HIPAA Training Requirements

What are the HIPAA Training Requirements?

Because HIPAA applies to many different types of Covered Entity (CE) and Business Associate (BA), the HIPAA training requirements are best described as “flexible”. Training is undoubtedly mandatory as it is an administrative requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an administrative safeguard of the HIPAA Security Rule (45 CFR §164.308).

However, other than stipulating training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule), there is no detailed list of HIPAA training requirements provided.

Consider the Objectives of HIPAA Training

Knowing that you have to provide training, but not knowing what sort of training you have to provide, does complicate HIPAA compliance. Certainly, if a breach of PHI were to occur, and a subsequent investigation found that no training had been provided, the CE or BA responsible could expect a substantial fine from the HHS’ Office for Civil Rights. Organizations that provide regular HIPAA training are much less likely to receive a HIPAA fine.

To overcome the flexibility of the HIPAA training requirements, CEs and BAs should refer back to their risk assessments. The risk assessments should have defined the function of each individual who may have contact with PHI or ePHI and, from these data, it should be possible to compile a “necessary and appropriate” security awareness and training program for each individual’s function or role.

What should be included in the security awareness and training program will depend on the functions or role of each individual employee, manager, volunteer, trainee or contractor who may have contact with PHI or ePHI. In many cases it will be necessary to compile multiple security awareness and training programs to ensure their content is relevant to trainees. Healthcare professionals, for example, do not need the same training as a HIPAA compliance officer. Healthcare students need slightly different training than healthcare professionals. Healthcare administrators again need slightly different training.

Producing targeted training may be time-consuming and resource intensive, but for training to be effective it has to be focused.

How Often is HIPAA Training Required?

With regard to the question of how often HIPAA training is required, the Privacy Rule and Security Rule both offer suggestions without mandating specific timeframes. According to the Privacy Rule, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and also when “functions are affected by a material change in policies or procedures” – again within a reasonable period of time. This is interpreted as requiring training in the first few days or weeks rather than months.

According to the Security Rule, HIPAA training is required “periodically”. Most healthcare providers interpret “periodically” as annually, since a longer period, say every two or three years, would constitute a negligent attitude to training in the case of an HHS investigation into a breach. It is good practice to provide HIPAA refresher training annually, but consider providing shorter training sessions more frequently to reinforce the need for compliance and to reduce the risk of accidental HIPAA violations.

HIPAA training should also be provided whenever there is a change in working practices or technology, or whenever new rules or guidelines are issued by the Department of Health and Human Services. In order to assess whether HIPAA training is required, Privacy and Security Officers should:

  • Monitor HHS and state publications for advance notice of rule changes. Ideally this should involve subscribing to a news feed or other official communication channel.
  • When new rules or guidelines are issued, conduct a risk assessment to determine how they will affect the organization’s operations and if HIPAA training is required.
  • Liaise with HR and Practice Managers to receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
  • Liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
  • Conduct regular risk assessments to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA violations.
  • Compile a training program that addresses how any changes will affect employees’ compliance with HIPAA – not only the changes themselves.
  • Develop a HIPAA refresher training program that can be conducted at least annually to reinforce the need to comply with HIPAA Rules.

Naturally, in the event of changes in working practices and technology, HIPAA training only needs to be provided to the employees whose roles will be affected by the changes. As mentioned in our “Best Practices” section below, it is also advisable to include at least one member of senior management in the training sessions – even if they are not affected by the new policies or procedures – as it shows the whole organization is taking its HIPAA training requirements seriously.

What Should be Included in a HIPAA Training Course?

Although each HIPAA training course should be tailored toward the roles of employees attending the course, there are some vital elements that should be included. The following table is an example of what a basic HIPAA training course should include, although Covered Entities may need to focus on some areas more than others. However, none of these areas should be omitted completely in HIPAA training for healthcare workers.

Areas to Cover in a HIPAA Training Course

HIPAA Overview | Patient Rights | Safeguarding ePHI | Consequences of HIPAA Violations
Why HIPAA is Important | HIPAA Rules on PHI Disclosures | HIPAA and Social Media | Sanctions Policy
HIPAA Definitions | HIPAA Security Rule | HIPAA in Emergency Situations | HIPAA Breach Notifications
HIPAA Privacy Rule | Threats to Patient Data | Preventing HIPAA Violations | Recent HIPAA Updates

Security Awareness Training

The HIPAA Security Rule requires that security awareness training be provided “periodically,” which is widely accepted to mean at least annually. Healthcare employees are targeted by cybercriminals, so it is essential for healthcare employees and students to be aware of the threats they are likely to encounter, be trained how to recognize those threats, and be taught best practices for safeguarding ePHI and how to respond if a threat is encountered.

Consider providing annual security awareness training sessions interspersed with shorter refresher training sessions throughout the year. Cybercriminals frequently change their tactics, techniques, and procedures. Employees should be made aware of the latest threats targeting healthcare employees and have training on how to recognize phishing emails and other threats regularly reinforced. Not only is security awareness training important for HIPAA compliance, it will also help to prevent costly data breaches and regulatory fines.

Best Practices for HIPAA Compliance Training

With there being no specific HIPAA training requirements, we have put together a short series of best practices HIPAA compliance managers may want to consider when compiling “necessary and appropriate” security awareness training, HIPAA training for employees at onboarding, and HIPAA refresher training programs. Our best practices for HIPAA compliance training are not set in stone and can be selected from at will.

  • Do keep training short and sweet. It is recommended that training sessions last no longer than one hour and are “periodic” refreshers, as suggested by the HIPAA Security Rule. Annual HIPAA refresher training is sufficient to meet the “periodic” requirement.
  • Do include the consequences of a HIPAA breach in the training – not just the financial implications for the CE or BA, but the implications for trainees and their colleagues, and – of course – the person(s) whose PHI has been exposed.
  • Don’t quote long passages of text out of the HIPAA guidebooks or the regulations. Use multimedia presentations to make the training memorable. HIPAA compliance training not only has to be absorbed, it has to be understood and followed in day-to-day life.
  • Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
  • Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was administered, to whom, and how frequently. Employees should sign to confirm they have completed HIPAA awareness training.
  • Do consider providing HIPAA online training for employees. Modular online HIPAA training courses can be completed when employees have spare time, which makes it easier to fit into busy workflows. HIPAA online training courses are especially useful for refresher HIPAA training sessions.
  • Do provide regular security awareness training. This will help to build a security culture in your organization and reduce the risk of data breaches.

Training on State Health Information Privacy Laws

HIPAA is a federal statute that applies to Covered Entities and their Business Associates, but it is not the only legislation covering the privacy and security of healthcare data. HIPAA sets minimum standards for health information privacy and security, but states may implement more stringent requirements. In addition to providing HIPAA training, training must also be provided to comply with state laws. For instance, healthcare organizations in Texas and those serving Texas residents are required to provide training on Texas HB 300 and the requirements of the Texas Medical Records Privacy Act, which go further than the minimum standards of HIPAA.

Find Out More about the HIPAA Training Requirements

The consequences of inadequate training can be substantial – not only in financial terms, but also in human terms. Yet many HIPAA breaches can be avoided with adequate HIPAA compliance training. Although the only HIPAA training requirement appears to be that there must be training, you can find out more about what could be included in HIPAA compliance training by reading a comprehensive HIPAA Compliance Guide.

HIPAA Training Requirements FAQ

Who is responsible for organizing HIPAA training?

HIPAA compliance officers should be in charge of organizing HIPAA training for employees – although they don’t necessarily have to conduct the training themselves. If, for example, training involves how to compliantly use a new piece of software, it may be better for a member of the IT team to present the training – although the compliance officer should be in attendance at the presentation.

Should a Privacy Officer provide privacy training and a Security Officer provide security training?

While this would appear to make sense, as each Officer will be a specialist in their own field and able to answer questions, it is not necessary to divide training responsibilities. Furthermore, there is a lot of crossover between privacy and security in HIPAA, so both topics will usually be covered in a training session unless the session is about a specific privacy or security topic.

What is an example of a “material change to policies”?

Some hospitals may have to amend policies and procedures to accommodate the change from CMS’ Meaningful Use program to the Promoting Interoperability program. If the policy changes affect the way in which ePHI is managed, personnel involved in managing data for the Promoting Interoperability program should undergo training to avoid there being gaps in their knowledge.

Which senior managers should be involved in HIPAA training?

All of them – although not necessarily all at the same time. While it is important senior managers are aware of the impact HIPAA compliance has on operations, it is more practical to involve (for example) CIOs and CISOs in technology training, and CFOs in training that concerns interactions between healthcare organizations and insurance carriers.

What is the most important element of HIPAA training?

The nature of HIPAA training for healthcare workers should be determined by conducting a risk assessment, so the “most important element” of HIPAA training will vary on a case-by-case basis. However, it is important for personnel to understand why HIPAA is important and why they are undergoing training in a particular aspect of HIPAA compliance.