HIPAA-covered entities and their business associates must ensure that every member of the workforce who encounters protected health information (PHI) in any of its forms receives training. But how often is HIPAA training required, and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training?
What Does HIPAA Say About Employee Training?
Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
The HIPAA Security Rule training standard states:
“Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”
The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to what training courses should cover. This vagueness ensures that the HIPAA text does not have to be constantly updated every time technology changes or there is a new threat, although security reminders, protection from malicious software, log-in monitoring, and password management are all mentioned as addressable implementation specifications in the Security Rule.
How Often is HIPAA Training Required?
How often HIPAA training is required is a common question, as the HIPAA text is a little vague. Employee HIPAA training must be provided when an employee joins the organization. The training should be provided “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” Thereafter, further training is required when “functions are affected by a material change in the policies or procedures”, with the training provided “within a reasonable period of time after the material change becomes effective.”
It is also important to re-train the workforce regularly to reinforce the initial HIPAA training and ensure that no aspect of compliance is forgotten. The frequency of HIPAA training is at the discretion of each covered entity, with HIPAA only saying that retraining should be “periodic.” That should be taken to mean at least every 2 years, although the industry best practice – which should be followed – is to provide refresher HIPAA training to the workforce annually.
The length of HIPAA training courses is not mentioned in the HIPAA text. Training sessions do not need to cover all aspects of the HIPAA Rules; they just need to cover all of the essential elements that allow individuals to work in a HIPAA compliant way. A training session that’s 40 minutes to 1 hour in length would be sufficient, provided all appropriate points are covered.
How Frequently Should Security Awareness Training be Provided in Healthcare?
Periodic security awareness training is also required, in addition to providing security awareness training within a reasonable period of time after a person joins the covered entity’s workforce. In the case of security awareness training, an annual training session is no longer viewed by security professionals as sufficient, considering the extent to which employees are targeted by cybercriminals and the rapidly changing threat landscape.
Here, the best practice is to provide ongoing security awareness training to ensure that employees understand proper cyber hygiene and are kept up to date on the threats they are likely to encounter via the web and email. Training is best provided frequently in small doses to fit in with employee workflows. A biannual training session could be conducted, with frequent security reminders sent such as monthly or quarterly cybersecurity newsletters.
It is important for security awareness training to cover the threats employees are likely to encounter, especially malware and phishing attacks. Employees must be taught how to identify phishing emails as part of their security awareness training given the extent to which healthcare employees are targeted and the sheer number of phishing-related data breaches now being reported.
Document All Employee Training
There have been many enforcement actions by OCR where covered entities and business associates have not been able to provide documentation to prove that they are in compliance with the requirements of the HIPAA Privacy and Security Rules. If documentation cannot be provided to prove that all members of the workforce have been trained, any accidental HIPAA violations by employees are likely to be viewed as training failures.
The HIPAA Privacy Rule only states that “A covered entity must document that the training as described [in the HIPAA Text] has been provided.” You should therefore ensure that you create a training log that includes all employee names and record the date training was provided, the type of training, and the course that was completed.
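One way to make such a training log useful for self-audit, as an added example that is not part of the original article: the script below reads a log with the fields recommended above (employee name, date, training type, course) and flags every workforce member who has no record of a required training type or whose last record is older than the annual refresher interval. The CSV contents, the workforce list, the training type names and the audit date are all constructed for illustration.

```python
"""Audit a HIPAA training log for missing or overdue refresher training."""
import csv
import io
from datetime import date, timedelta

# Constructed sample log; the columns follow the fields the article recommends.
SAMPLE_LOG = """name,date,type,course
Alice Example,2024-03-02,Privacy Rule,New-hire HIPAA Privacy
Alice Example,2025-02-20,Privacy Rule,Annual HIPAA refresher
Bob Example,2023-11-10,Security awareness,Phishing awareness
Carol Example,2025-01-15,Security awareness,Phishing awareness
"""
# Constructed workforce roster: Dan has never been logged, Bob and Carol are partial.
SAMPLE_WORKFORCE = ["Alice Example", "Bob Example", "Carol Example", "Dan Example"]
REQUIRED_TYPES = ("Privacy Rule", "Security awareness")  # assumed type labels
REFRESHER_INTERVAL = timedelta(days=365)  # annual refresher, the article's best practice


def parse_log(text):
    """Return {name: {training type: most recent training date}} from CSV text."""
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        trained_on = date.fromisoformat(row["date"])
        per_type = latest.setdefault(row["name"], {})
        if row["type"] not in per_type or trained_on > per_type[row["type"]]:
            per_type[row["type"]] = trained_on
    return latest


def find_gaps(log_text, workforce, as_of, required_types=REQUIRED_TYPES):
    """List (name, type, reason) for each roster member lacking a current record."""
    latest = parse_log(log_text)
    gaps = []
    for name in workforce:
        for kind in required_types:
            last = latest.get(name, {}).get(kind)
            if last is None:
                gaps.append((name, kind, "no record"))
            elif as_of - last > REFRESHER_INTERVAL:
                gaps.append((name, kind, f"overdue since {last + REFRESHER_INTERVAL}"))
    return gaps


def audit_sample():
    """Run the audit over the constructed data as of a fixed date."""
    return find_gaps(SAMPLE_LOG, SAMPLE_WORKFORCE, date(2025, 6, 1))


if __name__ == "__main__":
    for name, kind, reason in audit_sample():
        print(f"{name}: {kind}: {reason}")
```

Anyone appearing in the output would be a documentation gap in an OCR audit; running the same check against a real log is a matter of replacing the constructed CSV and roster.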
HIPAA Penalties for Inadequate Training
The penalties for training failures can be severe. Any violation of the HIPAA Rules carries a maximum penalty of $1.5 million, with the level of culpability considered when determining an appropriate penalty. OCR has not, at the time of writing, imposed a penalty solely for training failures but there have been enforcement actions where the lack of either Privacy Rule training or security awareness training was a cited HIPAA violation that contributed to the financial penalty.