HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Training for Healthcare Workers

The requirements relating to HIPAA training for healthcare workers have limitations which can expose individuals to sanctions for non-compliance. Consequently, it is recommended healthcare workers take responsibility for their HIPAA knowledge and how HIPAA applies in their roles.

If you are a healthcare worker, your employer should provide you with two types of HIPAA training – Privacy Rule training on HIPAA policies and procedures (required by 45 CFR § 164.530) and security and awareness training (required by 45 CFR § 164.308). Your employer should also provide you with refresher training if there is a “material change” to HIPAA policies and procedures.

These regulations do not go far enough to prevent healthcare workers unintentionally violating HIPAA due to a lack of knowledge or because non-compliant practices have been allowed to develop in the workplace. This article discusses the limitations of HIPAA training for healthcare workers, what the consequences can be, and what healthcare workers should do to avoid the consequences.

Privacy Rule HIPAA Training for Healthcare Workers

In order to meet the minimum regulatory requirements, an employer must provide Privacy Rule HIPAA training for healthcare workers “on the policies and procedures with respect to PHI […] as necessary and appropriate for members of the workforce to carry out their functions”. Consequently, the nature of the training could be limited to whatever policies and procedures your employer has developed and how relevant your employer thinks they are to your function.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

While it is likely that your employer´s Privacy Rule HIPAA training for healthcare workers covers topics such as patient interactions, Notices of Privacy Practices, permitted disclosures, and the minimum necessary standard, it may be the case your employer might not include patient access requests, incidental disclosures, and the difference between a HIPAA violation and a HIPAA breach – and who to report each type of event to.

Why the Lack of Refresher Training is an Issue

Even if no gaps exist in your initial HIPAA training for healthcare workers, there is no requirement – other than the material change requirement – for employers to provide refresher training. Consequently, if a healthcare worker works for only one employer, it is possible that they could work their whole career without any refresher training on HIPAA. During this time, it would be completely understandable if a healthcare worker forgot some of the initial training and violated HIPAA.

The lack of refresher training can also lead to the development of non-compliant practices. This can occur when shortcuts are taken “to get the job done” and the shortcuts are subsequently repeated more and more frequently until the non-compliant practices develop into a cultural norm. Typically, the only times non-compliant practices are reversed by training is in response to a patient complaint, an OCR investigation, or a compliance audit – by which time the violations have already occurred.

The Risk of Gaps in Security and Awareness Training

The Security Rule provision to “implement a security and awareness training program for all members of the workforce” has the potential to leave large gaps in the knowledge of any employee. This is because, to comply with the provision, employers can provide general security and awareness training. There is no requirement to make the training role specific or relevant to any employee´s function even though the content of training should be determined by a risk analysis.

Employers could argue that it is impractical to provide different security and awareness training programs for different groups of the workforce when much of the content is duplicated. However, there are some areas of Security Rule compliance that may be unique to healthcare workers (EHRs, ePHI on mobile devices, etc.) and they could be excluded from security and awareness training if they are not identified as risks or don´t apply to other groups of the workforce.

The Consequences of the Training Limitations

The consequences of the training limitations are that healthcare workers can violate HIPAA due to a lack of knowledge, the development of a cultural norm, or a gap in security and awareness training. In all cases, it is unlikely that your employer will take responsibility for a violation because it is a lot easier for them to point a finger at an individual and sanction them than it is to undergo an OCR investigation, revise policies, and provide material change training to the full workforce.

While this may seem unfair, there are precedents for employers sanctioning individuals for violations of HIPAA even though it was the employer´s fault for failing to monitor compliance and allowing a cultural norms of non-compliance to develop. It has also been reported that EHR passwords are frequently shared despite this being a clear violation of HIPAA. Even when this non-compliant practice is attributable to an employer´s failings, the individual is still in violation of HIPAA.

What Healthcare Workers Can do to Protect Themselves

The best way for healthcare workers to protect themselves from unintentional violations of HIPAA is to take responsibility for their HIPAA knowledge and how HIPAA applies in their roles. There are multiple online training courses available that provide a good foundation in HIPAA knowledge plus several that can provide a deeper insight into HIPAA so individuals have a clearer understanding of how to act in certain real-life circumstances and not succumb to non-compliant practices.

Online HIPAA training for healthcare workers helps put employer training into context, can be used as refresher training whenever necessary, and fill gaps in security and awareness programs. Additionally, because online HIPAA training is usually provided in a modular format, individuals can skip modules relating to topics they are familiar with and focus on those in which their knowledge is lacking – efficiently reducing the likelihood of unintentional HIPAA violations and sanctions.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.