
HIPAA and Privacy Act Training

When a federal agency provides healthcare services, there may be circumstances in which members of the federal agency's workforce and onsite contractors are required to be provided with both HIPAA and Privacy Act training. In addition, as an increasing number of states enact their own privacy laws, there may also be occasions when employees of state agencies require HIPAA and Privacy Act training as well as state law training.

The Privacy Act of 1974 governs the collection, use, storage, and sharing of personally identifiable information maintained by federal agencies. Under the Act, U.S. citizens have the right to request a copy of any data held about them and to request that any errors be corrected; federal agencies must only collect data “relevant and necessary” to accomplish the purpose for which it is being collected; and sharing data between agencies is restricted and allowed only under certain conditions.

People acquainted with the Health Insurance Portability and Accountability Act will find these privacy provisions familiar, as they closely resemble Patients’ Rights under HIPAA, the Minimum Necessary Standard, and Business Associate Agreements. Indeed, there are many similarities between HIPAA and the Privacy Act. However, despite the similarities, separate HIPAA and Privacy Act training is required by law in circumstances where both Acts apply.


The Laws Governing Privacy Act and HIPAA Privacy Training

Privacy Act training is governed by Part 24 of the Federal Acquisition Regulation. Subpart 24.3 states training must be provided initially and annually for employees who collect, create, use, process, store, or dispose of personally identifiable information, who have access to systems on which personally identifiable information is maintained, or who “design, develop, maintain, or operate” a system which collects, creates, uses, processes, stores, or disposes of personally identifiable information.


HIPAA privacy training is governed by the Administrative Requirements of the HIPAA Privacy Rule. 45 CFR § 164.530 states a HIPAA Covered Entity must train members of its workforce on the policies and procedures designed to prevent the unauthorized disclosure of Protected Health Information when they start working for the Covered Entity, whenever there is a material change to the policies and procedures, and whenever a need for refresher training is identified in a risk analysis.

The circumstances in which both Acts apply occur when a federal agency provides healthcare services to its employees, contractors, or civilians. Examples of agencies subject to both Acts include the Defense Department, the General Services Administration, and NASA. However, while Privacy Act training is only necessary for employees with access to personally identifiable information, all employees of a Covered Entity should undergo HIPAA privacy training.

Lack of training can be a factor in enforcement actions, as in the 2020 Athens Orthopedic Clinic PA penalty of $1,500,000 and the 2023 St. Joseph’s Medical Center penalty of $80,000.

HIPAA Privacy and Security Training

The HIPAA Security Rule also requires Covered Entities, and Business Associates who provide a service for a Covered Entity, to implement a security awareness and training program. However, as the healthcare industry becomes increasingly digitalized, HIPAA privacy and security training is often provided simultaneously. This makes more sense than holding separate HIPAA privacy and security training sessions for employees who access Protected Health Information via EHRs.

The content of a security awareness and training program will closely align with the content of Privacy Act training, inasmuch as electronic records containing personally identifiable information are subject to physical, technical, and administrative safeguards similar to those in the HIPAA Security Rule. Indeed, the language of the Privacy Act relating to the encryption of data, automatic log-off, and the disposal of electronic media is remarkably similar to the language of HIPAA.

State Privacy Laws and HIPAA Privacy Rule Training

Because the Privacy Act applies only to federal agencies, many states are introducing their own privacy laws that will apply to state and local government agencies and, in some cases, private organizations. Consequently, employees of public health departments, state-run correction centers, and public school systems currently subject to HIPAA may also have to undergo state privacy law and HIPAA Privacy Rule training, if training is mandated in the state's legislation.

HIPAA and Privacy Act Training: FAQs

Why should all members of a Covered Entity's workforce undergo HIPAA privacy training?

Although the Privacy Rule could be interpreted as “Covered Entities must train members of the workforce on policies and procedures relevant to their roles”, there are very few circumstances in which a member of a Covered Entity's workforce would not need to know the permissible uses and disclosures of PHI, and the sanctions that apply for disclosing PHI without authorization.

What is the major difference between HIPAA and Privacy Act training?

While the HIPAA Privacy, Security, and Breach Notification Rules contain standards that Covered Entities must apply and train members of the workforce on, Privacy Act training is more flexible. Privacy Act training is also more role-based, with foundation and advanced levels, and contractors have the option to use training from any source provided it meets minimum Privacy Act standards.

How often is Privacy Act training required?

One of the similarities between HIPAA and Privacy Act training is that training has to be provided within a reasonable period of time of a new employee joining the workforce. However, while HIPAA does not state how often HIPAA training is required (beyond material changes to policies and procedures), Privacy Act training must be provided annually, a stipulation that is also included in many state privacy laws.

Does HIPAA preempt the Privacy Act?

HIPAA and the Privacy Act are very similar in terms of their purposes and how they achieve them, and there are no conflicts between the two. Therefore, neither law preempts the other. However, HIPAA can be preempted by a state law when the state law provides greater privacy protections or privacy rights, provides for the reporting of health information to public health authorities (i.e., without inclusion in an accounting of disclosures), or provides for health plan reporting.

Do all federal agencies have to provide HIPAA and Privacy Act training?

No. Only federal agencies, or departments within federal agencies, that qualify as HIPAA Covered Entities because they conduct electronic transactions for which the Department of Health and Human Services has published standards must provide both. These standards can be found in the HIPAA Administrative Simplification Regulations, Part 162, Subparts I to S.

What is the difference between HIPAA and the Privacy Act of 1974?

The difference between HIPAA and the Privacy Act of 1974 is that HIPAA applies to both public and private Covered Entities (generally health plans, health care clearinghouses, and health care providers), while the Privacy Act of 1974 applies to all federal agencies regardless of function. Additionally, HIPAA only protects the privacy of individually identifiable health information, whereas the Privacy Act protects the privacy of all individually identifiable information.

What is JKO HIPAA and Privacy Act Training?

JKO HIPAA and Privacy Act training is training provided for military and civilian personnel attached to the Department of Defense via the Joint Knowledge Online (JKO) platform. The JKO platform is the DoD's advanced distributed learning system, designed to support “anytime, anywhere” online certification and career management. The platform is also used by the Joint Staff to provide initial HIPAA and Privacy Act training and annual refresher training.

What does HIPAA Privacy Act training consist of?

The content of HIPAA Privacy Act training can vary according to the government agency, the role of the individual, and the agency's role in the Military Health System. As an example, the introductory HIPAA Privacy Act training provided by the JKO platform consists of five modules:

  • Module 1 provides a general overview of HIPAA, explains the HIPAA Privacy Rule, and correlates DoD Privacy Standards in greater detail.
  • Module 2 focuses on the HIPAA Security Rule and DoD’s implementation standards.
  • Module 3 provides information about HIPAA Enforcement and HIPAA complaints.
  • Module 4 focuses on the Privacy Act and the DoD Privacy Act Program.
  • Module 5 covers Breach Response at DoD.

Role-specific and agency-specific HIPAA Privacy Act training is tailored to correspond with the level of access to PHI and individually identifiable information. For further information, federal agency personnel should contact their agency's HIPAA Privacy Officer.

HIPAA vs Privacy Act – Who enforces which Act?

Various agencies enforce HIPAA and the Privacy Act depending on the area of the Act or the nature of a violation. For example, HIPAA is enforced by the Department of Labor, the Internal Revenue Service, the Department of Health and Human Services, and the Federal Trade Commission. The Privacy Act is enforced by even more agencies, although the Office of Management and Budget is responsible for creating rules and guiding federal agencies on how they should be enforced.

How does the army HIPAA and Privacy Rule training differ from non-military HIPAA and Privacy Rule training?

Army HIPAA and Privacy Rule training does not differ a great deal from non-military HIPAA and Privacy Rule training. Most of the differences relate to tighter restrictions on permitted uses and disclosures of PHI when army medical personnel are providing treatment, especially disclosures to senior officers relating to mental health and substance misuse not covered by 45 CFR Part 2.

What HIPAA Privacy Act training is there for army personnel?

HIPAA Privacy Act training for army personnel is provided via the Joint Knowledge Online (JKO) platform. HIPAA Privacy Act training is required for all Defense Health Agency and Military Health Service personnel (including civilian personnel and contractors) within thirty days of onboarding and annually thereafter.

Can federal agencies be fined for not providing HIPAA training?

Federal agencies that qualify as HIPAA Covered Entities, or as Business Associates to Covered Entities, can be fined for not providing HIPAA training if a training failure results in a foreseeable HIPAA violation or if a lack of training is identified in a compliance audit. In most cases, a violation of this nature is resolved by a Corrective Action Plan; but where there has been a serious violation due to willful neglect, HHS' Office for Civil Rights has the authority to issue a Civil Monetary Penalty.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com