How Often is HIPAA Training Required?

HIPAA-covered entities and their business associates must ensure that all members of the workforce that encounter protected health information (PHI) in any of its forms need to be provided with training, but how often is HIPAA training required and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training?

What Does HIPAA Say About Employee Training?

Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states:

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The HIPAA Security Rule training standard states:

“Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to what training courses should cover. This vagueness ensures that the HIPAA text does not have to be constantly updated every time technology changes or there is a new threat, although security reminders, protection from malicious software, log-in monitoring, and password management are all mentioned as addressable implementation specifications in the Security Rule.

How Often is HIPAA Training Required?

How often is HIPAA training required is a common question as the HIPAA text is a little vague. Employee HIPAA training must be provided when an employee joins the organization. The training should be provided “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” Thereafter, further training is required when “functions are affected by a material change in  policies or procedures”, with the training provided “within a reasonable period of time after the material change becomes effective.”

It is also important to re-train the workforce regularly to re-enforce the initial HIPAA training and ensure that no aspect of compliance is forgotten. The frequency of HIPAA training is at the discretion of each covered entity, with HIPAA only saying that retraining should be “periodic.” That should be taken to mean at least every 2 years, although the industry best practice – which should be followed – is to provide refresher HIPAA training to the workforce annually.

The length of HIPAA training courses is not mentioned in the HIPAA text. Training sessions do not need to cover all aspects of the HIPAA Rules, they just need to cover the essential elements to allow individuals to work in a HIPAA compliant way. A training session that’s 40 minutes to 1 hour in length would be sufficient, provided all appropriate points are covered.

How Frequently Should Security Awareness Training be Provided in Healthcare?

Periodic security awareness training is also required, in addition to providing security awareness training within a reasonable period of time after a person joins the covered entity’s workforce. In the case of security awareness training, an annual training session is no longer viewed by security professionals as sufficient, considering the extent to which employees are targeted by cybercriminals and the rapidly changing threat landscape.

Here, the best practice is to provide ongoing security awareness training to ensure that employees understand proper cyber hygiene and are kept up to date on the threats they are likely to encounter via the web and email. Training is best provided frequently in small doses to fit in with employee workflows. A biannual training session could be conducted, with frequent security reminders sent such as monthly or quarterly cybersecurity newsletters.

It is important for security awareness training to cover the threats employees are likely to encounter, especially malware and phishing attacks. Employees must be taught how to identify phishing emails as part of their security awareness training given the extent to which healthcare employees are targeted and the sheer number of phishing-related data breaches now being reported.

Document All Employee Training

There have been several enforcement actions by OCR where covered entities and business associates have not been able to provide documentation to prove that they are in compliance with the requirements of the HIPAA Privacy and Security Rules. If documentation cannot be provided to prove that all members of the workforce have been trained, any accidental HIPAA violations by employees are likely to be viewed as training failures.

The HIPAA Privacy Rule only states that “A covered entity must document that the training as described [in the HIPAA Text] has been provided.” You should therefore ensure that you create a training log that includes all employee names and record the date training was provided, the type of training, and the course that was completed.

HIPAA Penalties for Inadequate Training

The penalties for training failures can be severe. Any violation of the HIPAA Rules carries a maximum penalty of $1.5 million, with the level of culpability considered when determining an appropriate penalty. OCR has not, at the time of writing, imposed a penalty solely for training failures but there have been enforcement actions where the lack of either Privacy Rule training or security awareness training was a cited HIPAA violation that contributed to the financial penalty.

How Often is HIPAA Training Required? – FAQs

How much can a covered entity be fined for not providing HIPAA training?

The amount of an OCR fine for not providing HIPAA training depends on a number of factors – for example, the degree of “willful neglect” and the consequences of the willful neglect. Therefore, a minor violation may only result in corrective action being required, whereas a significant data breach attributable to a lack of training will be viewed more seriously.

How does OCR get to hear about HIPAA training violations?

The Office for Civil Rights can find out about HIPAA training violations in a number of ways. The three most common are when investigating a patient complaint, looking into the cause of a data breach, or during a HIPAA audit.

Is it necessary to provide refresher training to the full workforce whenever there is a material change to policies and procedures?

When there is a material change to policies and procedures, only members of the covered entities workforce whose functions are affected by the material change are required to undergo refresher training. However, this may be a good opportunity to involve more of the workforce in order to refresh their HIPAA knowledge.

What about when new technology is introduced? Does HIPAA training have to be provided each time?

If a covered entity or business associate introduces a new technology that creates, stores, transmits, or processes ePHI, then HIPAA training has to be provided – but only to members of the workforce whose functions are affected by the new technology (i.e., those who will use it). If the new technology does not create, store, transmit, or process ePHI, no HIPAA training is required.

It is recommended above to provide security awareness training twice a year. How often should other types of HIPAA training be provided?

Other than as required by HIPAA (new member of the workforce/material change), other types of HIPAA training should be provided periodically as identified by a risk assessment or when it becomes apparent refresher training is required.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.