The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

How Long Is HIPAA Training Good For?

HIPAA training is usually good for one year. The industry best practice is to provide annual HIPAA training unless something changes in the organization.  HIPAA training is good for as long as a HIPAA risk assessment does not identify a need for further training, for as long as there is not a material change to internal HIPAA policies and procedures, until HIPAA training is required as a sanction for a HIPAA violation, or until HHS’ Office for Civil Rights mandates HIPAA training as part of a corrective action plan.

Annual HIPAA Training Refresher

The HIPAA Privacy Rule Training Requirements

Under the HIPAA Privacy Rule, training is mandated for all workforce members of covered entities and business associates who handle or have access to PHI, ensuring they understand how to maintain the confidentiality and security of this sensitive information. This includes education on the proper use and disclosure of PHI, the rights of individuals under HIPAA, and the entity’s privacy policies and procedures. The HIPAA Journal is the market leader in HIPAA training and has a reputation for providing the best HIPAA training.

The HIPAA Privacy Rule states that “a covered entity must train all members of its workforce on the policies and procedures with respect to protected health information”. The frequency of training is specified “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” and whenever members of the workforce are affected by a material change in privacy policies and procedures.

The HIPAA Security Rule Training Requirements

The HIPAA Security Rule specifically focuses on training regarding electronic PHI (ePHI), emphasizing the importance of securing electronic health records and other digital forms of PHI. It requires that all members of the workforce are trained on the entity’s security policies and procedures, the handling of ePHI, and awareness of potential security threats.

The HIPAA Security Rule states covered entities and business associates must “Implement a security awareness and training program for all members of its workforce (including management).” The inclusion of the word “program” implies security awareness training is an ongoing requirement rather than an annual or periodic requirement.

The Timing of HIPAA Training for New Hires

The HIPAA Privacy Rule requires that HIPAA training is provided to new members of the workforce within a reasonable timeframe after hiring. As some new hires will have no understanding of HIPAA prior to working for a covered entity, it is advisable that all new members of the workforce are provided with basic HIPAA training before having access to PHI or interactions with patients.

The aim of basic HIPAA training is to support policy and procedure training and security awareness training by putting the mandated training into context. This will help new members of the workforce with no previous understanding better absorb – and comply with – the organization’s privacy policies and procedures and security guidelines.

The Frequency of HIPAA Training Thereafter

While it is a best practice to provide HIPAA refresher training annually, it may be necessary to increase the frequency of HIPAA training if a risk assessment identifies a need for further training, if HIPAA training is a sanction for a HIPAA violation, or if HHS’ Office for Civil Rights mandates HIPAA training as part of a corrective action plan.

HIPAA training can be provided to a group or to an individual as considered necessary. Generally, group training is sufficient to meet the HIPAA training requirements. However, if training is applied as a sanction for a violation of a HIPAA policy, it is most often provided to members of the workforce individually – the exception being when a culture of non-compliance has developed due to members of the workforce taking shortcuts “to get the job done”.

HIPAA Violation Penalties for Training Failures

When HIPAA violation penalties are announced by HHS’ Office for Civil Rights, the penalties usually refer to the “headline” violation (i.e., a data breach) rather than the underlying causes of the headline violation (i.e., failure to conduct a thorough risk assessment, failure to provide adequate training, failure to monitor compliance, etc.). However, by reading the resolution agreements, it is possible to identify HIPAA violation penalties for training failures.

  • In 2023, St Joseph’s Medical Center agreed to an $80,000 penalty for disclosing PHI to reporters during the COVID-19 pandemic. As the disclosures were attributable to lack of Privacy Rule knowledge, the workforce had to undergo HIPAA training as part of the corrective action plan.
  • In 2020, it was announced that Athens Orthopedic Clinic had agreed to a $1.5 million settlement to resolve multiple HIPAA violations including that the clinic had not provided Privacy Rule training to any members of the workforce prior to 2018.
  • In 2019, West Georgia Ambulance Inc. agreed to a settlement of $65,000 to resolve violations of HIPAA that included the failure to conduct a risk analysis, implement security policies and procedures, and provide security awareness training.

Documenting HIPAA training helps in proving compliance with federal requirements, reducing the risk of legal issues or fines during audits. Training records are useful for confirming that new hires and staff with access to PHI are properly trained. Training records also allow organizations to track and manage their employees’ training, identifying areas that need further education and ensuring everyone is up to date with current HIPAA rules.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
