The HIPAA Guide - Celebrating Over 15 Years Online

HIPAA Awareness Training

HIPAA awareness training can mean the provision of policy and procedure training required by the HIPAA Privacy Rule, the provision of security awareness training required by the HIPAA Security Rule, or training on the basics of HIPAA to put role-specific training into context. It is advisable for all members of the workforce to receive some form of HIPAA awareness training to prevent unintentional HIPAA violations attributable to a lack of knowledge.

Why Some Members of the Workforce Might Not Receive HIPAA Privacy Training

The HIPAA Privacy Rule training standard (45 CFR § 164.530) states that all new members of a Covered Entity´s workforce must undergo training on the Covered Entity´s “policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”.

This standard can be interpreted to imply that only members of the workforce who would normally use or disclose PHI when they carry out their functions within the Covered Entity need to undergo training on policies and procedures. Indeed, it seems reasonable to exclude those who would not normally interact with PHI from training (i.e., environment services personnel, maintenance teams, etc.) because they would never have reason to comply with the policies and procedures.

Nonetheless, it is important that members of the workforce who would not normally interact with HIPAA are aware of the Privacy Rule because there may be occasions when they see or hear health information about a patient. If they subsequently disclose the information without authorization (for example, posting the identity of a celebrity patient on social media), this is a violation of HIPAA for which the Covered Entity will be liable due to the failure to provide HIPAA awareness training.

Isn´t This Type of Scenario Identified in a Risk Analysis?

This type of scenario should be identified in a risk analysis but can often be overlooked. This is because the standard relating to risk analyses appears in the Administrative Safeguards of the Security Rule (45 CFR § 164.308) and requires Covered Entities and Business Associates to conduct an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability, of electronic PHI – not necessarily verbal or visual PHI.

Although the same Administrative Safeguards require Covered Entities and Business Associates to implement a security and awareness training program for all members of the workforce, this can also be interpreted to relate only to electronic PHI. Furthermore, if some members of the workforce have not received HIPAA awareness training on the Privacy Rule, the content of a security and awareness training program may well be lost on them.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The way to overcome this potential issue is to provide all members of the workforce with basic HIPAA awareness training. This will not only help fill any gaps in the provision of training, but can also provide a grounding in HIPAA to those members of the workforce who will subsequently receive training on the Covered Entity´s policies and procedures. This not only provides context for the policies and procedures, but will help with retention and compliance.

The Importance of Documenting All HIPAA Training

Under the Administrative Requirements of the Privacy Rule, Covered Entities are required to document initial “policy and procedure” training and any subsequent “material change” training. There are no requirements to document training provided as the result of a risk assessment or as part of a corrective action plan. There are also no requirements to document security and awareness training nor HIPAA refresher training.

However, it is important all HIPAA training is documented because – in the event of an investigation into a patient complaint, an HHS audit, or an OCR inspection – organizations have a burden of proof to demonstrate they have taken steps to mitigate the likelihood of foreseeable HIPAA violations. Documented HIPAA training can be used as evidence that Covered Entities and Business Associates have tried to meet their compliance obligations as best they can.

Copyright © 2007-2024 The HIPAA Guide       Site Map      Privacy Policy       About The HIPAA Guide       Terms and Conditions       Accessibility Statement