Is HIPAA Training Required Annually?

The frequency of HIPAA training sessions needed to comply with the HIPAA Privacy Rule is a source of confusion, with many healthcare providers interpreting the HIPAA text to mean HIPAA training is required annually, even though annual training sessions are not explicitly stated as a requirement anywhere in the HIPAA text. Similarly, the frequency of security awareness training is not stated, other than HIPAA requiring ‘periodic’ retraining.

To help you get your HIPAA training right, we have listed below some best practices that will help ensure you do not fall afoul of regulators and attract a fine for noncompliance.

Is HIPAA Training Required Annually?

The HIPAA text does not set a deadline for providing training; it incorporates flexibility to make it easier for healthcare organizations to fit training into busy workflows. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and that training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

In addition to initial training, a covered entity must provide training when “functions are affected by a material change in the policies or procedures.” That means further training is required when updates are made to the HIPAA Rules, such as following the introduction of the HIPAA Omnibus Rule in 2013. Training must also be provided when internal policies and procedures change, or when new technology is introduced that ‘touches’ ePHI.

Periodic refresher HIPAA training sessions are also required to remind employees of the requirements of HIPAA and the importance of compliance. By providing regular refresher training sessions, the risk of accidental HIPAA violations will be reduced. These training sessions must be provided periodically, which means no less frequently than every two years, although the industry best practice is to provide refresher training sessions annually. Providing annual training sessions will help you to avoid financial penalties in the event of a compliance investigation.

Should I Conduct Annual Security Awareness Training?

Security awareness training is a requirement of the HIPAA Security Rule, which has the following provision: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

The purpose of security awareness training is to raise awareness of threats to protected health information and to the systems and devices through which PHI could be accessed. By teaching employees about these threats and helping them develop the skills they need to identify and avoid them, the risk of data and privacy breaches can be significantly reduced. As with HIPAA training, security awareness training needs to be provided to new hires and periodically thereafter.

The frequency of security awareness training should reflect the level of risk. It was once acceptable to provide this training annually, but the level of risk has increased sharply in recent years and cyber actors are actively targeting healthcare employees. New threats are constantly emerging so training should be provided more frequently than once a year. A short training session every 6 months is better for improving awareness than a long training session once a year.

How Long Should Training Courses Be?

HIPAA does not state how long training courses should be, but you must make sure the training is sufficiently comprehensive to teach employees about all appropriate requirements of the HIPAA Privacy and Security Rules and cybersecurity best practices. Try to keep each training session to between 40 minutes and an hour. Any longer and attention starts to wander. You should be able to cover HIPAA and Security Awareness in two training sessions of that length.

If you develop a modular training course, or use a third-party online training course, the modules can easily be completed when employees have a few spare minutes. Modular training courses are much more practical and can easily be fitted into the busiest of workflows.

Keeping Records of Training Sessions

Remember that providing training is important, but so is proving that training has been provided. HIPAA requires all training to be documented. The HHS’ Office for Civil Rights and state attorneys general will want to see records of training when investigating complaints and data breaches and conducting HIPAA audits.

Your training log should list all employees and clearly show the date(s) training was provided, the type of course completed, and the content of the training sessions. This log should be kept with your HIPAA documentation along with a copy of any training material.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.