
HIPAA Training Requirements

The HIPAA training requirements are that privacy training must be provided – and repeated as necessary – for those to whom it is appropriate, while all workforce members must participate in a security awareness training program. The HIPAA training requirements are mandatory as they are an Administrative Requirement of the Privacy Rule (45 CFR §164.530) and an Administrative Safeguard of the Security Rule (45 CFR §164.308). However, the standards related to training allow for plenty of gaps in HIPAA knowledge, which could result in avoidable HIPAA violations.


What are the HIPAA Training Requirements?

The first thing to be aware of with respect to the HIPAA training requirements is that only Covered Entities are required to comply with the Privacy Rule training standard. Both Covered Entities and Business Associates are required to comply with the Security Rule training standard – which applies to all members of the workforce regardless of whether they have access to PHI or not.

The Privacy Rule Training Standard

To best explain the Privacy Rule training standard, it is necessary to start with the “Policies and Procedures” standard of the Administrative Requirements. This standard states:

“A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart [the HIPAA Privacy Rule] and subpart D of this part [the Breach Notification Rule]. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance.”


This standard requires Covered Entities to develop and implement policies and procedures for every area of their operations which may involve uses and disclosures of PHI – including how to react to unauthorized uses and disclosures. Thereafter, with the above standard in mind, the “Training” standard of Administrative Requirements states:

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The Issues with the Privacy Rule Standard

The first issue with the Privacy Rule standard is that it could be interpreted as meaning HIPAA training only has to be provided to members of the workforce whose functions involve uses and disclosures of PHI. This implies members of the workforce whose functions do not involve uses and disclosures of PHI would receive no HIPAA training. At this point, let’s look at the definition of “workforce”:

“Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” (45 CFR § 160.103)

In theory, large groups of the workforce (cleaning, maintenance, stores, etc.) could be exposed to PHI – for example, recognizing a celebrity in a healthcare facility – without having been trained in how to react in such circumstances because their functions do not involve uses and disclosures of PHI. If an untrained member of the workforce subsequently published a social media post in which they named the celebrity and their ailment, this would be an avoidable HIPAA violation.

The second issue with the Privacy Rule standard is that it could be interpreted as meaning members of the workforce whose functions involve uses and disclosures of PHI only receive training on the policies and procedures that are directly relevant to their functions. This could result in violations in areas of the Privacy Rule such as patient consent and responding to access requests, if these events fall outside an employee’s regular functions and the employee has received no training on them.

The Security Rule Training Standard

Compared to the Privacy Rule training standard, the Security Rule training standard is straightforward. It states:

“Implement a security awareness and training program for all members of its workforce (including management).”

To guide Covered Entities and Business Associates with what should be included in HIPAA security awareness training, the standard has four addressable implementation specifications:

  1. Periodic security updates.
  2. Procedures for guarding against, detecting, and reporting malware.
  3. Procedures for monitoring login attempts and reporting discrepancies.
  4. Procedures for creating, changing, and safeguarding passwords.

In addition, elsewhere in the Administrative Requirements, Covered Entities and Business Associates are required to “implement policies and procedures to prevent, detect, contain, and correct security violations” and “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the Covered Entity or Business Associate.”

Although the Security Rule training standard is more straightforward, it has more potential issues than the Privacy Rule training standard inasmuch as there are many more opportunities for gaps in HIPAA knowledge and avoidable HIPAA violations. For example, training Business Associate workforces on detecting malware, reporting discrepancies, and safeguarding passwords does not explain why it is a violation of HIPAA to copy and paste PHI databases and email them to yourself.

The lack of HIPAA-specific training guidance is relevant because the General Rules of the Security Rule (45 CFR § 164.306) state Covered Entities and Business Associates must protect against any reasonably anticipated uses or disclosures not permitted under the Privacy Rule. This implies organizations should incorporate Privacy Rule training into HIPAA security awareness training, but it is left to organizations to make this connection themselves. Many don’t.

Organizations that do incorporate Privacy Rule training into HIPAA security awareness training can benefit from delivering Security Rule training in context. But, to combine training in this way, organizations have to develop multiple training courses to accommodate (for example) members of a Covered Entity’s workforce with different functions, and members of a Business Associate’s workforce with no access to PHI who have to undergo security training to “tick the box”.

A final issue with the Security Rule standard is the lack of guidance about the frequency of training. Although the terminology of the standard implies security and awareness training programs should be ongoing, Covered Entities and Business Associates are only required to conduct periodic evaluations to establish the extent to which policies and procedures meet the requirements of the Security Rule. “Periodic” can mean any period of time – during which non-compliant practices can easily develop.

How Often is HIPAA Training Required?

With regards to the question of how often is HIPAA training required, the Privacy Rule is quite clear about when policy and procedure training should be provided. According to the Administrative Requirements, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and also when “functions are affected by a material change in policies or procedures” – again within a reasonable period of time.

As well as providing HIPAA training to new staff as soon as possible, the best practice in the healthcare sector is to provide healthcare staff with annual HIPAA training.

As discussed above, the Security Rule training standard implies that security and awareness training programs should be ongoing. HIPAA training should also be provided whenever there is a change in working practices or technology, whenever a risk assessment identifies a need for further training, or whenever new rules or guidelines are issued by the Department of Health and Human Services (HHS). In order to assess whether HIPAA training is required, Privacy and Security Officers should:

  • Monitor HHS and state publications for advance notice of rule changes. Ideally, this should involve subscribing to a news feed or other official communication channel.
  • When new rules or guidelines are issued, conduct a risk assessment to determine how they will affect the organization’s operations and if HIPAA training is required.
  • Liaise with HR and Practice Managers to receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
  • Liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
  • Conduct regular risk assessments to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA violations.
  • Compile a training program that addresses how any changes will affect employees’ compliance with HIPAA – not only the changes themselves.
  • Develop a HIPAA refresher training program that can be conducted at least annually to reinforce the need to comply with HIPAA Rules.

Naturally, in the event of changes in working practices and technology, HIPAA training only needs to be provided to the employees whose roles will be affected by the changes. As mentioned in our “Best Practices” section below, it is also advisable to include at least one member of senior management in the training sessions – even if they are not affected by the new policies or procedures – as it shows the whole organization is taking its HIPAA training requirements seriously.

A potential issue with the frequency of training is that, if there are no material changes to policies and procedures, working practices, or technology, if no new rules or guidelines are issued by HHS, or if HIPAA security awareness training is only provided “periodically”, it can be a long time between training sessions – during which time members of the workforce may take shortcuts with compliance to “get the job done”.

This is why the best practice in the healthcare sector is to provide healthcare staff with annual HIPAA training.

What Should be Included in a HIPAA Training Course?

Below you will find the recommended modules of an online HIPAA training course divided into two groups – basic and advanced.

The basic elements that should be included in a HIPAA training course are suitable as an introduction to HIPAA or can be used as the basis for a refresher course. Those that fall into the advanced training category can be used to further trainees’ knowledge of HIPAA or adapted to provide more role-specific knowledge.

Basic HIPAA Compliance Training

The elements we have categorized as basic HIPAA compliance training cover the foundations of HIPAA, what constitutes a violation of HIPAA, and how these events can be avoided by being a HIPAA-compliant employee.

HIPAA Overview

An overview of HIPAA can help explain what the objectives of HIPAA are, who the Act applies to (i.e., covered entities and business associates), what the Act applies to (i.e., Protected Health Information), and how it is enforced (i.e., by HIPAA-compliant policies and procedures).

HIPAA Definitions

Before proceeding any further, it is a good idea to explain some of the terminology used in HIPAA – particularly Protected Health Information, the Minimum Necessary Standard, and Notices of Privacy Practices – so trainees can better understand the training.

The HITECH Act

Having introduced HIPAA in the earlier overview, it can also be beneficial to introduce the HITECH Act as this legislation was responsible for incentivizing the use of healthcare IT, the requirement that business associates also comply with HIPAA, and the tighter enforcement of HIPAA.

The Main HIPAA Regulatory Rules

Since the enactment of HIPAA, the Department of Health & Human Services has published five Rules. Although it is unlikely most trainees will require a knowledge of the Enforcement Rule or Breach Notification Rule, the content of the main HIPAA regulatory rules may need further explanation.

HIPAA Omnibus Final Rule

Although the significance of the HIPAA Omnibus Final Rule is possibly more relevant to the employees of business associates, this Rule also extended patient rights and increased the penalties for violations of HIPAA, so it is important trainees are aware of this event in the HIPAA timeline.

HIPAA Privacy Rule Basics

The HIPAA Privacy Rule is the cornerstone of all HIPAA legislation, and it is important trainees understand the standards created under the Privacy Rule for the allowable uses and disclosures of PHI. This is a must-have module of any HIPAA training curriculum.

HIPAA Security Rule Basics

Although covered entities should have technologies in place to control access to ePHI, it is worthwhile providing training on the HIPAA Security Rule basics so trainees better understand the objective of the Security Rule is to ensure the availability of ePHI when it is needed.

HIPAA Patient Rights

Under HIPAA, patients have the right to control what happens to their PHI. Trainees not only need to know what these rights are, but also how to explain them to patients, family members, and parents of children undergoing treatment.

HIPAA Disclosure Rules

It is important to understand the HIPAA disclosure rules because there are circumstances in which healthcare workers may have to use their professional judgment to determine whether it is allowable to disclose PHI to a family member or other third party.

HIPAA Violation Consequences

Discussing the consequences of a HIPAA violation gives organizations an opportunity to train staff on the best ways to mitigate the consequences. This opportunity can also be used to encourage staff to report HIPAA violations as soon as they occur rather than try to cover them up.

Preventing HIPAA Violations

A HIPAA training session on preventing violations can be used to alert staff to the most common types of violations and provide best practices on how to prevent those that are within their control. Typically, these include inadvertent verbal disclosures, social media, and misplaced mobile devices.

Being a HIPAA Compliant Employee

Being a HIPAA-compliant employee is not an option – it is a legal requirement. Organizations should ensure members of their workforces are aware of their responsibilities under HIPAA and also aware of the sanctions for failing to comply with the organization’s HIPAA policies and procedures.

Advanced HIPAA Compliance Training

Advanced HIPAA compliance training can give trainees a deeper insight into HIPAA so they have a clearer understanding of how to act in certain real-life circumstances. Advanced training can also mitigate the risk of shortcuts being taken “to get the job done”.

Threats to Patient Data

There are four main types of threats to patient data – and only one of them is malicious. Trainees should know what these threats are, know how to prevent the threats they have control over, and how to react appropriately when a threat they do not have control over is identified.

Computer Safety Rules

Organizations should have safeguards in place to protect computers and the data they maintain. Nonetheless, trainees should be trained on the fundamentals of safe computer use such as not leaving computers and mobile devices unattended when logged into systems containing ePHI.

HIPAA and Social Media

One of the easiest ways to violate HIPAA is to inadvertently share protected health information via social media. To mitigate the risk of this happening, it is advisable for organizations to dedicate a HIPAA compliance training session to their social media policies.

HIPAA and Emergency Situations

In some emergency situations, the Office for Civil Rights waives certain elements of HIPAA to remove obstacles to the flow of healthcare information. While these waivers differ depending on the nature of the emergency, it can be beneficial to train staff on disclosures of PHI in emergency situations.

HIPAA Officer

It is important for employees to know who their HIPAA Officer is and what the Officer’s roles and responsibilities are. For this reason, it is recommended to have a HIPAA Officer explain what they do to trainees so employees can put a name to a face and ask questions.

HIPAA Compliance Checklist

Although a HIPAA compliance checklist is most often a document used by HIPAA Officers and IT managers to ensure all areas of HIPAA are covered by compliance policies, a checklist can also be used to test employee understanding of the HIPAA Rules as the Rules apply to their roles.

Recent HIPAA Updates

If there have been HIPAA updates since training was last provided, this may qualify as a “material change in policies and procedures” which would require refresher training for employees for whom the material change impacted their roles or functions.


Texas Medical Privacy Act and HB 300

The Texas Medical Privacy Act – and its updates in HB 300 – is one example of when elements of a state law preempt HIPAA. Covered Entities operating in jurisdictions in which more stringent privacy regulations than HIPAA exist will need to train employees on state laws as well as HIPAA.

Cybersecurity Dangers for Healthcare Employees

Alerting healthcare employees to cybersecurity dangers is part of the security awareness training required by the Security Rule. This HIPAA compliance training session should cover areas such as secure browsing, good password management, and preventing phishing susceptibility.

How to Protect PHI from Cyber Threats

Beyond secure browsing, good password management, and preventing phishing susceptibility, there are many other ways to protect PHI from cyber threats. This session should include topics such as multi-factor authentication, access controls, and network monitoring.

HIPAA Compliance Training for Students

The HIPAA Privacy Rule states that HIPAA compliance training should be provided to new employees “within a reasonable period of time of a new employee joining a covered entity’s workforce”; and while there may be justifiable reasons not to provide training before a new employee accesses PHI (for example, they have transferred from another healthcare facility and already have an understanding of HIPAA), that is not the case for healthcare students.

Healthcare students should be provided with HIPAA compliance training before they access PHI so they are aware of PHI disclosure guidelines when they start working with patients or when they use healthcare data to support reports and projects. With this in mind, an appropriate HIPAA compliance training course for healthcare students would consist of the elements listed above, plus further elements relevant to their education.

Electronic Health Record Access by Healthcare Students

During their training, healthcare students may be permitted to access EHRs under supervision. It is important students know what they can and cannot do with patient PHI under HIPAA, and also that it is a violation of HIPAA to use another person’s EHR login credentials to access patient PHI.

PHI & Student Reports and Projects

Students need to be aware that, when writing reports, preparing case studies, or giving presentations, they are unable to use PHI unless the patient has given their informed consent, or unless PHI is de-identified by removing any identifiers that make the health information “protected”.

Being a HIPAA Compliant Student

It is a student’s responsibility to understand the covered entity’s HIPAA policies and procedures and comply with them just as if they were a healthcare professional. They also need to know how to identify a violation of HIPAA and who to report the violation to.

Best Practices for HIPAA Compliance Training

With there being no specific HIPAA training requirements, we have put together a short series of best practices that HIPAA compliance managers may want to consider when compiling “necessary and appropriate” security awareness training, HIPAA training for employees at onboarding, and HIPAA refresher training programs. Our best practices for HIPAA compliance training are not set in stone and can be selected from at will.

  • Do keep training short and sweet. While online modular training courses facilitate short and sweet training, it may be necessary at times to conduct classroom training. In this case, it is recommended training sessions last no longer than one hour.
  • Do include the consequences of a HIPAA breach in the training – not just the financial implications for the organization, but also the implications for trainees and their colleagues, and – of course – the person(s) whose PHI has been exposed.
  • Don’t quote long passages of text from the HIPAA guidebooks or the regulations. Use multimedia presentations to make the training memorable. HIPAA compliance training not only has to be absorbed, but it also has to be understood and followed in day-to-day life.
  • Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
  • Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was conducted, to whom, and how frequently. Trainees should sign attestations to confirm they have received training if progress is not monitored by a learning management system.
  • Do provide regular security awareness training that mixes up HIPAA compliance training and general online security training to cover best practices such as using a password manager, reducing phishing susceptibility, and backing up data. This will help to build a security culture in your organization and reduce the risk of data breaches.

Training on other Federal and State Health Information Privacy Laws

HIPAA is a federal statute that applies to Covered Entities and Business Associates, but it is not the only legislation covering the privacy and security of healthcare data. HIPAA sets minimum standards for health information privacy and security, but there are circumstances in which other federal and state health information privacy laws preempt HIPAA. For example, federal agencies also have to comply with the Privacy Act, while teaching institutions have to comply with FERPA.

States may also implement more stringent privacy requirements that preempt HIPAA. When more stringent requirements exist, in addition to providing HIPAA training, training must also be provided to comply with state laws where the state laws – or areas of the state laws – preempt HIPAA. For instance, organizations in Texas and those serving Texas residents are required to provide training on Texas HB 300 and the requirements of the Texas Medical Records Privacy Act, which go further than the minimum standards of HIPAA.

HIPAA Training Requirements Summary

HIPAA Training Requirements for Employers

In most cases, the HIPAA training requirements for employers only apply to employers that are HIPAA Covered Entities or Business Associates. Qualifying employers must provide HIPAA training to all employees regardless of their role within the organization as per the Administrative Safeguards of the HIPAA Security Rule.

If an employer is not a Covered Entity or a Business Associate but engages in HIPAA-covered transactions (for example, the employer administers a self-insured health plan), HIPAA training only needs to be provided to employees with access to PHI or ePHI. Further information about HIPAA training requirements for employers in these circumstances can be found in this article.

HIPAA Training for Employees

In addition to providing “necessary and appropriate” HIPAA training for employees, it is advisable to provide additional training that gives context to the training each employee receives. For example, when training employees on the HIPAA rules for PHI disclosures, it is recommended to also discuss the consequences of HIPAA violations.

Documenting the training provided to employees is a requirement of HIPAA. However, this has advantages inasmuch as, if material changes to policies or procedures occur and they impact only a specific area of HIPAA compliance, a record exists of who has been trained in that specific area of HIPAA compliance and who now needs refresher training.

HIPAA Refresher Training

In addition to being provided regularly to prevent non-compliant shortcuts from becoming cultural norms, HIPAA refresher training should be provided to staff whenever new threats to patient data are discovered. It is important employees know how to identify the threats and respond to them, and delaying training of this nature until an annual refresher training day could result in an avoidable data breach.

As well as covering changes to policies and procedures, HIPAA refresher training also needs to go over old ground periodically in order to remind employees why HIPAA is important and what patients’ rights are – especially as changes to the HIPAA Privacy Rule have recently been proposed that will improve data sharing and interoperability, and prohibit information blocking.

HIPAA Training for Nurses

Although policy and procedure training should be tailored towards the roles of employees, HIPAA training for nurses should be centered around the disclosure requirements of the Privacy Rule. This is not because of the risk nurses may inadvertently disclose PHI within earshot of third parties, but rather because of the special relationships they develop with patients.

Patients often disclose information to nurses that they may not disclose to their physicians, and nurses need to be aware that, just because a patient has shared information with them, it does not mean the patient has consented for that information to be shared with anybody else. Consequently, nurses need to know how to deal with confidential disclosures in the context of HIPAA.

HIPAA Training for IT Professionals

While it is natural to assume HIPAA training for IT professionals should focus on IT security and protecting networks against unauthorized access, it is also important IT professionals receive training about the challenges experienced by frontline healthcare professionals operating in compliance with HIPAA.

This is so IT professionals design systems and develop procedures that align with healthcare professionals’ needs. If systems and procedures are too complicated or appear irrelevant to individuals’ roles, ways will be found to circumvent the systems – potentially placing ePHI at risk of exposure, loss, or theft.

HIPAA Training for Medical Office Staff

Depending on the size of a medical office and the variety of roles filled by staff, HIPAA training for medical office staff is likely to be more comprehensive than for any other category of healthcare employee. This is because medical office teams can often deal with patients, their families, inquiries from third parties, suppliers, payment processors, and health care plans.

The range of scenarios medical office staff are likely to experience is one of the reasons HIPAA training needs to be memorable so it is applied in day-to-day life. With regards to HIPAA training for medical office staff, the more contextual it is the better, as it will help employees better understand the significance of HIPAA and why safeguarding ePHI is so important.

HIPAA Training for Business Associates

The HIPAA training requirements for Business Associates are often misunderstood because nowhere in the Privacy Rule does it state HIPAA training for Business Associates is mandatory. However, the Administrative Safeguards of the HIPAA Security Rule (45 CFR § 164.308) state:

“A Covered Entity or Business Associate must … implement a security awareness and training program for all members of its workforce (including management).”

While this could be interpreted as a general security awareness and training program rather than HIPAA awareness training for Business Associates, it makes sense for training to be HIPAA-related because if a violation of HIPAA occurs, and there is no evidence of appropriate HIPAA Business Associate training being provided, it will likely result in heavier sanctions for “willful neglect”.

Consequently, while Business Associates must comply with the HIPAA security standards relating to a security and awareness training program, it is advisable to train workforces on whichever elements of the Administrative Requirements, Privacy Rule, and/or Breach Notification Rule are appropriate to individuals’ roles or which are stipulated in a Business Associate Agreement.

HIPAA Compliance Training for Business Associates

With the above comment in mind, HIPAA compliance training for Business Associates should consist of a basic grounding in HIPAA and then role-specific training depending on the services provided by the Business Associate and its employees. However, it is important Covered Entities conduct thorough due diligence on Business Associates to ensure the training is appropriate.

The issue with HIPAA compliance training for Business Associates is that many Business Associates do not have the resources to appoint a HIPAA Compliance Officer and the task of ensuring HIPAA compliance is often delegated to an existing employee who may not have the knowledge – or the time – to ensure the right HIPAA training is provided to the right people.


HIPAA Training Requirements FAQ

What is HIPAA training?

HIPAA training is part of the training new members of a Covered Entity’s workforce receive when they start working for a covered health plan, healthcare clearinghouse, healthcare provider, or pharmacy. The training should include an explanation of terms such as Protected Health Information and why it is necessary to protect the privacy of individually identifiable health information.

Additionally, HIPAA training should consist of security awareness training such as password management and phishing awareness. This element of training should be provided not only to members of a Covered Entity’s workforce, but also to members of a Business Associate’s workforce, regardless of their access to electronic Protected Health Information.

How long is HIPAA training good for?

How long HIPAA training is good for is a difficult question to answer because, although policy and procedure training is (in theory) good until there is a material change in policies and procedures, members of the workforce may be required to undergo HIPAA refresher training due to company policy, a sanction for a non-compliant event, or a Corrective Action Plan imposed by HHS.

As well as policy and procedure training, the Security Rule stipulates that all members of the workforce are required to participate in a security awareness and training program. As the use of the term “program” implies security and awareness training is ongoing, HIPAA training of this nature has no expiry date. It is necessary to continue improving the workforce’s resilience to online threats.

How can you get HIPAA training?

In most cases, you get HIPAA training from your employer when you start working for a business required to comply with the HIPAA Privacy, Security, and/or Breach Notification Rules. However, if you have no previous knowledge of HIPAA, it can be beneficial to invest in an online HIPAA training course to better understand the basics of HIPAA before moving onto policy and procedure training.

When must new employees complete their HIPAA training?

New employees must complete their HIPAA training “within a reasonable period of time” according to the Privacy Rule. However, some states and some organizations have fixed time limits. For example, new employees in Texas must complete their HIPAA training within 90 days, while personnel attached to the Defense Health Agency must complete their training within 30 days.

How often should HIPAA training be completed?

HIPAA training should be completed as often as is necessary to mitigate the risk of a HIPAA violation or data breach. For some members of the workforce, this may mean completing HIPAA training monthly or quarterly, while for other members of the workforce, annual refresher training is often sufficient to maintain a compliant organization.

Is there a difference between HIPAA compliance training and other types of HIPAA training?

Although there is no official difference between HIPAA compliance training and other types of HIPAA training, some organizations refer to policy and procedure training as HIPAA compliance training while any other training relevant to HIPAA (i.e., security and awareness training) is referred to as HIPAA training.

How often do healthcare workers need to have HIPAA training?

Healthcare workers need to have HIPAA training as often as required to perform their roles in compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Many healthcare workers only have HIPAA training when they start working for a new employer and when there is a material change to policies and procedures – and this is often not enough to ensure compliance.

How long must HIPAA security awareness training documents be maintained?

HIPAA security awareness training documents must be maintained for as long as policies or procedures related to the training (including sanctions policies) are in force plus six years. This is because documentation relating to policies and procedures has to be maintained for six years from the date it was last in force and, if training is based around the policies and procedures, the documents relating to the training must also be maintained for the same period of time.

How often does CMS require HIPAA training?

Although the Centers for Medicare and Medicaid Services (CMS) regulates compliance with Part 162 of HIPAA (relating to the operating rules for transactions, code sets, identifiers, etc.), CMS does not require HIPAA training. However, the agency does provide a series of web-based training courses on the Medicare Learning Network which cover a broad range of topics related to Part 162 compliance.

Who is in charge of HIPAA training?

The individual in charge of HIPAA training is the Privacy Officer or the Security Officer, depending on whether the training relates to HIPAA policies and procedures or to security and awareness training. Although in charge of training, neither Officer has to be present during a training session if – for example – a member of the IT team is demonstrating how a software solution works.

HIPAA requires specific training on what?

HIPAA requires specific training on the policies and procedures developed by the organization to protect the privacy of individually identifiable health information. Members of the workforce do not have to receive training on every policy and procedure – just those that are relevant to their roles (although it is also a good idea to provide general HIPAA training to all members of the workforce).

Where do I take HIPAA training for the army?

HIPAA training for the army is required for all Defense Health Agency military, civilian, and contractor personnel within 30 days of onboarding and annually thereafter. HIPAA training and Privacy Act training (also a requirement for Defense Health Agency personnel) are accessible via the Joint Training System on the Joint Chiefs of Staff website.

Are the training requirements under HB 300 any different from the HIPAA training requirements?

The training requirements under HB 300 are different from the HIPAA training requirements inasmuch as new members of a workforce subject to the Texas Medical Records Privacy Act must be trained on policies and procedures within 90 days. The HIPAA training requirements are that new members of the workforce are trained “within a reasonable period of time”, so the difference is that HIPAA does not stipulate a timeframe whereas HB 300 does.

It is worth noting that HIPAA Covered Entities are exempted from complying with the Texas Medical Records Privacy Act, but Business Associates are not. As a result, HB 300 applies to more types of organizations than HIPAA; and, while the training “requirements” do not differ a great deal, the number of organizations required to provide training is much higher.

Can Covered Entities be fined for not providing HIPAA training?

Covered Entities can be fined for not providing HIPAA training if it transpires that a violation investigated by HHS' Office for Civil Rights is attributable to a lack of training. Most often, rather than fine a Covered Entity, HHS' Office for Civil Rights will require the Covered Entity to follow a Corrective Action Plan which includes monitored and documented training.

Is it necessary to have HIPAA refresher training whenever new technology is implemented?

It is necessary to have HIPAA refresher training whenever new technology is implemented if the new technology is being implemented to address a vulnerability or threat to the privacy and security of Protected Health Information. In most cases, the HIPAA element of the training will be incorporated into the technology element of the training to make both elements more understandable.

If a material change to a policy occurs, but it only affects a few people, is it necessary for everyone to undergo refresher training?

If a material change to a policy occurs, but it only affects a few people, it is not necessary for everyone to undergo refresher training unless the material change has a knock-on effect for other members of the workforce. For example, if a Covered Entity changes its policy for responding to PHI access requests, only those who respond to PHI access requests need to undergo refresher training, but public-facing members of the workforce will also need to know the policy has changed.

How much is the fine for failing to comply with the HIPAA training requirements?

The fine for failing to comply with the HIPAA training requirements – if a fine is imposed – varies according to the nature of a subsequent violation attributable to the training failure. Fines for failing to comply with the HIPAA training requirements can also be imposed when no subsequent violation has occurred if the training failure is identified during a compliance audit.

How does HHS' Office for Civil Rights find out about HIPAA training violations?

The HHS Office for Civil Rights can find out about HIPAA training violations in a number of ways. The agency can discover a training violation when investigating a complaint from a patient, when investigating a data breach, when investigating a tip-off from a member of the workforce, or when conducting a compliance audit.

Is it a requirement to provide HIPAA refresher training to the entire workforce when there is a material change to a policy or procedure?

It is not a requirement to provide HIPAA refresher training to the entire workforce when there is a material change to a policy or procedure unless the material change affects the entire workforce. For example, if there is a change to the content of Business Associate Agreements, only those members of the workforce that handle Business Associate Agreements will have to undergo HIPAA refresher training. However, if there is a material change to the organization's HIPAA sanctions policy, all members of the workforce need to be trained on the implications of the change.

Why do all members of the workforce have to have HIPAA security and awareness training?

All members of the workforce have to have HIPAA security and awareness training because it is important that all members of the workforce are aware of cyber risks. Cybercriminals do not necessarily know who has access to PHI stored on a network, so will target every member of the workforce to try to infiltrate the network and move laterally until they find unprotected PHI.

Is there a benefit of HIPAA training packages offered by third-party compliance companies?

There is a benefit of HIPAA training packages offered by third-party compliance companies inasmuch as the packages provide a foundation of HIPAA knowledge. Trainees learn about the basics of HIPAA, why it exists, and what it protects to better prepare them for when they undergo policy and procedure training – which is subsequently more understandable.

For Covered Entities and Business Associates, the benefit of HIPAA training packages offered by third-party compliance companies is three-fold. The packages prepare new members of the workforce for more advanced policy and procedure training, put security and awareness training into context, and can also be used as the basis for periodic refresher training.

Who is responsible for organizing HIPAA training?

HIPAA compliance officers should be responsible for organizing HIPAA training for members of the workforce – although they don’t necessarily have to conduct the training themselves. If, for example, HIPAA security and awareness training involves how to compliantly use a new piece of software, it may be better for a member of the IT team to present the training – although the compliance officer should be in attendance at the presentation.

Should a Privacy Officer provide privacy training and a Security Officer provide security training?

While it would appear to make sense that a Privacy Officer provides privacy training and a Security Officer provides security training – as each Officer should be a specialist in their own field to answer questions – it is not necessary to divide training responsibilities. A lot of crossover exists between privacy and security in HIPAA, so both topics can often be covered together in a training session unless the session is about a specific privacy or security topic.

What is an example of a “material change to policies”?

An example of a material change to policies is when hospitals had to amend policies and procedures to accommodate the change from CMS’ Meaningful Use program to the Promoting Interoperability program. If the policy changes affect the way in which ePHI is managed, the personnel involved in managing data for the Promoting Interoperability program should undergo training to avoid there being gaps in their knowledge.

Which senior managers should be involved in HIPAA training?

All senior managers must be involved in HIPAA training – particularly security and awareness training. Additionally, while it is important all senior managers are aware of the impact HIPAA compliance has on operations, it is more practical to involve (for example) CIOs and CISOs in technology training, and CFOs in training that concerns interactions between healthcare organizations and health insurance companies.

What is the most important element of HIPAA training?

The most important element of HIPAA training should be determined by a risk assessment. Thereafter, the “most important element” of HIPAA training will vary on a case-by-case basis and likely vary according to workforce roles. However, it is important for personnel to understand why HIPAA is important and why they are undergoing training in a particular aspect of HIPAA compliance.

How long does HIPAA training take?

How long HIPAA training takes is subject to the amount of content included in the session, the number of people attending the session, and the volume of questions asked during and after the session. Online training modules generally take around five minutes each, so it would take around two hours to complete an online training course, but probably longer in a classroom environment.

How often do you have to do HIPAA training?

How often you have to do HIPAA training depends on factors such as material changes to policies and procedures, risk assessments, and OCR corrective action plans. In addition to maintaining an ongoing security and awareness training program, it is recommended that Covered Entities and Business Associates provide Privacy Rule refresher training at least annually.

Why is HIPAA training important?

HIPAA training is important because – beyond the legal requirement to provide/undergo HIPAA training – it demonstrates to members of the workforce how Covered Entities and Business Associates protect patient privacy and ensure the confidentiality, integrity, and availability of PHI so members of the workforce can perform their duties without violating HIPAA regulations.

Who needs HIPAA training?

Everybody needs HIPAA training if they are a member of a Covered Entity's or Business Associate's workforce. This not only means employees have to be trained on HIPAA policies, but also volunteers, students, and contractors who may encounter Protected Health Information in visual, verbal, written, or electronic form. It is also a requirement of the Security Rule that all members of the workforce – including senior managers – participate in a security and awareness training program.

When does HIPAA training expire?

HIPAA training does not expire – even though some training organizations issue time-limited certificates of compliance. No training provided in compliance with the Privacy and Security Rules has an expiry date unless changes are made to policies and procedures, a risk analysis identifies a need for further training, or an individual moves from one Covered Entity to another where different policies and procedures apply and the new employer has a legal obligation to provide HIPAA training on the different policies and procedures.

What kind of HIPAA training do I need to provide to new hires for HIPAA and HITECH?

The kind of HIPAA training you need to provide to new hires for HIPAA and HITECH depends on whether your organization is a Covered Entity or Business Associate.

If your organization is a HIPAA Covered Entity, you must train new hires on policies and procedures with respect to Protected Health Information and the Breach Notification Rule, and provide security and awareness training.

If your organization is a Business Associate for a Covered Entity, the training you need to provide for new hires varies according to the service provided to the Covered Entity. Breach Notification training and security and awareness training are mandatory. However, it may be a condition of a Business Associate Agreement that your organization also provides Privacy Rule training to new hires.

Why is documentation of HIPAA training necessary?

The documentation of HIPAA training is necessary for two reasons. First, it demonstrates a Covered Entity or Business Associate is complying with the HIPAA training requirements in the event of an audit, inspection, or investigation. Secondly, it records what training has been received by individuals to determine if additional training is required as a consequence of a risk analysis, a policy change, or a promotion.

What do you learn during HIPAA training?

What you learn during HIPAA training depends on the reason for the training being provided. HIPAA training for new employees will likely focus on the basics of HIPAA, policies and procedures relating to PHI in the workplace, and how to respond to a breach of PHI. Security and awareness training will likely be more focused on best practices for accessing, using, and sharing ePHI online. There may also be occasions when HIPAA training focuses on specific issues identified in a risk assessment or prompted by a patient complaint.

What is a HIPAA training certificate?

A HIPAA training certificate is a third-party accreditation awarded to individuals who pass a HIPAA training course. Often the courses are designed to provide individuals with a basic knowledge of HIPAA so that subsequent training on (for example) policies and procedures or security and awareness is more understandable. HIPAA training certificates can also demonstrate to potential employers that a job candidate has an understanding of the HIPAA rules and regulations.

Who is responsible for training students about HIPAA?

The organization responsible for training students about HIPAA is the Covered Entity they are under the control of when first exposed to Protected Health Information. However, teaching institutions that do not provide medical services to the general public are not considered to be Covered Entities. Because of this, it may be the case a student does not receive any HIPAA training until after they have graduated and start working as an employee for a healthcare organization.

What HIPAA training is required?

What HIPAA training is required depends on the reason for the training. The basic HIPAA training requirements are that Covered Entities train members of the workforce on HIPAA-related policies and procedures relevant to their roles and that both Covered Entities and Business Associates provide a security awareness and training program. These requirements are not sufficient to prevent the most common types of HIPAA violations, and it is recommended all businesses supplement the minimum requirements with frequent refresher training.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
