data, in any form, whether electronic, paper, or oral, that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. PHI is most closely associated with the U.S. Health Insurance Portability and Accountability Act (HIPAA), and is the cornerstone of what constitutes patient data and how it should be used, shared, managed, stored, and protected.

Very simply, PHI is the combination of Personally Identifiable Information (PII) plus medical data.

This applies to information that identifies the individual, or could be used to identify the individual, and that is created, stored, or transmitted by a Covered Entity (or a business associate of a covered entity). HIPAA identifies 18 different identifiers that must be removed, secured, and/or encrypted. These include name, address, social security numbers, medical and health insurance-related numbers, biometric and photographic data, and medical device data and serial numbers.

A Covered Entity includes healthcare professionals, hospitals, insurers, and their business associates (such as a credit card processing company or medical device manufacturer, as well as a cloud service provider or cloud datacenter where sensitive data is stored). HIPAA requires that they all uphold the same standards of privacy and confidentiality.

Why It Is Important

PHI is extraordinarily sensitive information that could subject an individual to significant harm if disclosed or shared. Patient rights with respect to PHI entail:

  1. The right to request restrictions for the use of PHI
  2. The right to examine and copy their PHI
  3. The right to request amendments or corrections to their PHI
  4. The right to file a complaint with the covered entity and with the Secretary of Health and Human Services if they believe their privacy has been compromised

PHI Training Requirements

A covered entity must train all members of its workforce on the required policies and procedures with respect to protected health information, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

This training includes HIPAA-specific education about the regulation itself and guidelines for how covered entities must comply with it, but the majority of the education and awareness it requires is focused on cybersecurity. Required training topics include, but are not limited to, phishing and email best practices, password best practices, social engineering, data protection (protecting the physical workspace, and document management and destruction), and the use and disclosure of PHI.

HIPAA regulation clearly outlines the timing and documentation of training. A covered entity must provide training that meets the following requirements:

  1. To each member of the covered entity's workforce by no later than the compliance date for the covered entity
  2. Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce
  3. To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required, within a reasonable period of time after the material change becomes effective
  4. A covered entity must document that the training has been provided

Common Challenges With Compliance-Based Training

When the aim is simply to complete training that satisfies compliance requirements, finishing the training becomes the goal, when in reality better user recognition of, and response to, threats is what is needed.

Many organizations struggle with the greatest challenge in cybersecurity: we throw the best technology at the problem (the average enterprise has 75 different security products), even though human error accounts for 90% of breaches. Most trainings are boring and look only to check the box that compliance training has taken place, but do little to measure whether it actually made a difference in employee behavior.

What Does Good Look Like

Living Security is built on an entirely different premise: that people are your greatest asset. Our solution measures strengths and weaknesses for employees, identifies potential gaps, then delivers timely, engaging individual and team-based training that creates proven, lasting change.

If your organization has ever struggled with challenges like "everyone has completed phishing training, but hundreds of employees still click on our phishing simulations over and over", you need a better solution.

Internal Testing

A top five global telecommunications company ran an internal test and found that “End users who went through the LS Escape Rooms were 45% less likely to click on a phishing simulation vs. all others”.

The Escape Room

The Escape Room is one example of team training that explores phishing, PHI, and other security concepts through team puzzle solving. Paired with an engaging storyline based on real-life scenarios, it delivers a more impactful learning experience.

The goal of security awareness compliance shouldn't just be to check the box that employees have completed training; it should be to prevent breaches and minimize risk and exposure due to human error.

What Makes Living Security Better

The sensitivity of PHI makes it especially critical to safeguard. It is the underlying foundation of HIPAA compliance, and in many ways requires a heightened application of personally identifiable information (PII) best practices. The most critical aspect of protecting PHI is restricting its collection and sharing. In order to protect your patients' PHI, you need to train your employees.

Living Security is chosen by leading global organizations to provide the security awareness training they need, not only to check the box for compliance, but to improve their organization's cybersecurity posture. Training that is engaging and impactful, and that delivers a 16x increase in retention, helps you create proven, lasting change and turns employees into your strongest cybersecurity asset.

Living Security makes it easy to meet compliance requirements with training modules that include, but are not limited to:

  1. PHI-specific content
  2. Passwords (maintaining strong passwords, use of a password manager)
  3. Phishing (and other forms, vishing, smishing)
  4. Physical security (device security, document access and disposal)
  5. How to report an incident
  6. Removable devices/USBs
  7. Mobile devices
  8. Privacy/PII
  9. Social media usage and risks of oversharing
  10. … many, many more.

Our modules range from quick-hit 1-3 minute trainings per topic to full CyberEscape Room series that cover multiple topics all in one. Your compliance checklist can easily cover several complex topics in under 15 minutes.

References:

  1. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
  2. https://ecfr.federalregister.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530

Meet Your Compliance Requirements

Learn more about how Living Security can help you meet your compliance requirements, and actually help your employees make better cybersecurity decisions.