HIPAA Training Requirements
What are the HIPAA Training Requirements?
Because HIPAA applies to many different types of Covered Entity (CE) and Business Associate (BA), the HIPAA training requirements are best described as “flexible”. Training is undoubtedly mandatory. It is an Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308).
However, other than stipulating training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule), there are no specific HIPAA training requirements.
Doesn’t This Complicate HIPAA Compliance?
Knowing that you have to provide training, but not knowing what sort of training you have to provide, does complicate HIPAA compliance. Certainly, if a breach of PHI were to occur, and a subsequent investigation found that no training had been provided, the CE or BA responsible could expect a substantial fine from the HHS’ Office for Civil Rights.
To overcome the flexibility of the HIPAA training requirements, CEs and BAs should refer back to their risk assessments. The risk assessments should have defined the function of each individual who may have contact with PHI or ePHI and, from these data, it should be possible to compile a “necessary and appropriate” security awareness and training program for each individual’s function or role.
Consider the Objectives of HIPAA Training
What should be included in the security awareness and training program will depend on the function or role of each individual employee, manager, volunteer, trainee or contractor who may have contact with PHI or ePHI. In many cases it will be necessary to compile multiple security awareness and training programs to ensure their content is relevant to trainees.
This may be time-consuming and resource-intensive; but, in order for training to be effective, it has to be focused. If an attempt is made to cram every element of the HIPAA Privacy and Security Rules into a six-hour training session, trainees will be given too much information to absorb how HIPAA applies to their roles, and the objectives of the HIPAA training will not be met.
How Often is HIPAA Training Required?
With regard to the question of how often HIPAA training is required, the Privacy Rule and Security Rule both offer suggestions without mandating specific timeframes. According to the Privacy Rule, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and also when “functions are affected by a material change in policies or procedures” – again within a reasonable period of time.
According to the Security Rule, HIPAA training is required “periodically”. Many businesses interpret “periodically” as annually, which is not necessarily accurate or effective. HIPAA training should be provided whenever there is a change in working practices or technology, or whenever new rules or guidelines are issued by the Department of Health and Human Services. In order to assess whether HIPAA training is required, Privacy and Security Officers should:
- Monitor HHS and state publications for advance notice of rule changes. Ideally this should involve subscribing to a news feed or other official communication channel.
- When new rules or guidelines are issued, conduct a risk assessment to determine how they will affect the organization’s operations and whether HIPAA training is required.
- Liaise with HR and Practice Managers to receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
- Liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
- Conduct regular risk assessments to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA violations.
- Compile a training program that addresses how any changes will affect employees’ compliance with HIPAA – not only the changes themselves.
Naturally, in the event of changes in working practices and technology, HIPAA training only needs to be provided to the employees whose roles will be affected by the changes. As mentioned in our “Best practices” section below, it is also advisable to include at least one member of senior management in the training sessions – even if they are not affected by the new policies or procedures – as it shows the whole organization is taking its HIPAA training requirements seriously.
What should be Included in a HIPAA Training Course?
Although each HIPAA training course should be tailored towards the roles of employees attending the course, there are some vital elements that should be included. The following table is an example of what a basic HIPAA training course should include, although Covered Entities may need to focus on some areas more than others. However, none of these areas should be omitted completely.
| Areas to Cover in a HIPAA Training Course | | |
|---|---|---|
| What is HIPAA? | HIPAA Privacy Rule | HIPAA Security Rule |
| Why HIPAA is Important | Disclosures of PHI | Safeguarding ePHI |
| HIPAA Definitions | Breach Notifications | Potential Violations |
| Patients’ Rights | BA Agreements | Employee Sanctions |
Best Practices for HIPAA Compliance Training
With there being no specific HIPAA training requirements, we have put together a short series of best practices HIPAA compliance managers may want to consider when compiling “necessary and appropriate” security awareness and training programs. Our best practices for HIPAA compliance training are not set in stone and can be selected from at will.
- Do keep training short and sweet. It is recommended that training sessions last no longer than forty minutes and are regular events rather than the “periodic” refreshers suggested by the HIPAA Security Rule.
- Don’t waste time on the background to HIPAA. Employees do not need to know what HIPAA stands for or the history of its development and passage. Only discuss what they are supposed to do to protect PHI and ePHI in their specific roles.
- Do include the consequences of a HIPAA breach in the training – not just the financial implications for the CE or BA, but the implications for trainees and their colleagues, and – of course – the person(s) whose PHI has been exposed.
- Don’t quote passages of text out of the HIPAA guidebook. Use multimedia presentations to make the training memorable. HIPAA compliance training not only has to be absorbed, it has to be understood and followed in day-to-day life.
- Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
- Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was administered, to whom, and how frequently.
Beware of Free HIPAA Training Courses
There is only one organization that provides comprehensive HIPAA training free of charge – the Department of Health and Human Services (HHS). The HHS’ website contains a page on HIPAA Training and Resources which includes links to various elements of the Privacy and Security Rules, including guidance materials for Covered Entities and Business Associates.
With regard to other websites offering free HIPAA training for healthcare workers, we recommend these are treated with caution. Some we have investigated host thirty-minute videos, after which users are invited to download a certificate of HIPAA compliance for a cost of $30.00. No thirty-minute video is going to provide relevant HIPAA training to healthcare workers working in a variety of different disciplines. Not only is the free HIPAA training not free, it is a waste of time.
One further element of free online HIPAA training for employees we disagree with is paying to find out an exam score. In this scenario, an employee is provided with free online HIPAA training and then given an examination to complete. The training provider advises the employee whether they have passed or failed the exam, but will not release the exam score (which importantly reveals in what areas the employee requires more HIPAA training) until the appropriate fee has been paid.
Find Out More about the HIPAA Training Requirements
The consequences of inadequate training can be substantial – not only in financial terms, but also in human terms. Yet many HIPAA breaches can be avoided with adequate HIPAA compliance training. Although the only HIPAA training requirements appear to be that there must be training, you can find out more about what should be included in HIPAA compliance training by downloading our free HIPAA Compliance Guide.