HIPAA training for healthcare employees is mandatory, but many covered entities and business associates are unsure how often employees need HIPAA training and how frequently to run security awareness training sessions. So how often do you need HIPAA training to stay compliant with the HIPAA Rules?
OCR is Cracking Down on Noncompliance!
It can be difficult to fit training into busy workflows, but if training is not provided regularly, financial penalties can be issued for noncompliance. The HHS' Office for Civil Rights (OCR) has stepped up enforcement of HIPAA compliance in recent years, imposing 19 financial penalties in 2020 to resolve compliance issues.
Two of those penalties included training failures: in one case the penalty amount was increased because HIPAA privacy training had not been provided to the workforce, and in another because security awareness training had not been provided. With data breaches occurring at record rates, and with OCR having imposed 17 penalties following investigations into complaints filed by individual patients, training failures have never been more likely to be discovered.
How Often do you Need HIPAA Training?
The HIPAA Rules contain little text on training, and the language used can be interpreted in different ways. What is clear is that HIPAA training must be provided when new employees join the organization and periodically thereafter.
The HIPAA Privacy Rule (45 CFR §164.530(b)) states that initial training must be provided "within a reasonable period of time after the person joins the covered entity's workforce," and that the training must be appropriate to the role of each individual and the work activities they perform. The Privacy Rule also requires the covered entity to document that the training was provided, so keep a dated record of who completed which training.
While there is some flexibility in the time frame, consider how easily an employee could unwittingly violate HIPAA without knowing its requirements. Training should therefore be provided as soon as possible: within a few days of starting employment if possible, and certainly within the first few weeks. Until an employee has been trained, limit their access to protected health information to what the role strictly requires.
Frequency of Refresher HIPAA Training Sessions
The HIPAA Privacy Rule also requires training for each workforce member whose "functions are affected by a material change in the policies or procedures." In practice that means whenever policies and procedures change, which is commonly driven by the introduction of new technology or by updates to the HIPAA Rules. Again, this training must be provided "within a reasonable period of time" after the change takes effect, and only the affected roles need to be retrained on it.
Even if there are no updates to policies, procedures, technology, or the HIPAA Rules, refresher HIPAA training still needs to be provided periodically. The HIPAA Rules do not state a frequency for refresher training. A widely adopted reading is that refresher sessions should be provided no less frequently than every two years, and the industry best practice is to provide refresher HIPAA training annually. Whatever interval you choose, write it into your training policy and track completion against it, since an auditor will compare your records against your own stated schedule.
Security Awareness Training for the Workforce
The HIPAA Security Rule (45 CFR §164.308(a)(5)) requires covered entities and business associates to implement a security awareness and training program for all members of the workforce, including management. The Security Rule does not set a timetable for this training, but it should likewise be provided within a reasonable period of time after an employee starts work and periodically thereafter; the Rule's addressable implementation specifications include periodic security reminders, protection from malicious software, log-in monitoring, and password management.
"Periodically" has long been read as annual security awareness training; however, the best practice is now to train more often. Healthcare employees are targeted by cyber actors, phishing attacks on healthcare employees are common, and the threat landscape is constantly changing. Providing refresher security awareness training twice a year, supplemented by regular security reminders (for example, short alerts about phishing campaigns currently targeting the sector), keeps security fresh in employees' minds and helps develop a security culture in your organization, which in turn reduces the risk of data breaches.