HIPAA Training for Employees


The regulations relating to HIPAA training for employees are deliberately flexible because of the different functions Covered Entities perform, the different roles of employees, and the different level of access each employee has to Protected Health Information (PHI).

The degree of flexibility can create misunderstandings about which employees require training, what training should be provided, how training should be provided, and when training should be provided. This blog aims to clarify the regulations relating to employee training.

Which Employees Require HIPAA Training?

The first issue to resolve is straightforward. Both the HIPAA Privacy Rule (45 CFR § 164.530(b)) and the HIPAA Security Rule (45 CFR § 164.308(a)(5)) stipulate that training must be provided to all members of the workforce. Under the HIPAA definition (45 CFR § 160.103), the workforce includes not only employees but also volunteers, trainees, agency staff, consultants, and contractors whose conduct in performing work is under the entity's direct control, regardless of their level of interaction with PHI – even if they have no contact with PHI at all.

However, whereas the HIPAA Security Rule applies to both Covered Entities and Business Associates, the Privacy Rule's training standard at § 164.530(b) applies only to Covered Entities. Therefore, Business Associates are only required to implement the security awareness and training program mandated by the Security Rule – ensuring that all members of their workforce (including management) receive HIPAA security training regardless of their role or function.

What HIPAA Training Should be Provided to Employees?

The HIPAA Privacy Rule requires each Covered Entity to develop policies and procedures designed to comply with the Rule's standards and implementation specifications and to "train all members of its workforce on the policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity".

This means the content of HIPAA training will depend on what policies and procedures the Covered Entity has developed, and which of those policies and procedures each employee needs to understand in order to carry out their functions in compliance with HIPAA. As a guide, this article on the HIPAA Training Requirements includes examples of HIPAA compliance training.

How Should HIPAA Compliance Training for Employees be Provided?

Covered Entities and Business Associates have several options when it comes to providing HIPAA compliance training for employees. Historically, HIPAA compliance training was classroom-based and led by an instructor – usually the HIPAA Privacy Officer or HIPAA Security Officer. However, classroom-based training can be ineffective simply because there is so much to cover in HIPAA.

For example, a classroom-based training session for patient-facing employees would have to cover areas of HIPAA such as the provision of Notices of Privacy Practices, patients' rights under HIPAA, the Minimum Necessary Standard, using technologies such as EHRs compliantly, and the Breach Notification Rule. That is a lot to cover in a single training session, and a lot for employees to remember.

HIPAA Training Video for Employees

A HIPAA training video for employees can be used as part of – or as an alternative to – classroom-based training. Videos enable instructors to break down and explain HIPAA visually, which can lead to more engagement and better retention. When used as an alternative to classroom-based training, videos can also overcome the problem of getting trainees in the same place at the same time.

An unfortunate issue with HIPAA training videos for employees is that it is often impractical, because of the expense, to produce a different video relevant to each employee's role. Therefore, while a HIPAA training video can be of some benefit – for example, for explaining what PHI is – it is often not the best way to comply with the HIPAA training requirements on its own.

Online HIPAA Training for Employees

Online HIPAA training for employees composed of mix-and-match modules is a far more effective way for Covered Entities and Business Associates to comply with the HIPAA training requirements. The modules can be assembled into groups relevant to each employee's role – or to each group of roles – and each employee can complete the training individually in their own time.

Online training not only makes it easier for a Covered Entity or Business Associate to provide initial training (i.e., when onboarding new employees), but also makes it easier to provide refresher training or HIPAA-mandated training whenever “functions are affected by a material change in the policies or procedures”, as individual modules are easier to update than complete training courses.

When Should HIPAA Training for Employees be Provided?

Covered Entities are required to provide training on HIPAA policies and procedures "within a reasonable period of time after a person joins the Covered Entity's workforce" and, for existing workforce members, within a reasonable period after their "functions are affected by a material change in the policies or procedures". The Security Rule stipulates no time period within which security awareness and training has to be provided.

In addition, Covered Entities and Business Associates should treat workforce training as an input to the risk analysis required by the Security Rule (45 CFR § 164.308(a)(1)(ii)(A)). This will help identify when further training is needed to prevent unauthorized uses or disclosures of PHI that have developed through bad practices. If a need for training is identified, it should be provided promptly – the same "reasonable period" standard the Privacy Rule applies to material changes is a sensible benchmark.

HIPAA Training for Employees: FAQs

Why is HIPAA training important?

HIPAA training is important because members of a Covered Entity's or Business Associate's workforce have to understand how to protect PHI from unauthorized uses and disclosures. If a HIPAA violation occurs that could have been prevented with training, but no training has been provided, the HHS Office for Civil Rights (OCR) can treat the violation as due to willful neglect, which places it in the highest penalty tiers when calculating the penalty.

The failure to provide training is a violation of HIPAA in itself. The training requirements in the Privacy Rule and Security Rule are both "standards" rather than "implementation specifications", which means they must be complied with. By contrast, "addressable" implementation specifications in the Security Rule may be omitted only if the entity assesses that they are not reasonable and appropriate, documents the reasons, and implements an equivalent alternative measure where one is reasonable and appropriate. The training standards themselves cannot be addressed away.

Who is responsible for training all employees on HIPAA?

The HIPAA Privacy Rule (45 CFR § 164.530(a)) stipulates that a Covered Entity must designate a Privacy Officer who is responsible for the development and implementation of the Covered Entity's HIPAA policies and procedures. This person is not necessarily responsible for delivering training personally, but they are responsible for ensuring employees are trained on HIPAA.

Covered Entities and Business Associates are also required to designate a Security Officer under the Security Rule (45 CFR § 164.308(a)(2)). This can be the same person who has been designated Privacy Officer; and like the Privacy Officer, the Security Officer does not have to personally provide HIPAA training, but they must ensure a security awareness and training program is implemented.

Who needs HIPAA training?

As mentioned above, training should be provided to all members of the workforce regardless of the level of interaction they have with PHI. This means that cleaners, maintenance teams, and gardeners must receive basic instruction on PHI so they know (for example) not to discuss a patient staying in a healthcare facility, and how to recognize and report PHI that has been inadvertently left unattended.

Significantly, the HIPAA Security Rule explicitly requires that security awareness and training cover "all members of its workforce (including management)". While managers might have no more interaction with PHI than a gardener in their day-to-day function, healthcare managers are frequently targeted by cybercriminals for login credentials that enable business email compromise attacks, so they should not be exempted from training.

How often is HIPAA training required?

HIPAA training for employees is required when a person joins a Covered Entity's workforce, when there is a material change in policies and procedures that affects that person's role, and when a risk analysis identifies a need for further training. Beyond these requirements, it is best practice to provide periodic refresher training – especially with regard to security awareness. The Security Rule's addressable "security reminders" specification (45 CFR § 164.308(a)(5)(ii)(A)), which calls for periodic security updates, points in the same direction.

Threats to patient data are constantly evolving. Cybercriminals are finding new ways to infiltrate IT networks, while existing methods of compromising and extracting data (phishing, malware, ransomware, etc.) are becoming more sophisticated. Therefore, periodic refresher training should be provided at least annually to educate the workforce on the latest threats and how to defend PHI against them.

How long does HIPAA training take?

There are various schools of thought about the best way to provide HIPAA training for employees, and these influence how long HIPAA training takes. For example, some Covered Entities may prefer day-long workshops, while others may opt for a 20-minute video. Neither extreme is ideal: in the first case employees won't retain the information, and in the second they won't receive enough of it.

If Covered Entities and Business Associates implement modular online HIPAA training for employees, the time training takes will vary according to how many modules are included in the course and whether the training is completed by each employee individually in their own time or delivered in a classroom setting. In a classroom setting, the optimal session length is under two hours.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
