What is HIPAA HITECH Training?
HIPAA HITECH training is a term most often used to identify amendments to the HIPAA training requirements attributable to the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH). Although the significance of the term has diminished over the past decade, there are some provisions of the original Act – and subsequent amendments – that have not yet been integrated into HIPAA.
In 2009, Congress passed the HITECH Act as part of the much larger American Recovery and Reinvestment Act. One of the primary objectives of the HITECH Act was to incentivize healthcare providers to adopt Electronic Health Records and – to address concerns about the increased volume of Protected Health Information being stored and transmitted electronically – provisions were included in the HITECH Act to strengthen the HIPAA Privacy and Security Rules.
In addition, the HITECH Act introduced the HIPAA Breach Notification Rule and a tiered penalty structure for violations of HIPAA. The tiered penalty structure was accompanied by a significant increase in the civil monetary penalties that could be imposed by HHS’ Office for Civil Rights, and clarification that individuals who knowingly disclosed Protected Health Information without authorization would be subject to criminal penalties under §1177 of the Social Security Act.
The publication of Interim Final Rules almost immediately meant that the HIPAA Breach Notification Rule and the increases in civil monetary penalties were effective by the end of the year. The changes to the HIPAA Privacy and Security Rules attributable to the HITECH Act were announced as proposed Rules in 2010. In January 2013, the Interim and Proposed Rules were finalized in the HIPAA Omnibus Final Rule, which had an effective date of March 26, 2013.
How HITECH amended the HIPAA Training Requirements
The most noteworthy way in which HITECH amended the HIPAA training requirements was by making business associates directly liable for compliance with the HIPAA Security and Breach Notification Rules, and with applicable standards of the HIPAA Privacy Rule “where provided”. This amendment resulted in business associates having to provide a security awareness and training program for all workforce members, and privacy and policy training where applicable. The HIPAA Journal is the leading HIPAA training vendor and regularly updates its HIPAA training for any changes to HIPAA regulations.
Other HIPAA HITECH training requirements were more subtle. Changes to the HIPAA Privacy Rule included standards that prohibited the sale of PHI without individual authorization, and that limited uses and disclosures of PHI for marketing and fundraising purposes. Other measures were introduced to facilitate disclosures of PHI for research and to schools when proof of immunization was required. These had limited impact on HIPAA HITECH training.
Some changes had a greater impact on the functions of workforce members who were involved in specific activities. For example, those responsible for responding to individuals exercising their HIPAA rights now had to be trained on individuals’ rights to receive electronic copies of PHI and the access rights of decedents to PHI of family members. Patients also now had the right to request information was withheld from a health plan when treatment was paid for privately.
What Should HIPAA HITECH Training Consist Of?
As the amendments to the HIPAA training requirements attributable to HITECH are more than a decade old, the term HIPAA HITECH training is rarely used. Furthermore, rather than develop HIPAA training chronologically (i.e., according to the Rules in 2002, then 2013, and so on), the most effective way to develop HIPAA training is by taking a holistic view of the HIPAA requirements and any other training requirements that can be integrated into them.
For example, CMS’ emergency planning requirements and OSHA’s bloodborne pathogen standards both require new members of the workforce to receive training when they start working for a qualifying healthcare organization and thereafter at least annually. It should be possible to integrate both these training requirements with the HIPAA training requirements and vice versa to provide HIPAA refresher training to all members of the workforce at least annually.
When integrating other training requirements with the HIPAA training requirements, it may also be important not to forget that the security awareness and training program required by the Administrative Safeguards of the HIPAA Security Rule must be provided “in accordance with §164.306 (the HIPAA Security Rule’s General Requirements)”. The General Requirements stipulate that any security awareness training must be based on identified threats to electronic PHI and reasonably anticipated impermissible disclosures of PHI (in any format).
Provisions of HITECH Not Yet Integrated into HIPAA
Although the term HIPAA HITECH training has diminished in significance, there is one important provision that has not yet been integrated into HIPAA – the provision that settlements agreed by HHS’ Office for Civil Right for HIPAA violations should be shared among the victims of data breaches. In April 2022, the likelihood of this provision being enacted increased when HHS’ Office for Civil Rights published a Request for Information (RFI) in the Federal Register.
While this provision – if enacted – would not have an impact on HIPAA HITECH training (because it is not the workforce’s responsibility to share settlements), it might put pressure on HHS’ Office for Civil Rights to conduct more HIPAA compliance investigations and issue more financial penalties This would likely prompt covered entities and business associates to review the content of their existing HIPAA training and amend the content and/or increase the frequency of training if necessary.
The “settlement sharing” RFI published in April 2022 also invited stakeholders to comment on proposals suggested for what should constitute recognized security practices. This request was in response to an amendment to the HITECH Act passed in January 2021 instructing HHS to consider a covered entity’s or business associate’s existing security practices when calculating the amount of a civil monetary penalty, extent of a compliance audit, or length of a corrective action plan.
This amendment may not be enacted due to the publication of a Notice of Proposed Rulemaking (NPRM) in January 2025. The NPRM – if enacted in its current format – would require all covered entities and business associates to adopt more stringent security measures. The measures are designed to align with HHS’ Cybersecurity Performance Goals and will satisfy Congress’ instruction to consider a covered entity’s or business associate’s existing security practices when taking enforcement action.
