How Often Do You Have To Do HIPAA Training?
You have to do HIPAA training when you start working for a HIPAA covered entity, when your role is affected by a material change to the covered entity’s HIPAA policies, when a risk analysis identifies a need for HIPAA training, and when you are required to do HIPAA training as a sanction or as part of a corrective action plan following a HIPAA violation.
You may also have to do HIPAA training when a privacy compliant is filed or when a new technology is implemented. Elements of HIPAA training should be included in a security awareness and training program; and, if you work for a HIPAA business associate, you may have to do all of the above depending on the service(s) being provided by the business associate.
In addition, healthcare organizations can – but are not required to – integrate HIPAA training into other mandatory training. For example, threats to the privacy of Protected Health Information (PHI) could be included in annual OSHA bloodborne pathogen training or annual CMS’ emergency planning training depending on the context in which the training is provided.
How Often Do You Have To Do HIPAA Training?
Many sources discussing the question how often do you have to do HIPAA training tend to focus solely on the HIPAA Privacy Rule training standard and advocate that, if refresher HIPAA training is not triggered by a material change to HIPAA policies or procedures, it is a best practice to provide refresher HIPAA training to all members of the workforce at least annually.
This is an acceptable “catch all” solution to ensure that members of the workforce whose roles are not affected by a material change receive refresher training. However, it overlooks many other events that could trigger HIPAA training, and that some members of the workforce may “do” HIPAA training voluntarily in order to avoid sanctions, renew certifications, and earn CEUs.
The Significance of the Security Standard General Rules
Most events that could trigger HIPAA training are linked to an often-overlooked line in the HIPAA Security Rule’s Administrative Safeguards. The line appears at the beginning of §164.308 and requires covered entities and business associates to comply with all the Administrative Safeguards “in accordance with §164.306” – the Security Standard General Rules.
Among the General Rules’ General Requirements, covered entities and business associates are required by §164.306(a)(3) to “Protect against any reasonably anticipated uses or disclosures of such information [electronic Protected Health Information] that are not permitted or required under subpart E of this part [the HIPAA Privacy Rule].”
What This Means for HIPAA Training Triggers
This means that standards in the Administrative Safeguards relating to risk analyses and management, contingency plan testing and revision, and periodic technical and nontechnical evaluations must consider reasonably anticipated uses and disclosures of Protected Health Information (PHI) that are not permitted by the HIPAA Privacy Rule.
If a risk analysis, contingency plan test, or periodic evaluation identifies a threat to the confidentiality, integrity, or availability of PHI that cannot be resolved by the implementation of technology, it will be necessary to provide HIPAA training to mitigate the threat. It may also be necessary to provide HIPAA training even when the threat can be resolved by technology.
HIPAA Training Elements in Security Awareness Training
With regards to how often do you have to do HIPAA training required by the HIPAA Security Rule, it is important to note that the HIPAA Security Rule training standard requires a training program for all members of the workforce rather than one-off training. This implies security awareness training should be scheduled at least quarterly.
It is also important to note that the HIPAA Security Rule training standard must be complied with “in accordance with §164.306”. This means that generic or off-the-shelf security awareness training is not sufficient to comply with the standard, and that covered entities and business associates must make the training relevant to HIPAA compliance.
Other Events that Could Trigger HIPAA Refresher Training
Other events that could trigger HIPAA refresher training include privacy complaints, workforce sanctions, and corrective action plans. In most cases, HIPAA training triggered by a privacy complaint or workforce sanction may only impact a handful of workforce members. Corrective action plans most often apply to a whole organization.
HHS’ Office for Civil Rights imposes more corrective action plans than many people realize because most are in lieu of a civil monetary penalty and rarely make the headlines. However, in 2022, HHS’ Office for Civil Rights imposed 674 corrective action plans that required whole organizations to retrain all members of the workforce on the HIPAA Rules.
How Often Do Business Associates Do HIPAA Training?
In addition to mandatory HIPAA security awareness training (which should be relevant to HIPAA compliance), business associates are required by §160.102 of the HIPAA Administrative Simplification Regulations to provide HIPAA training on HIPAA Privacy Rule standards that are applicable to the services being provided for or on behalf of a covered entity.
This means that most business associate workforces should receive HIPAA training on topics such as what is considered PHI under HIPAA, why does it need to be protected, and what threats exist to the security of PHI. Practically the only type of business associates to which this would not apply is business associates with “no-view access” to a covered entity’s PHI.
Why Workforce Members “Do” HIPAA Training Voluntarily?
There are circumstances in which, rather than asking how often do you have to do HIPAA training, the question should be how often should you do HIPAA training. The answer to the revised question varies depending on the comprehensiveness of HIPAA training provided by a covered entity or business associate, and certification or CEU requirements.
One of the reasons for wanting to do HIPAA training is the avoidance of workforce sanctions. Covered entities and business associates are required to impose and document sanctions for any violation of the HIPAA Privacy Rule or HIPAA Breach Notification Rule, regardless of whether members of the workforce have been trained on the violated standard.
If, for example, a covered entity has failed to provide training on privacy protections and patients’ rights to request that PHI is withheld from specific people, and a member of the workforce discloses PHI impermissibly due to a lack of knowledge, the member of the workforce could receive a warning that remains on their personnel record indefinitely.
Therefore, it is workforce members’ best interests to do HIPAA awareness training voluntarily in order to avoid sanctions for unintentional HIPAA violations due to a lack of knowledge. When the course awards a certification of completion or Continuing Education Units (CEUs), individuals can use these to advance their careers or meet professional licensing requirements. The HIPAA Journal is the market leader in HIPAA training and providers CEUs for trainees who complete the testing, resulting in certification.
How Often Do You Have To Do HIPAA Training? Summary
- The frequency of required HIPAA training is event specific.
- Many types of events could trigger required HIPAA training.
- Training can be limited to one workforce member or organization wide.
- HIPAA training should be an element of security awareness training.
- It should also be provided to most business associate workforces.
- HIPAA training can be done voluntarily to avoid sanction, renew certifications, and earn CEUs.
Covered entities and business associates with questions about the frequency of HIPAA training, or what must be included in training, should seek independent compliance advice. Workforce members with questions about how often do you have to do HIPAA training should speak with their HIPAA Privacy Officer, while those interested in doing HIPAA training voluntarily should reach out to an accredited HIPAA awareness training provider.
