
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

When Should You Promote HIPAA Awareness?

HIPAA awareness should be promoted whenever possible by integrating HIPAA-related tasks into daily routines and sharing responsibilities for events such as obtaining an acknowledgement of a Notice of Privacy Practices or documenting a patient’s request to withhold disclosures of PHI. However, the most practical time to promote HIPAA awareness is during HIPAA training.

HIPAA training should ideally be provided before any employee is given access to PHI. HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA.

Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices.

The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur.


Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology.

HIPAA Training Cannot be a One-Time Event

The provision of training at the start of an employment contract is essential, but training cannot be a one-time event. It is important to ensure employees do not forget about their responsibilities, so retraining is necessary and a requirement for continued HIPAA compliance.

HIPAA does not specify how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be conducted ‘regularly.’ The industry best practice is for retraining to take place annually.

The HIPAA Privacy Rule Administrative requirements, detailed in 45 CFR § 164.530, require all members of the workforce to receive training on HIPAA Rules and policies and procedures with respect to PHI. Training should be provided, as appropriate, to allow employees to conduct their work duties and functions within the covered entity. One training program therefore does not fit all. HIPAA training for the IT department is likely to be different to training provided to administrative workers. The Privacy Rule requires training to be provided for all new employees “within a reasonable timeframe”.

The HIPAA standard 45 CFR § 164.308(a)(5) covers two types of training – Job-specific training and security awareness training, neither of which can be a one-time event.

While it is important to provide training for HIPAA compliance and security awareness, it is also important to ensure that training has been understood, that it is remembered, and that HIPAA Rules are followed on a day-to-day basis. It is therefore recommended that you promote HIPAA awareness throughout the year.

How to Promote HIPAA Awareness

There is no hard and fast rule for HIPAA retraining and there are many ways that healthcare organizations can promote HIPAA awareness. While formal training sessions can be conducted on an annual basis, the use of newsletters, email bulletins, posters, and quizzes can all help to raise and maintain awareness of HIPAA Rules.

This is especially important for security awareness training. Annual training on HIPAA is a best practice, but it is important to promote HIPAA awareness with respect to security more frequently. It is a best practice to provide security awareness training biannually and issue cybersecurity updates on a monthly basis. Any specific threats to the workforce, such as new phishing threats, should be communicated as necessary. However, care should be taken not to bombard employees with threat information, to avoid employees suffering from alert fatigue.

When is HIPAA Retraining Required?

In addition to annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security violation and after a data breach has been experienced.

While the individuals concerned should be retrained, it is a best practice to treat these incidents as a training opportunity for all staff to ensure similar breaches do not occur in the future. If one employee makes a mistake with HIPAA, it is possible that others have failed to understand HIPAA requirements or are making similar mistakes.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
