What is a HIPAA Course?
A HIPAA course is a training course that is either provided by an employer to members of the workforce, or that is taken independently by an individual in order to obtain a qualification that demonstrates an understanding of HIPAA. The first type of HIPAA course is most often a regulatory requirement. The second type of HIPAA course is optional, but is recommended for students, jobseekers, and employees in the healthcare industry.
The HIPAA training requirements in §164.530(b) of the HIPAA Privacy Rule require covered entities to provide training on HIPAA policies and procedures to all new members of the workforce when they join the covered entity’s workforce. A HIPAA training course must also be provided for all members of the workforce when their functions are affected by a material change to policies and procedures. Business associates must also comply with these requirements “where provided”.
In addition, covered entities and business associates are required by §164.308(a) of the Security Rule to provide security and awareness training to all members of the workforce regardless of their functions or access to Protected Health Information (PHI). The security and awareness training does not have to be specifically about HIPAA (although it is advisable to deliver the training in the context of HIPAA), but it does have to be ongoing, as the standard requires the implementation of a “training program”.
Covered entities and business associates can – but are not required to – use HIPAA training as a “negative consequence to noncompliance” in a HIPAA Sanctions Policy. In such circumstances, the nature of the training should reflect the nature of noncompliance. Similarly, HHS Office for Civil Rights may require that workforce members undertake a HIPAA course as part of a Technical Assistance Program to support HIPAA compliance, or a Corrective Action Plan following a violation of HIPAA.
What is a Voluntary HIPAA Course?
A voluntary HIPAA course differs from a covered entity’s HIPAA training course inasmuch as a voluntary HIPAA course covers the basics of HIPAA (i.e., permissible uses and disclosures, the minimum necessary standard, patients’ rights, etc.), whereas a covered entity’s HIPAA training course is specific to the policies and procedures implemented by the covered entity to comply with HIPAA. In many cases, a covered entity’s training assumes trainees already have knowledge of the basics of HIPAA.
An individual might take a voluntary HIPAA course because they are a healthcare student, because they are looking for work in the healthcare industry, or because they are already employed in the healthcare industry and need a better understanding of HIPAA. Each of these reasons is expanded on below.
Medical Students
Healthcare regulatory compliance is often included in medical training curricula. However, due to the number of regulations medical students potentially have to be familiar with, and how these may not seem important at the time compared to their primary medical training, voluntary healthcare regulation refresher courses are advisable. As most employers assume medical students have a knowledge of HIPAA, a voluntary HIPAA course is one of the best voluntary refresher courses to take.
Jobseekers
An increasing number of employers in the healthcare and affiliate industries advertise job vacancies that require candidates to have a HIPAA certification (Indeed.com lists several hundred). A voluntary HIPAA course with certification does not usually cost more than $30 and can usually be completed online within a few hours – giving jobseekers a better chance of being accepted for interview, demonstrating their knowledge to an employer, and potentially securing a more rewarding job.
Existing Employees
The sanctions standard in the HIPAA Privacy Rule (§164.530(e)(1)) requires covered entities to apply sanctions against members of the workforce who fail to comply with their policies and procedures and the requirements of the Privacy and Breach Notification Rules (“this subpart or subpart D of this part”). This means that employers can – in theory – sanction employees for violations of HIPAA even if the standards that have been violated have not been covered in HIPAA training.
Final Thoughts on HIPAA Training Courses
HIPAA training courses can have several different purposes. They can enable covered entities and business associates to comply with regulatory requirements, be applied as a negative consequence to noncompliance, or be used to support/improve HIPAA compliance in a healthcare or health insurance organization. They can also be taken voluntarily by medical students and jobseekers to improve their prospects of employment, or by existing employees to avoid being sanctioned for a violation they may not know they were committing.
Organizations and individuals who would like to know more about HIPAA training courses are advised to discuss their requirements with an accredited HIPAA compliance training provider.
