HIPAA and SOX: Why security awareness training is essential for compliance

Concern for the security of data has been growing fast in recent years. While the average consumer is now more aware than ever of the implications of their data falling into the wrong hands, regulators are also tightening their grip on how businesses are expected to protect the data they gather and control.

No matter what industry or territory you operate in, chances are that you’re already expected to comply with at least one data protection regulation. In the United States, HIPAA and SOX are the most prevalent.

In this article, we’ll look at why security awareness training is essential for compliance with the two major data protection regulations in the US - and how you can make training a success in your company.

What is HIPAA?

HIPAA, or Health Insurance Portability and Accountability Act of 1996, is a US regulation that sets rules on how personal information relating to people’s health and healthcare coverage can be used. It sets strict requirements on limiting access to and protecting the confidentiality of personal health information.

What is SOX?

SOX, or the Sarbanes-Oxley Act of 2022, is a US law that sets out rules for accounting and record-keeping in public companies and accounting firms. It was created after the collapse of the energy company Enron and the discovery of serious failures in record-keeping across public companies in the US.

Why is training essential for compliance?

HIPAA directly mandates that covered entities and business associates are required to institute security awareness training for all employees (Privacy Rule 45 CFR §164.530). This training needs to cover policies and procedures for maintaining the security of Protected Healthcare Information (PHI).

What are covered entities under HIPAA?

Covered entities include health plans, healthcare clearinghouses and healthcare providers. These oganizations deal with the payment of healthcare provision, and are set strict standards on the use, disclosure and handling of personal healthcare information.

The Sarbanes-Oxley Act doesn’t directly mandate companies to institute security awareness training. However, security awareness training is key to ensuring that your company meets its record-keeping requirements under the regulation. SOX requires public companies in the US to keep all business records for a minimum of five years, so training employees in the secure collection, access to and back up of sensitive business information is essential to complying with the regulation.

SOX Penalties for failure to comply with record-keeping requirements:

  • Fines of up to $5,000,000
  • Delisting from public stock markets
  • Taking back of any bonuses paid in the year of non-compliance
  • Imprisonment of senior executives.

Under both HIPAA and SOX, companies are at risk of serious regulatory penalties if they fail to keep and protect data. Regulatory action is not the only cause for concern: customer confidence and brand reputation can become seriously damaged by any breach of data. Customers and partners want to know that your company won’t put their data at risk of exposure, and thus any unauthorized breach can seriously harm your reputation.

HIPAA Penalties for exposure of Protected Health Information:

  • Civil penalties of $100 per failure to comply with a Privacy Rule requirement can be issued by HHS.
  • Criminal penalties of $50,000 or imprisonment for knowingly compromising Protected Health Information for your own gain.

What should training cover?

HIPAA and SOX both require you to train your employees to protect sensitive information. This includes a wide range of security awareness: from creating strong passwords to using VPNs to protect connections when working away from the office.

Here is a list of the most essential topics that should be covered:

  • How to defend against phishing attacks
  • How to stay safe on email and over the internet
  • Why strong passwords and multi-factor authentication are important
  • How to spot and stop social engineering attempts
  • How to maintain physical security
  • Why backing up sensitive data is essential - and how to do it securely
  • How to connect to data securely while on the go

How should training be carried out?

Traditionally, SOX and HIPAA security awareness training was carried out through company- or department-wide sessions where a presenter gave a lecture on security to the audience. This allowed the company to ensure that all employees were given training in all essential areas. The problem with this type of training was that employees would be overwhelmed with information during the lecture - and afterwards, they would soon forget what little they had learned.

Cloud-based training has a number of advantages over traditional lecture-like training sessions. Cloud-based courses allow employees to take their training sessions whenever is most convenient to them, and let users progress through the training at a speed that is fit for them. They can go through content again if they need to have a second read through to better understand something, and online training can be combined with questions that help reinforce learning by making users recollect and use what they’ve just learned.

How does cloud-based training work?

Online security awareness training consists of slide- or video-based courses that focus on a certain security topic. Users can either receive an online login to find their courses - or more conveniently, courses can be sent directly to users’ email inboxes. Users can then progress through all required training at their own pace, and you will be able to track their progress from a web-based dashboard.

When should training take place?

Employees can’t be expected to take training one time, or annually, and then know all they need to do to keep data safe. Instead, training should be made a regular part of the employee responsibilities.

Regular training that carries on throughout the year allows security to become a routine part of your users’ week. Key points can be reinforced, and new security knowledge can be introduced without overwhelming the user by making them learn across many areas at once.

Ongoing training also allows training to be broken up into small, bite-sized courses that are easy for employees to digest. This reduces resistance to training, and helps ensure that users stay engaged with the training they participate in.

usecure is a cloud-based, automated training solution that helps companies across the world address their human risk. Learn how we can help you with HIPAA and SOX compliance today.