How Often Do You Need HIPAA Training?

How Often Do You Need HIPAA Training?

Share this article on:

The question of how often do you need HIPAA training does not have a definitive answer because the HIPAA training requirements are deliberately flexible in order to adapt to different types of Covered Entities and Business Associates, and the functions they perform. However, the failure to provide adequate HIPAA training can have serious consequences.

OCR is Cracking Down on Noncompliance!

It can be difficult to fit training into busy workflows; but, if adequate training is not provided, it is possible for Covered Entities and Business Associates to be fined for non-compliance with HIPAA – even if there is no unauthorized use or disclosure of Protected Health Information. This is because HIPAA training is a requirement of both the HIPAA Privacy and Security Rules.

The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance. In 2020, the number of investigations conducted by OCR increased by 18%, nineteen financial penalties were imposed, and 1,357 organizations were required to take corrective action to resolve non-compliance issues following patient complaints, breach investigations, audits, and reviews.

Two of the financial penalties that were imposed included sanctions for training failures, and one saw the penalty amount increased for the failure to provide both HIPAA privacy training and HIPAA security awareness training. The takeaway from these statistics is that the failure to provide adequate HIPAA training has never been more likely to be discovered.

How Often do you Need HIPAA Training?

The requirement for Covered Entities to provide HIPAA training appears in the Administrative Requirements of the Privacy Rule (45 CFR § 164.530). Under the Administrative Requirements, Covered Entities must develop policies and procedures relating to permitted uses and disclosures of Protected Health Information. “All members of [the] workforce” must receive training on the policies and procedures within a reasonable time of joining the Covered Entity´s workforce”.

Thereafter, Covered Entities are required to provide refresher training “to each member of the workforce whose functions are affected by a material change in the policies or procedures”. While this implies that refresher training only has to be provided when a material change impacts an employee´s role, there may be many roles that are not impacted by a material change for many years. This could leave gaps in employees´ knowledge of the HIPAA requirements.

In theory, any gaps in employees´ knowledge should be identified in a HIPAA risk assessment. However, guidance issued by the Dept. of Health and Human Services does not specify the frequency of risk assessments other than stating they should be conducted periodically. For this reason, it is recommended Covered Entities provide refresher HIPAA training sessions in order to avoid penalties for HIPAA violations attributable to a lack of training.

Frequency of Refresher HIPAA Training Sessions

While there is a “reasonable” time frame for providing initial employee training and training following a material change in policies and procedures, there is no guidance about the frequency of refresher HIPAA training sessions because there is no requirement for Covered Entities to provide refresher training. Nonetheless – and not withstanding it can be difficult to fit training into busy workflows – refresher training should be provided for all member of the workforce periodically.

Similar to initial training and “material changes” training, refresher training should consist of content relevant to employees´ roles. In most cases, this will be the basics of permitted uses and disclosures, plus role-specific training for (for example) students, nursing staff, and public-facing employees. While some elements will be covered in mandated security awareness training (below), it does not hurt to reinforce these elements in the context of the HIPAA Privacy Rule.

One further consideration about how often do you need HIPAA training is that training should be on Covered Entities´ policies and procedures – not on the content of the HIPAA Privacy Rule. Therefore, it is not safe to assume initial training can be delayed for (for example) nursing staff that have transferred from another medical facility. Although they may have an understanding on HIPAA from their previous employment, they will not be aware how their new employer enforces HIPPA Rules.

Security Awareness Training for the Workforce

The requirement to provide security awareness training appears in the Administrative Safeguards of the HIPAA Security Rule (45 CFR § 164.308); and, unlike the training requirements of the HIPAA Privacy Rule, these requirements apply to both Covered Entities and Business Associates – including members of the workforce who will not come into contact with Protected Health Information. The Security Rule stipulates that management must also be included in security awareness training.

The reason for including all members of a Covered Entity´s or Business Associate´s workforce is that it makes little difference to cybercriminals whether or not an individual has access to PHI/ePHI. Once they get into an IT network, they can move through exploiting vulnerabilities and weaknesses. Any individual that discloses login credentials or passwords to IT systems could inadvertently let a cybercriminal into the network regardless of their own access to PHI/ePHI.

The Security Rule does not specify the frequency of security awareness training nor what it should consist of. However, both Covered Entities and Business Associates are required to develop and enforce policies and procedures that comply with the physical, technical, and administrative safeguards of HIPAA, so the security awareness training program should include training on these policies plus basic best practices for preventing unauthorized uses and disclosures online.

Conclusion

While neither the text of the Privacy Rule nor the Security Rule directly answers the question how often do you need HIPAA training, there is sufficient information in the regulations for Covered Entities and Business Associates to determine what adequate training consists of. An industry best practice is to provide refresher HIPAA training annually, and security awareness training more frequently (i.e., twice a year) due to the constantly evolving threat landscape.

How Often do you Need HIPAA Training? – FAQs

How would a complaint filed by an individual patient result in a penalty for failing to provide HIPAA training?

When the complaint is investigated, if it is found that the individual responsible for the HIPAA violation had not been trained on how to perform their role in compliance with HIPAA, the Office for Civil Rights can impose a penalty for the failure to comply with the HIPAA training requirements.

Is it really necessary to provide HIPAA refresher training every time new technology is introduced?

It is necessary to provide HIPAA refresher training when new technology is introduced if the new technology creates, stores, transmits, or processes ePHI. In most cases it will be possible to incorporate HIPAA training alongside technology training when employees are shown how to use the new technology.

When a material change occurs, but only affects a small number of the workforce, does every member of the workforce have to undergo refresher training?

In these circumstances, HIPAA training only needs to be provided to those who will be affected by the material change. Covered entities should conduct – and document – a risk assessment to identify who the material change applies to and what sort of training they require to comply with the HIPAA requirements.

It is mentioned above that security awareness training should be conducted twice a year. What about other types of HIPAA refresher training?

Other types of HIPAA refresher training (i.e., Privacy Rule refresher training) can be incorporated into “material change” training, or when a need to refresh employee knowledge is identified. Again, it is important to document why training was considered necessary, what training was provided, and who attended.

How much is the penalty for not complying with the HIPAA training requirements?

The penalty will vary according to the nature of the complaint being investigated and any other failings identified by OCR investigators. In some cases, there does not have to be a complaint made in order for OCR to impose a fine. If a covered entity or business associate is found not to have complied with the HIPAA training requirements during an audit, OCR can still issue a fine.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On