HIPAA Awareness Training

The term HIPAA awareness training has multiple interpretations. For some people it can mean HIPAA-mandated Privacy Rule training provided when a new member joins a Covered Entity's workforce. For others, it can mean the security and awareness training program required by the Security Rule.

Other interpretations include the provision of training to mitigate a threat identified in a risk assessment, training provided to members of the workforce as the result of an HHS corrective action plan, or periodic refresher training intended to maintain workforce awareness of HIPAA. HIPAA awareness training can also be a safety net to ensure members of the workforce who might otherwise not receive HIPAA privacy training are familiar with the HIPAA Rules.

Why Some Members of the Workforce Might Not Receive HIPAA Privacy Training

The HIPAA Privacy Rule training standard (45 CFR § 164.530) states that all new members of a Covered Entity's workforce must undergo training on the Covered Entity's “policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”.

This standard can be interpreted to imply that only members of the workforce who would normally use or disclose PHI when they carry out their functions within the Covered Entity need to undergo training on policies and procedures. Indeed, it seems reasonable to exclude those who would not normally interact with PHI from training (e.g., environmental services personnel, maintenance teams, etc.) because they would never have reason to comply with the policies and procedures.

Nonetheless, it is important that members of the workforce who would not normally interact with PHI are aware of the Privacy Rule because there may be occasions when they see or hear health information about a patient. If they subsequently disclose the information without authorization (for example, posting the identity of a celebrity patient on social media), this is a violation of HIPAA for which the Covered Entity will be liable due to the failure to provide HIPAA awareness training.

Isn't This Type of Scenario Identified in a Risk Analysis?

This type of scenario should be identified in a risk analysis but can often be overlooked. This is because the standard relating to risk analyses appears in the Administrative Safeguards of the Security Rule (45 CFR § 164.308) and requires Covered Entities and Business Associates to conduct an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI – not necessarily verbal or visual PHI.

Although the same Administrative Safeguards require Covered Entities and Business Associates to implement a security and awareness training program for all members of the workforce, this can also be interpreted to relate only to electronic PHI. Furthermore, if some members of the workforce have not received HIPAA awareness training on the Privacy Rule, the content of a security and awareness training program may well be lost on them.

The way to overcome this potential issue is to provide all members of the workforce with basic HIPAA awareness training. This will not only help fill any gaps in the provision of training, but can also provide a grounding in HIPAA to those members of the workforce who will subsequently receive training on the Covered Entity's policies and procedures. This not only provides context for the policies and procedures, but will help with retention and compliance.

The Importance of Documenting All HIPAA Training

Under the Administrative Requirements of the Privacy Rule, Covered Entities are required to document initial “policy and procedure” training and any subsequent “material change” training. There are no requirements to document training provided as the result of a risk assessment or as part of a corrective action plan. There are also no requirements to document security and awareness training or HIPAA refresher training.

However, it is important all HIPAA training is documented because – in the event of an investigation into a patient complaint, an HHS audit, or an OCR inspection – organizations have a burden of proof to demonstrate they have taken steps to mitigate the likelihood of foreseeable HIPAA violations. Documented HIPAA training can be used as evidence that Covered Entities and Business Associates have tried to meet their compliance obligations as best they can.