Why HIPAA Training Doesn’t Work. And How To Fix It

By Travis Good, MD, Co-founder and CEO of Haekka
HIPAA, for better or worse, is a part of every healthcare business. It does not matter if your company is a traditional clinic or a cutting-edge AI platform powered by PHI (protected health information). There are different approaches to comply with HIPAA, and organizations as varied as clinics and AI platforms typically employ these different approaches.
HIPAA is not new. In fact, it’s older than companies like Facebook and predates the first iPhone. But, the way that we do HIPAA training has not changed much since HIPAA was first written and adopted. With changes in how we work, whether you are a clinician or a data scientist, the need to rethink how we train employees to protect PHI has never been greater.

Actions speak louder than words

Ask 100 people in healthcare and the majority will tell you that HIPAA training is not fun. But, it is required. HIPAA is clear about the training it requires, namely that individuals who touch or may touch PHI receive training on 1) policies and procedures and 2) security awareness. Both pieces of training are important: the first educates employees on the privacy of data, the second on cybersecurity, or the security of data.
These training requirements are most commonly met by offering “HIPAA training” when somebody joins a company and then annually; I put “HIPAA training” in quotes because companies lump and split privacy and security training in different ways. This approach to training is checking the box on HIPAA requirements. It does meet the requirements of HIPAA and passes third-party audits. In that regard, it works.
But, what does this approach say to employees about the importance of following HIPAA? Think about the things you do once a year in your job. Do you perceive them as having any value? Do you gain anything from them?
Actions speak louder than words, and checking the box on HIPAA training negates any rhetoric about the importance of patient privacy. This is not to say that when managers and companies talk about the importance of HIPAA they are not genuine; it is simply pointing out the inconsistency between the message and its positive intentions on one side, and the implementation of HIPAA that employees actually see and experience on the other.
What’s more, if you spend time with employees at healthcare companies, especially employees on the engineering side, you will have encounters with employees who want to follow HIPAA in their day-to-day work but don’t know how. These employees stress about this. They want to ensure they are protecting PHI and not putting themselves, or their company, at risk.

The opportunity to rethink HIPAA training

Let’s shift gears a bit to how work is actually done today. All employees, regardless of role (clinical, technical, support, or anything else), perform work across multiple technical systems. The flow of work today is in tools like apps for customer support or communications, or larger applications like EHRs and practice management systems. The actions employees take in the flow of work, in their workflows, have a huge impact on the security and privacy of data. Workflows represent a largely unmanaged plane of risk, one that automation and configuration management alone cannot fix.
The technical tools used in the flow of work offer the ability for integration points. Right now, these integration points are used to connect data and systems, making workflows across multiple apps more seamless for employees and ensuring consistency of data.
The opportunity to rethink HIPAA training and manage risk in the flow of work lies in delivering real-time contextual training, in whatever format (tips, nudges, reinforcement, questions, videos, etc.), based on triggers in the applications themselves. This form of training addresses the shortcomings of current approaches by addressing the following:

Make it easy for employees

All employees today have too much on their plates. They are constantly inundated with more things to do, more tools to use, and more responsibilities to manage. Current approaches to HIPAA training, done annually, do not get in the way of day-to-day work but also do not empower employees to better manage their responsibilities and to reduce the growing risk to companies from employee actions in the flow of work. Intelligent, real-time training in the flow of work is an opportunity to make following HIPAA easy for employees.
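The trigger-based, in-context training described above can be sketched as a small rule engine that sits behind an application's integration point (for example, a webhook) and turns workflow events into just-in-time tips. This is an added illustration, not Haekka's product code; the event fields, the rules, and the `contains_phi` flag (assumed to come from an upstream classifier) are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample event shape: what a workflow tool's webhook might send.
# Field names are assumptions, not any vendor's real schema.
@dataclass
class WorkflowEvent:
    user: str
    app: str
    action: str
    attrs: dict
    at: float  # seconds since epoch

@dataclass
class Nudge:
    user: str
    topic: str
    message: str

# Trigger rules: (app, action, predicate over attrs, training topic, tip shown in-app).
RULES = [
    ("chat", "message_posted",
     lambda a: a.get("channel_visibility") == "public" and a.get("contains_phi"),
     "phi_in_public_channel",
     "Tip: PHI belongs only in private, approved channels. Move this to a patient channel."),
    ("email", "message_sent",
     lambda a: a.get("external_recipient") and not a.get("encrypted"),
     "unencrypted_external_email",
     "Tip: Email leaving the organization with PHI must be encrypted. Use Secure Send."),
    ("ehr", "record_exported",
     lambda a: a.get("row_count", 0) > 100,
     "bulk_export",
     "Tip: Bulk PHI exports need a documented business need. Confirm this export is approved."),
]

class ContextualTrainer:
    """Matches workflow events against trigger rules and emits in-context nudges.
    A user sees a given topic at most once per cooldown window, so reinforcement
    does not turn into nudge fatigue."""
    def __init__(self, cooldown_s: float = 24 * 3600):
        self.cooldown_s = cooldown_s
        self.last_seen = {}  # (user, topic) -> time of last nudge

    def handle(self, event: WorkflowEvent) -> list:
        nudges = []
        for app, action, pred, topic, msg in RULES:
            if event.app != app or event.action != action or not pred(event.attrs):
                continue
            key = (event.user, topic)
            last = self.last_seen.get(key)
            if last is not None and event.at - last < self.cooldown_s:
                continue  # already reinforced recently for this user and topic
            self.last_seen[key] = event.at
            nudges.append(Nudge(event.user, topic, msg))
        return nudges
```

Each matched event both delivers the tip and leaves a per-user, per-topic record, which is also the evidence an auditor would want that training happened in context rather than once a year.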

About Travis Good

Travis Good, MD is the co-founder and CEO of Haekka, which offers effective, continual, in-context HIPAA and security training and is used by over 250 companies and 30,000 learners. He is the author of Complete Cloud Compliance and co-creator of widely used open source compliance policies. Prior to Haekka, Travis co-founded and was CEO of Datica where he developed and supported the largest platform of HIPAA compliant workloads on the public cloud. Datica is the public cloud compliance layer between AWS and 150+ healthcare companies from small startups up through Fortune 100 life sciences companies.