HIPAA Privacy and Security Training

HIPAA privacy and security training must be designed to ensure that all workforce members with access to PHI are aware of when PHI can be used or disclosed in compliance with HIPAA, and that all workforce members – regardless of their access to PHI – are aware of an organization’s security policies and procedures, and the sanctions for violating them.

Because of the way the HIPAA privacy and security training requirements are distributed throughout Part 164 of the HIPAA Administrative Simplification Regulations, it can sometimes be difficult to understand what is required of covered entities and business associates with regards to HIPAA training. It can also be difficult to understand that workforce members may be responsible for their own HIPAA knowledge.

The failure to fully understand what is required of covered entities, business associates, and workforce members can lead to gaps in HIPAA compliance and avoidable HIPAA violations. HIPAA violations can result in medical identity theft, which not only incurs costs for healthcare providers and insurance companies, but which can also have a life-long impact on the wellbeing of medical identity theft victims.

HIPAA Training for Employees

What are the HIPAA Privacy and Security Training Requirements?

When discussing the HIPAA privacy and security training requirements, it is important to note that electronic PHI protected by the HIPAA Security Rule is a subset of PHI protected by the HIPAA Privacy Rule. Nonetheless, to better clarify what the HIPAA privacy and security training requirements are, and who they apply to, it can be beneficial to separate the Privacy and Security Rules and their training requirements.

The HIPAA Privacy Rule Training Requirements

The HIPAA Privacy Rule training requirements are that “a covered entity must train all members of its workforce on the policies and procedures with respect to protected health information (PHI) required by this subpart [the HIPAA Privacy Rule] and subpart D of this part [the HIPAA Breach Notification Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”. (§164.530(b))

It is important not to take this standard out of context with other relevant standards in §164.530. These require covered entities to “implement policies and procedures” that “safeguard PHI from any intentional or unintentional use or disclosure that is in violation of [the HIPAA Privacy Rule]” and that “mitigate any harmful effect of a use or disclosure of PHI in violation of its policies and procedures or the requirements of [the HIPAA Privacy Rule]”.

These standards imply that a covered entity’s HIPAA Privacy Rule training must extend beyond training members of the workforce on the policies and procedures necessary to “carry out their functions within the covered entity” in compliance with HIPAA. In practice, HIPAA Privacy Rule training must be provided to all members of the workforce who could potentially use or disclose PHI in violation of the HIPAA Privacy Rule.

Examples of workforce members who could potentially use or disclose PHI in violation of the HIPAA Privacy Rule – and who might not be considered as requiring HIPAA Privacy Rule training – include caterers, equipment sanitizers, and other non-public facing personnel, who might recognize a celebrity patient or overhear workplace gossip and share the news with friends and family or to a wider audience via social media.

The Requirements are Not Just for Covered Entities

The HIPAA Privacy Rule applies to business associates “where provided” (§160.102(b)). With regards to the HIPAA Privacy Rule training requirements, “where provided” means that if a business associate provides a service for or on behalf of a covered entity in the course of which members of the workforce have access to PHI, those members of the workforce must receive training on applicable Privacy Rule standards.

If a business associate or a covered entity fails to provide workforce training on applicable Privacy Rule standards, they can be sanctioned by HHS’ Office for Civil Rights for failing to safeguard PHI. However, it is more likely that workforce members will be sanctioned for violations of the Privacy Rule, even if the violations relate to a standard about which they have received no HIPAA Privacy Rule training.

This is because §164.530(e) of the HIPAA Privacy Rule requires covered entities (and business associate where provided) to “apply appropriate sanctions against members of the workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the HIPAA Privacy Rule] or subpart D of this part [the HIPAA Breach Notification Rule]”.

For this reason, many members of covered entity’s workforces take responsibility for their own HIPAA knowledge by subscribing to external HIPAA training courses. While these cannot replace workplace HIPAA training (because each covered entity is required to adopt its own policies and procedures), they can provide workforce members with a better knowledge of HIPAA and a better understanding of workplace HIPAA training.

The HIPAA Security Rule Training Requirements

The HIPAA Security Rule training requirements state covered entities and business associates must “Implement a security awareness and training program for all members of [the] workforce (including management)” (§164.308(a)(5)). However, as with the HIPAA Privacy Rule training requirements, it is important not to take this standard out of context with other relevant standards – in this case §164.306(a) and §164.306(e).

  • 164.306(a) requires covered entities and business associate to ensure the confidentiality, integrity, and availability of electronic PHI, protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rule.
  • 164.306(e) requires covered entities and business associates to review measures implemented to comply with the HIPAA Security Rule and to modify the measures as required to continue ensuring the confidentiality, integrity, and availability of electronic PHI, protecting against reasonably anticipated threats or hazards, and protecting against reasonably anticipated impermissible uses or disclosures.

What these standards mean is that the provision of generic cybersecurity training is not sufficient to meet the requirements of §164.306(a) because generic training fails to account for the nature of cybersecurity threats to electronic PHI and the errors healthcare professionals make because of the working environment. The relevance of the “review” standard will become apparent when discussing the frequency of HIPAA privacy and security training.

Generic Cybersecurity Training vs HIPAA Cybersecurity Training

Generic cybersecurity training consists of topics such as password best practices and phishing simulation testing, and while these are good topics to include in HIPAA cybersecurity training, it is necessary to provide information about why health data is highly sought by cybercriminals and why healthcare professionals make so many cybersecurity errors that disclose PHI impermissibly or expose PHI to unauthorized access.

With regards to the former, health data is highly sought by cybercriminals because it can used (or sold) so that unentitled individuals can obtain medical care and prescription drugs. Unlike stolen financial data, whose misuse can be identified and prevented within minutes, it is much harder to identify when healthcare data is being misused. In some cases it can take years before the misuse of health data is identified and prevented.

The misuse of health data incurs costs for healthcare providers and insurance companies. It can also incur costs for victims of medical identity theft if they are presented with a bill for treatment they have not received. However, the most serious consequence of medical identity theft is that victims’ health data can be corrupted during misuse – potentially resulting in misdiagnoses and adverse reactions to prescribed medications.

Top Error Varieties in Healthcare Data BreachesWith regards to why healthcare professionals make cybersecurity errors, research has attributed many errors in healthcare to tiredness, stress, and burnout. In Verizon’s 2024 Data Breach Investigations Report, more than 70% of investigated healthcare data breaches were attributable to human errors, and it is important HIPAA cybersecurity training reminds workforce members to “take a minute” before sending an email to the wrong recipients or leaving a device with access to ePHI unattended.

The Frequency of HIPAA Privacy and Security Training

The frequency of HIPAA privacy and security training is most often a fact-specific determination. With regards to what HIPAA says about the frequency of HIPAA privacy and security training, HIPAA Privacy Rule training must be provided to members of the workforce when their functions are affected by a material change in policies and procedures, while the requirement for HIPAA Security Rule training states that training must be a “program” rather than a one-off event.

Events that are more likely to affect the frequency of HIPAA privacy and security training include technical and nontechnical evaluations of security policies and procedures (required by §164.308(a)(8)), risk analyses (required by §164.308(a)(1)) and the previously mentioned reviews (required by §164.306(e)). If any of these event identify a human risk to the confidentiality, integrity, or availability of ePHI, it will be necessary to provide refresher HIPAA training.

The frequency of HIPAA privacy and security training can also be affected by sanctions. Sanctions can either imposed on workforce members or groups of workforce members (as required by §164.530(e) of the HIPAA Privacy Rule and §164.308(a)(1) of the HIPAA Security Rule) or they can be imposed on an organization by HHS’ Office for Civil Rights following a data breach as part of a corrective action plan. The latter happens more often than is publicized.

Other factors that can influence the frequency of HIPAA privacy and security training include other mandated training requirements. For example, OSHA’s bloodborne pathogens standard and CMS’ Emergency Planning Rule both have mandatory annual training requirements into which HIPAA privacy and security training can be integrated. However, if none of these events happen, best practices for HIPAA privacy and security training are to provide HIPAA Privacy Rule training at least annually and HIPAA Security Rule training at least quarterly.

Examples of Penalties for HIPAA Training Failures

HHS’ Office for Civil Rights is yet to issue a civil monetary penalty for solely failing to provide HIPAA privacy and security training. However, there are examples of when penalties for HIPAA training failures have been added to penalties for other violations of the HIPAA Rules.

In December 2019, West Georgia Ambulance Inc agreed to pay $65,000 and adopt a corrective action plan following a breach of unsecured PHI affecting 500 individuals. During the investigation into the breach, HHS’ Office for Civil Rights found the organization did not have a security awareness training program

In September 2020, Athens Orthopedic Clinic agreed to pay $1.5 million to resolve alleged violations of HIPAA which included the failure to provide training on the Privacy Rule or on the Clinic’s policies and procedures prior to 2018. As part of a corrective plan, the Clinic was required to retrain its workforce within 30 days.

In October 2023, the NY State Attorney fined Personal Touch Holding Corp. $350,000 for multiple violations of HIPAA and state law. The violations included the failure to implement effective access controls, the failure to monitor system activity, the failure to encrypt PHI, and the failure to provide security awareness training.

In November 2023, St. Joseph’s Medical Center agreed to an $80,000 settlement for disclosing the PHI of three patients to news reporters. Although only a few workforce members were responsible for the impermissible disclosure, all members of the workforce had to undergo HIPAA privacy and security training as part of the settlement.

Why it is Worth Providing HIPAA Privacy and Security Training

Aside from the human cost of medical identity theft, it is worth providing HIPAA privacy and security training to avoid compliance reviews, corrective action plans, and financial penalties. In its most recent report to Congress on HIPAA compliance (2022), HHS’ Office for Civil Rights reported it initiated 676 compliance reviews – 560 of which resulted in corrective action plans and twenty-one of which resulted in resolution settlements or civil monetary penalties.

However, State Attorneys General also have the authority to issue civil monetary penalties and HIPAA compliance is increasingly being used as the standard for reasonable care in class action lawsuits. State civil actions and class action lawsuits can result in much higher financial penalties than those issued by HHS Office for Civil Rights, making it financially viable for covered entities and business associates to invest in HIPAA privacy and security training.

Covered entities and business associates with concerns that the content of their HIPAA privacy and security training programs do not meet the full requirements of HIPAA are advised to seek independent compliance advice. The HIPAA Journal is the leading HIPAA training vendor with comprehensive HIPAA training modules that cover all the required content. Members of covered entity’s and business associate’s workforces with concerns that their HIPAA knowledge is not adequate to prevent avoidable HIPAA violations should investigate external HIPAA awareness training courses that are accredited by a recognized training assessor.