How Often Do You Need HIPAA Training?


HIPAA training for healthcare employees is mandatory, but many covered entities and business associates are unsure how often employees need HIPAA training and how frequently to conduct security awareness training sessions. So how often do you need HIPAA training to ensure compliance with the HIPAA Rules?

OCR is Cracking Down on Noncompliance!

It can be difficult to fit training into busy workflows, but if training is not provided regularly it is possible for fines to be issued for noncompliance. The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance in recent years, with 19 financial penalties imposed in 2020 to resolve compliance issues.

Two of those financial penalties included penalties for training failures: in one case the penalty amount was increased for the failure to provide HIPAA privacy training to the workforce, and in another for the failure to provide security awareness training. With data breaches now occurring at record rates and OCR having imposed 17 penalties following investigations into complaints filed by individual patients, training failures have never been more likely to be discovered.

How Often Do You Need HIPAA Training?

There is little text in the Health Insurance Portability and Accountability Act covering HIPAA training and the language used could be interpreted in different ways. What is clear is that training on HIPAA must be provided when new employees join the organization and periodically thereafter.

The HIPAA Privacy Rule states that initial training should be provided “within a reasonable period of time after the person joins the covered entity’s workforce,” and training should be appropriate to the role of each individual and the work activities they have to perform.

While there is some flexibility on the time frame for providing the training, you should consider how easy it would be for an employee to unwittingly violate HIPAA if they are not aware of its requirements. Training should therefore be provided as soon as possible – within a few days of commencing employment if possible and certainly in the first few weeks.

Frequency of Refresher HIPAA Training Sessions

The HIPAA Privacy Rule also requires training to be provided when “functions are affected by a material change in the policies or procedures.” That means when policies and procedures change, when new technology is introduced, or when the HIPAA Rules are updated. Again, this training must be provided “within a reasonable period of time” after the changes have been implemented.

Even if there are no updates to policies, procedures, technology, or HIPAA Rules, refresher HIPAA training still needs to be provided periodically. While the frequency of HIPAA refresher training is not explicitly stated, refresher training sessions need to be provided to employees no less frequently than every two years. The industry best practice is to provide refresher HIPAA training annually.

Security Awareness Training for the Workforce

The HIPAA Security Rule calls for covered entities to develop and implement a security awareness and training program for all members of the workforce, including management. This training should also be provided within a reasonable period of time after an employee commences employment and periodically thereafter.

“Periodically” has long been viewed as meaning annual security awareness training; however, the best practice is now to provide security awareness training more frequently. Healthcare employees are targeted by cyber actors, phishing attacks on healthcare employees are incredibly common, and the threat landscape is constantly changing. Providing refresher security awareness training sessions twice a year, as well as sending security reminders, will help to keep security fresh in the minds of employees and will help develop a security culture in your organization, which will reduce the risk of data breaches occurring.

How Often Do You Need HIPAA Training? – FAQs

How would a complaint filed by an individual patient result in a penalty for failing to provide HIPAA training?

When the complaint is investigated, if it is found that the individual responsible for the HIPAA violation had not been trained on how to perform their role in compliance with HIPAA, the Office for Civil Rights can impose a penalty for the failure to comply with the HIPAA training requirements.

Is it really necessary to provide HIPAA refresher training every time new technology is introduced?

It is necessary to provide HIPAA refresher training when new technology is introduced if the new technology creates, stores, transmits, or processes ePHI. In most cases it will be possible to incorporate HIPAA training alongside technology training when employees are shown how to use the new technology.

When a material change occurs, but only affects a small number of the workforce, does every member of the workforce have to undergo refresher training?

In these circumstances, HIPAA training only needs to be provided to those who will be affected by the material change. Covered entities and business associates should conduct – and document – a risk assessment to identify whom the material change applies to and what sort of training they require to comply with the HIPAA requirements.

It is mentioned above that security awareness training should be conducted twice a year. What about other types of HIPAA refresher training?

Other types of HIPAA refresher training (i.e., Privacy Rule refresher training) can be incorporated into “material change” training, or when a need to refresh employee knowledge is identified. Again, it is important to document why training was considered necessary, what training was provided, and who attended.

How much is the penalty for not complying with the HIPAA training requirements?

The penalty will vary according to the nature of the complaint being investigated and any other failings identified by OCR investigators. In some cases, there does not have to be a complaint made in order for OCR to impose a fine. If a covered entity or business associate is found not to have complied with the HIPAA training requirements during an audit, OCR can still issue a fine.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
