HIPAA Training Requirements

What are the HIPAA Training Requirements?

Because HIPAA applies to many different types of Covered Entity (CE) and Business Associate (BA), the HIPAA training requirements are best described as “flexible”. Training is undoubtedly mandatory as it is an administrative requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an administrative safeguard of the HIPAA Security Rule (45 CFR §164.308).

However, other than stipulating training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule), there is no detailed list of HIPAA training requirements provided.

Consider the Objectives of HIPAA Training

Knowing that you have to provide training, but not knowing what sort of training you have to provide, does complicate HIPAA compliance. Certainly, if a breach of PHI were to occur, and a subsequent investigation found that no training had been provided, the CE or BA responsible could expect a substantial fine from the HHS’ Office for Civil Rights. Organizations that provide regular HIPAA training are much less likely to receive a HIPAA fine.

To overcome the flexibility of the HIPAA training requirements, CEs and BAs should refer back to their risk assessments. The risk assessments should have defined the function of each individual who may have contact with PHI or ePHI and, from these data, it should be possible to compile a “necessary and appropriate” security awareness and training program for each individual’s function or role.

What should be included in the security awareness and training program will depend on the function or role of each individual employee, manager, volunteer, trainee, or contractor who may have contact with PHI or ePHI. In many cases it will be necessary to compile multiple security awareness and training programs to ensure the content is relevant to each trainee. Healthcare professionals, for example, do not need the same training as a HIPAA compliance officer. Healthcare students need slightly different training than healthcare professionals. Healthcare administrators again need slightly different training.

It may be time-consuming and resource-intensive to produce targeted training, but in order for training to be effective, it has to be focused.

How Often is HIPAA Training Required?

With regard to the question of how often HIPAA training is required, the Privacy Rule and Security Rule both offer suggestions without mandating specific timeframes. According to the Privacy Rule, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and also when “functions are affected by a material change in policies or procedures” – again within a reasonable period of time. This is interpreted as requiring training in the first few days or weeks rather than months.

According to the Security Rule, HIPAA training is required “periodically”. Most healthcare providers interpret “periodically” as annually, since a longer period, say every two or three years, would constitute a negligent attitude to training in the case of an HHS investigation into a breach. It is good practice to provide HIPAA refresher training annually, but consider providing shorter training sessions more frequently to reinforce the need for compliance and to reduce the risk of accidental HIPAA violations.

HIPAA training should also be provided whenever there is a change in working practices or technology, or whenever new rules or guidelines are issued by the Department of Health and Human Services. In order to assess whether HIPAA training is required, Privacy and Security Officers should:

  • Monitor HHS and state publications for advance notice of rule changes. Ideally this should involve subscribing to a news feed or other official communication channel.
  • When new rules or guidelines are issued, conduct a risk assessment to determine how they will affect the organization’s operations and if HIPAA training is required.
  • Liaise with HR and Practice Managers to receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
  • Liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
  • Conduct regular risk assessments to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA violations.
  • Compile a training program that addresses how any changes will affect employees’ compliance with HIPAA – not only the changes themselves.
  • Develop a HIPAA refresher training program that can be conducted at least annually to reinforce the need to comply with HIPAA Rules.

Naturally, in the event of changes in working practices and technology, HIPAA training only needs to be provided to the employees whose roles will be affected by the changes. As mentioned in our “Best Practices” section below, it is also advisable to include at least one member of senior management in the training sessions – even if they are not affected by the new policies or procedures – as it shows the whole organization is taking its HIPAA training requirements seriously.

What Should be Included in a HIPAA Training Course?

Previously, we mentioned that training programs should be designed to suit each individual’s function or role; and, in the summary at the end of the article, we provide a few examples of how the HIPAA training requirements may differ for nursing staff, IT professionals, and medical office staff. However, there are some elements of HIPAA training which are relevant to all functions and roles – if only to provide context for subsequent role-based training.

What we have done below is to divide these elements into two groups – basic and advanced. The basic elements that should be included in a HIPAA training course are suitable as an introduction to HIPAA or can be used as the basis for a refresher course. Those that fall into the advanced training category can be used to further trainees’ knowledge of HIPAA or adapted to provide more role-specific knowledge.

Basic HIPAA Compliance Training

The elements we have categorized as basic HIPAA compliance training cover the foundations of HIPAA, what constitutes a violation of HIPAA, and how these events can be avoided by being a HIPAA-compliant employee.

HIPAA Overview

An overview of HIPAA can help explain what the objectives of HIPAA are, who the Act applies to (i.e., covered entities and business associates), what the Act applies to (i.e., Protected Health Information), and how it is enforced (i.e., by HIPAA-compliant policies and procedures).

HIPAA Definitions

Before proceeding any further, it is a good idea to explain some of the terminology used in HIPAA – particularly Protected Health Information, the Minimum Necessary Standard, and Notices of Privacy Practices – so trainees can better understand the training.

Having introduced HIPAA in the earlier overview, it can also be beneficial to introduce the HITECH Act as this legislation was responsible for incentivizing the use of healthcare IT, the requirement that business associates also comply with HIPAA, and the tighter enforcement of HIPAA.

The Main HIPAA Regulatory Rules

Since the enactment of HIPAA, the Department of Health & Human Services has published five Rules. Although it is unlikely most trainees will require knowledge of the Enforcement Rule or Breach Notification Rule, the content of the main HIPAA regulatory rules may need further explanation.

HIPAA Omnibus Final Rule

Although the significance of the HIPAA Omnibus Final Rule is possibly more relevant to the employees of business associates, this Rule also extended patient rights and increased the penalties for violations of HIPAA, so it is important trainees are aware of this event in the HIPAA timeline.

HIPAA Privacy Rule Basics

The HIPAA Privacy Rule is the cornerstone of all HIPAA legislation, and it is important trainees understand the standards created under the Privacy Rule for the allowable uses and disclosures of PHI. This is a must-have module of any HIPAA Training curriculum.

HIPAA Security Rule Basics

Although covered entities should have technologies in place to control access to ePHI, it is worthwhile providing training on the HIPAA Security Rule basics so trainees better understand that the objective of the Security Rule is to ensure the availability of ePHI when it is needed.

HIPAA Patient Rights

Under HIPAA, patients have the right to control what happens to their PHI. Trainees not only need to know what these rights are, but also how to explain them to patients, family members, and parents of children undergoing treatment.

HIPAA Disclosure Rules

It is important to understand the HIPAA disclosure rules because there are circumstances in which healthcare workers may have to use their professional judgement to determine whether it is allowable to disclose PHI to a family member or other third party.

HIPAA Violation Consequences

Discussing the consequences of a HIPAA violation gives covered entities an opportunity to train staff on the best ways to mitigate the consequences. This opportunity can also be used to encourage staff to report HIPAA violations as soon as they occur rather than try to cover them up.

Preventing HIPAA Violations

A HIPAA training session on preventing violations can be used to alert staff to the most common types of violation and provide best practices on how to prevent those that are within their control. Typically, these include inadvertent verbal disclosures, social media, and misplaced mobile devices.

Being a HIPAA Compliant Employee

Being a HIPAA-compliant employee is not an option – it is a legal requirement. Covered entities should ensure trainees are aware of their responsibilities under HIPAA and also aware of the sanctions for failing to comply with the covered entity’s HIPAA policies and procedures.

Advanced HIPAA Compliance Training

Advanced HIPAA compliance training can give trainees a deeper insight into HIPAA so they have a clearer understanding of how to act in certain real-life circumstances. Ideally, the following modules should be tailored to trainees’ specific roles and responsibilities.

HIPAA Timeline

Providing a timeline of HIPAA can help trainees better understand the objectives of HIPAA and why Rules were introduced when they were. It can also help trainees better understand that HIPAA is constantly evolving to meet new challenges.

Threats to Patient Data

There are four main types of threat to patient data – and only one of them is malicious. Trainees should know what these threats are, know how to prevent the threats they have control over, and how to react appropriately when a threat they do not have control over is identified.

Computer Safety Rules

Covered entities should have safeguards in place to protect computers and the data they maintain. Nonetheless, trainees should be trained on the fundamentals of safe computer use such as not leaving computers and mobile devices unattended when logged into systems containing ePHI.

HIPAA and Social Media

One of the easiest ways to violate HIPAA is to inadvertently share protected health information via social media. To mitigate the risk of this happening, it is advisable for covered entities to dedicate a HIPAA compliance training session to their social media policies.

HIPAA and Emergency Situations

In some emergency situations, the Office for Civil Rights waives certain elements of HIPAA to remove obstacles to the flow of healthcare information. While these waivers differ depending on the nature of the emergency, it can be beneficial to train staff on disclosures of PHI in emergency situations.

HIPAA Officer

It is important for employees to know who their HIPAA Officer is and what the Officer’s roles and responsibilities are. For this reason, it is recommended to have a HIPAA Officer explain what they do to trainees so employees can put a name to a face and ask questions.

HIPAA Compliance Checklist

Although a HIPAA compliance checklist is most often a document used by HIPAA Officers and IT managers to ensure all areas of HIPAA are covered by compliance policies, a checklist can also be used to test employee understanding of the HIPAA Rules as the Rules apply to their roles.

Recent HIPAA Updates

If there has been a HIPAA update since training was last provided, this may qualify as a “material change in policies and procedures” which would require refresher training for employees whose roles or functions are impacted by the material change.

Texas Medical Privacy Act and HB 300

The Texas Medical Privacy Act – and its updates in HB 300 – is one example of when elements of a state law preempt HIPAA. Covered entities operating in jurisdictions in which more stringent privacy regulations than HIPAA exist will need to train employees on state laws as well as HIPAA.

Cybersecurity Dangers for Healthcare Employees

Alerting healthcare employees to cybersecurity dangers is part of the security awareness training required by the Security Rule. Therefore, this HIPAA compliance training session should cover areas such as secure browsing, good password management, and preventing phishing susceptibility.

How to Protect PHI from Cyber Threats

Beyond secure browsing, good password management and preventing phishing susceptibility, there are many other ways to protect PHI from cyber threats. This session should include topics such as multi-factor authentication, access controls, and network monitoring.

HIPAA Compliance Training for Students

The HIPAA Privacy Rule states that HIPAA compliance training should be provided to new employees “within a reasonable period of time of a new employee joining a covered entity’s workforce”; and while there may be justifiable reasons not to provide training before a new employee accesses PHI (for example, they have transferred from another healthcare facility and already have an understanding of HIPAA), that is not the case for healthcare students.

Healthcare students should be provided with HIPAA compliance training before they access PHI so they are aware of PHI disclosure guidelines when they start working with patients or when they use healthcare data to support reports and projects. With this in mind, an appropriate HIPAA compliance training course for healthcare students would consist of the elements listed above, plus further elements relevant to their education.

Electronic Health Record Access by Healthcare Students

During their training, healthcare students may be permitted to access EHRs under supervision. It is important students know what they can and cannot do with patient PHI under HIPAA, and also that it is a violation of HIPAA to use another person’s EHR login credentials to access patient PHI.

PHI & Student Reports and Projects

Students need to be aware that, when writing reports, preparing case studies, or giving presentations, they are unable to use PHI unless the patient has given their informed consent, or unless PHI is de-identified by removing any identifiers that make the health information “protected”.

Being a HIPAA Compliant Student

It is a student’s responsibility to understand the covered entity’s HIPAA policies and procedures and comply with them just as if they were a healthcare professional. They also need to know how to identify a violation of HIPAA and who to report the violation to.

HIPAA Security Awareness Training

The HIPAA Security Rule requires that security awareness training be provided “periodically,” which is widely accepted to mean at least annually. Healthcare employees are targeted by cybercriminals, so it is essential for healthcare employees and students to be aware of the threats they are likely to encounter, be trained how to recognize those HIPAA security threats, and be taught best practices for safeguarding ePHI and how to respond if a threat is encountered.

Consider providing annual HIPAA security awareness training sessions interspersed with shorter refresher training sessions throughout the year. Cybercriminals frequently change their tactics, techniques, and procedures. Employees should be made aware of the latest threats targeting healthcare employees and have training on how to recognize phishing emails and other threats. Not only is security awareness training important for HIPAA compliance, it will also help to prevent costly data breaches and regulatory fines.

Best Practices for HIPAA Compliance Training

With there being no specific HIPAA training requirements, we have put together a short series of best practices HIPAA compliance managers may want to consider when compiling “necessary and appropriate” security awareness training, HIPAA training for employees at onboarding, and HIPAA refresher training programs. Our best practices for HIPAA compliance training are not set in stone and can be selected from at will.

  • Do keep training short and sweet. It is recommended that training sessions last no longer than one hour and are “periodic” refreshers, as suggested by the HIPAA Security Rule. Annual HIPAA refresher training is sufficient to meet the “periodic” requirement.
  • Do include the consequences of a HIPAA breach in the training – not just the financial implications for the CE or BA, but the implications for trainees and their colleagues, and – of course – the person(s) whose PHI has been exposed.
  • Don’t quote long passages of text out of the HIPAA guidebooks or the regulations. Use multimedia presentations to make the training memorable. HIPAA compliance training not only has to be absorbed, it has to be understood and followed in day-to-day life.
  • Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
  • Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was administered, to whom, and how frequently. Employees should sign to confirm they have completed HIPAA awareness training.
  • Do consider providing HIPAA online training for employees. Modular online HIPAA training courses can be completed when employees have spare time, which makes it easier to fit into busy workflows. HIPAA online training courses are especially useful for refresher HIPAA training sessions.
  • Do provide regular security awareness training. This will help to build a security culture in your organization and reduce the risk of data breaches.

Training on State Health Information Privacy Laws

HIPAA is a federal statute that applies to Covered Entities and their Business Associates, but it is not the only legislation covering the privacy and security of healthcare data. HIPAA sets minimum standards for health information privacy and security, but states may implement more stringent requirements. In addition to providing HIPAA training, training must also be provided to comply with state laws. For instance, healthcare organizations in Texas and those serving Texas residents are required to provide training on Texas HB 300 and the requirements of the Texas Medical Records Privacy Act, which go further than the minimum standards of HIPAA.

HIPAA Training Requirements Summary

HIPAA Training Requirements for Employers

In most cases, the HIPAA training requirements for employers only apply to employers that are HIPAA Covered Entities or Business Associates. Qualifying employers must provide HIPAA training to all employees regardless of their role within the organization as per the Administrative Safeguards of the HIPAA Security Rule.

If an employer is not a Covered Entity or Business Associate, but engages in HIPAA-covered transactions (for example, the employer administers a self-insured health plan), HIPAA training only needs to be provided to employees with access to PHI or ePHI. Further information about HIPAA training requirements for employers in these circumstances can be found in this article.

HIPAA Training for Employees

In addition to providing “necessary and appropriate” HIPAA training for employees, it is advisable to provide additional training which gives context to the training each employee receives. For example, when training employees on the HIPAA rules for PHI disclosures, it is recommended to also discuss the consequences of HIPAA violations.

Documenting the training provided to employees is a requirement of HIPAA. However, this has advantages inasmuch as, if material changes to policies or procedures occur and they impact only a specific area of HIPAA compliance, a record exists of who has been trained in that specific area of HIPAA compliance and who now needs refresher training.

HIPAA Refresher Training

In addition to being provided when a material change to policies or procedures occurs, HIPAA refresher training should be provided to staff whenever new threats to patient data are discovered. It is important employees know how to identify the threats and respond to them and delaying training of this nature until an annual refresher training day could result in an avoidable data breach.

As well as covering changes to policies and procedures, HIPAA refresher training also needs to go over old ground periodically in order to remind employees why HIPAA is important and what patients’ rights are – especially as changes to the HIPAA Privacy Rule have recently been proposed that will improve data sharing and interoperability, and prohibit information blocking.

HIPAA Training for Nurses

Although each HIPAA training course should be tailored towards the roles of employees, HIPAA training for nurses should be centered around the disclosure requirements of the Privacy Rule. This is not because of the risk nurses may inadvertently disclose PHI within earshot of third parties, but rather because of the special relationships they develop with patients.

Patients often disclose information to nurses that they may not disclose to their physicians, and nurses need to be aware that, just because a patient has shared information with them, it does not mean the patient has consented for that information to be shared with anybody else. Consequently, nurses need to know how to deal with confidential disclosures in the context of HIPAA.

HIPAA Training for IT Professionals

While it is natural to assume HIPAA training for IT professionals should focus on IT security and protecting networks against unauthorized access, it is also important IT professionals receive training about the challenges experienced by frontline healthcare professionals operating in compliance with HIPAA.

This is so IT professionals design systems and develop procedures that align with healthcare professionals’ needs. If systems and procedures are too complicated or appear irrelevant to individuals’ roles, ways will be found to circumvent the systems – potentially placing ePHI at risk of exposure, loss, or theft.

HIPAA Training for Medical Office Staff

Depending on the size of a medical office and the variety of roles filled by staff, HIPAA training for medical office staff is likely to be more comprehensive than for any other category of healthcare employee. This is because medical office teams can often deal with patients, their families, enquiries from third parties, suppliers, payment processors, and health care plans.

The range of scenarios medical office staff are likely to experience is one of the reasons HIPAA training needs to be memorable, so that it is applied in day-to-day life. With regard to HIPAA training for medical office staff, the more contextual it is the better, as it will help employees better understand the significance of HIPAA and why safeguarding ePHI is so important.

HIPAA Training Requirements for Business Associates

The HIPAA training requirements for Business Associates are often misunderstood because nowhere in the Privacy Rule does it state HIPAA training for Business Associates is mandatory. However, the Administrative Safeguards of the HIPAA Security Rule (45 CFR § 164.308) state:

“A Covered Entity or Business Associate must … implement a security awareness and training program for all members of its workforce (including management).”

While this could be interpreted as a general security awareness and training program rather than a HIPAA security awareness and training program, it makes sense for the training to be HIPAA-related, because if a violation of HIPAA occurs and there is no evidence of HIPAA training having been provided, it will likely result in heavier sanctions for “willful neglect”.

HIPAA Compliance Training for Business Associates

With the above comment in mind, HIPAA compliance training for Business Associates should consist of a basic grounding in HIPAA and then role-specific training depending on the services provided by the Business Associate and its employees. However, it is important Covered Entities conduct thorough due diligence on Business Associates to ensure the training is appropriate.

The issue with HIPAA compliance training for Business Associates is that many Business Associates do not have the resources to appoint a HIPAA Compliance Officer, and the task of ensuring HIPAA compliance is often delegated to an existing employee who may not have the knowledge – or the time – to ensure the right HIPAA training is provided to the right people.

Find Out More about the HIPAA Training Requirements

The consequences of inadequate training can be substantial – not only in financial terms, but also in human terms. Yet many HIPAA breaches can be avoided with adequate HIPAA compliance training. Although the only HIPAA training requirements appear to be that there must be training, you can find out more about what could be included in HIPAA compliance training by reading a comprehensive HIPAA Compliance Guide.

HIPAA Training Requirements FAQ

Who is responsible for organizing HIPAA training?

HIPAA compliance officers should be in charge of organizing HIPAA training for employees – although they don’t necessarily have to conduct the training themselves. If, for example, training involves how to compliantly use a new piece of software, it may be better for a member of the IT team to present the training – although the compliance officer should be in attendance at the presentation.

Should a Privacy Officer provide privacy training and a Security Officer provide security training?

While this would appear to make sense, as each Officer will be a specialist in their own field and better placed to answer questions, it is not necessary to divide training responsibilities. Furthermore, there is a lot of crossover between privacy and security in HIPAA, so both topics will usually be covered in a training session unless the session is about a specific privacy or security topic.

What is an example of a “material change to policies”?

Some hospitals may have to amend policies and procedures to accommodate the change from CMS’ Meaningful Use program to the Promoting Interoperability program. If the policy changes affect the way in which ePHI is managed, personnel involved in managing data for the Promoting Interoperability program should undergo training to avoid there being gaps in their knowledge.

Which senior managers should be involved in HIPAA training?

All of them – although not necessarily all at the same time. While it is important senior managers are aware of the impact HIPAA compliance has on operations, it is more practical to involve (for example) CIOs and CISOs in technology training, and CFOs in training that concerns interactions between healthcare organizations and insurance carriers.

What is the most important element of HIPAA training?

The nature of HIPAA training for healthcare workers should be determined by conducting a risk assessment, so the “most important element” of HIPAA training will vary on a case-by-case basis. However, it is important for personnel to understand why HIPAA is important and why they are undergoing training in a particular aspect of HIPAA compliance.