The HIPAA Privacy Rule requires covered entities to train every member of their workforce on the entity's policies and procedures for protected health information (PHI). Without training, individuals would not know that compliance is required or what it entails, and accidental HIPAA violations would be very likely.
To meet the training requirements of the HIPAA Privacy Rule (45 CFR § 164.530(b)(1)), all covered entities must provide training "as necessary and appropriate for the members of the workforce to carry out their functions."
The provisions of the HIPAA Privacy Rule related to HIPAA awareness training give covered entities some flexibility over when training is provided. Ideally, every individual would be trained on the requirements of HIPAA before starting work. In practice that is a major challenge. Training should be provided as soon as possible, and preferably before an employee has any contact with PHI, but the Rule does not set a time frame.
The HIPAA Privacy Rule only states that HIPAA awareness training must be provided to "each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce." "Within a reasonable period of time" is open to interpretation; it should be read as within the first few days where possible, and certainly within the first few weeks. Thereafter, further training is required for each workforce member whose "functions are affected by a material change in the policies or procedures," again within a reasonable period of time after the change takes effect.
Note that "workforce" does not mean only paid employees. HIPAA defines it to include employees, volunteers, trainees and other persons whose conduct in performing work for the entity is under its direct control, whether or not they are paid. Students, interns and volunteers who may encounter PHI must therefore be trained in the same way as employees.
A one-time training session is not sufficient, even if there have been no changes to the HIPAA Rules, best practices, or policies and procedures. Over time, aspects of HIPAA compliance are easily forgotten if regular HIPAA awareness training is not provided. The Privacy Rule does not set a refresher interval; a common benchmark is to provide refresher HIPAA training to the workforce at least every two years, and the better practice is an annual refresher session for every individual.
The HIPAA Privacy Rule does not specify what must be covered in training sessions, but training should be appropriate to the role and responsibilities of each individual. Nor is there a minimum length of training session; this is left to the discretion of the covered entity. That said, if you provided only 5 minutes of HIPAA awareness training, it would be hard to persuade regulators that this was sufficient to cover all aspects of the HIPAA Rules relevant to a role.
The length of training should be sufficient to cover all provisions of the HIPAA Rules that apply to each employee's role. Avoid overly long sessions, since employees struggle to absorb everything and maintain concentration. Individual training sessions of 40 minutes to an hour are ideal.
There are also training requirements in the HIPAA Security Rule (45 CFR § 164.308(a)(5)). Both covered entities and business associates must comply with the Security Rule, and all of them must implement a security awareness and training program for every member of the workforce, including management. As with the Privacy Rule, the content is not prescribed in detail: the Security Rule lists only four addressable implementation specifications (security reminders, protection from malicious software, log-in monitoring, and password management) and otherwise leaves the content to each entity, to be driven by its risk analysis.
Security awareness training should cover the threats to PHI that individuals are likely to encounter, teach cybersecurity best practices and good cyber hygiene, explain password requirements, show how to secure and protect PHI, teach staff to recognize and avoid phishing emails, and set out how to report suspected threats and data breaches.
As with HIPAA awareness training, a one-time session is not sufficient. Regular security awareness training should be provided to the whole workforce, including the C-suite. The best practice is a refresher session at least every six months, with the frequency guided by your risk assessment.
As with every other aspect of HIPAA compliance, you must be able to provide evidence of compliance to regulators. In the event of an audit or complaint investigation, regulators will want proof that HIPAA and security awareness training has been provided to the workforce.
You must therefore create and maintain a training log that records each member of the workforce, what training was given, when it was provided, and by whom. Keep the training log with the rest of your HIPAA documentation; like other required HIPAA documentation, it must be retained for at least six years from the date it was created or last in effect (45 CFR §§ 164.530(j) and 164.316(b)(2)).