HIPAA Online Training
HIPAA online training is a basic HIPAA awareness training course that can be provided online and used by covered entities and business associates to support in-house training, provide refresher training, and/or fulfil the HIPAA sanction requirements for minor HIPAA violations. An online HIPAA training course can also help workforce members, students, and jobseekers improve their HIPAA knowledge in order to avoid sanctions and improve their employment prospects.
In recent years, there has been a significant growth in the number of companies offering HIPAA online training. Like most products and services available online, it is important to understand what you are subscribing to when undertaking a HIPAA online training course and whether it will fulfil its purpose. This article looks at online HIPAA training from several perspectives to help determine what subscribers should look for in a HIPAA online training course. The HIPAA Journal has a reputation for the highest quality online HIPAA training.
The Issues with the HIPAA Training Requirements
One of the reasons there has been a significant growth in the number of companies offering HIPAA online training is that issues exist with the HIPAA training requirements that can lead to gaps in workforce knowledge, carelessness, and compliance shortcuts being taken “to get the job done”. These issues can be identified by taking a closer look at the training standards as they appear in the HIPAA Privacy Rule and the HIPAA Security Rule.
The HIPAA Privacy Rule Training Standard
The HIPAA Privacy Rule training standard (§164.530(b)) requires covered entities to provide training to all members of the workforce on the policies and procedures they have implemented “with respect to Protected Health Information […] as necessary and appropriate for the members of the workforce to carry out their functions”. The first issue with this standard is that it implies training only has to be provided to workforce members with authorized access to PHI.
When a covered entity is public facing (i.e., a healthcare facility), any member of the workforce could identify a member of the public entering the facility and impermissibly share their news with family and friends or with a wider audience via social media. Consequently, all members of the workforce should receive basic HIPAA training online regardless of their functions and authorized access to PHI to improve their HIPAA awareness. The training should explain:
- What is considered Protected Health Information (PHI) under HIPAA.
- How PHI can be misused by third parties to commit medical identity theft and obtain healthcare for which they are not eligible.
- The consequences of impermissible disclosures of PHI for the victims of medical identity theft (i.e., future misdiagnoses, adverse reactions to medications, etc.).
Other issues with the HIPAA Privacy Rule training standard include that it implies only workforce members required to perform certain functions are trained on the procedures for performing those functions in compliance with HIPAA. For example, only those responsible for responding to patients exercising their HIPAA rights are trained on patients’ HIPAA rights. Other workforce members might receive no training on this important purpose of the HIPAA Privacy Rule.
The HIPAA Security Rule Training Standard
The HIPAA Security Rule training standard (§164.308(a)(5)) requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management)”. However, it is not possible to fulfil this requirement by providing members of the workforce with generic security awareness training. Security awareness training must be provided “in accordance with §164.306”.
164.306 of the HIPAA Security Rule (the “General Rules”) requires covered entities and business associates to ensure the confidentiality, integrity, and availability of electronic PHI, protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rule.
The requirements to protect against reasonably anticipated threats, hazards, and impermissible uses and disclosures of PHI implies that members of the workforce – including those with no access to PHI – should be provided with HIPAA awareness training in order to understand what PHI is, why it needs protecting, why it is highly sought by cybercriminals, and the methods used by cybercriminals to hack into healthcare databases, steal PHI and resell it.
The failure to protect against these threats with the provision of HIPAA awareness training could be considered a violation of §164.308(a)(1) (“Risk analysis and management”) if a data breach is found to be attributable to a lack of knowledge. It could also lead to workforce members failing to understand why systems are configured the way they are, and (for example) trying to circumnavigate access controls or use unsanctioned apps and services to communicate PHI.
How Online HIPAA Awareness Training Helps Overcome These Issues
Online HIPAA awareness training or basic HIPAA training online can help overcome these issues by providing a baseline of HIPAA knowledge for all members of the workforce. HIPAA online training courses most often consist of an overview of the main HIPAA Rules, an explanation of what is considered Protected Health Information (PHI) under HIPAA, and why it is important it is protected. An online HIPAA training course will most often also cover topics such as:
- Patients HIPAA Rights
- Permissible Disclosures of PHI
- The Minimum Necessary Standard
- Why PHI is Sought by Hackers
- Common Threats to PHI
- Common Workforce Errors
- The Consequences of HIPAA Violations
By providing all members of the workforce with a basic knowledge of HIPAA, covered entities and business associates can ensure that all members of the workforce have a baseline understanding of the HIPAA Rules. The provision of HIPAA training online is convenient and can support in–house “policy and procedure” HIPAA training by facilitating a better understanding of policies and procedures – thus facilitating better compliance with policies and procedures.
In addition, the content of a basic HIPAA training course can be used to provide annual HIPAA refresher training – which although not mandated by HIPAA, is recommended as a best practice. The content can also be used in lieu of a verbal warning to fulfil the sanction requirements for minor violations of HIPAA. The application and documentation of workforce sanctions is required by both the HIPAA Privacy Rule and the HIPAA Security Rule training standards. The HIPAA Journal provides HIPAA online training that offers a flexible and accessible way for healthcare organizations to meet their compliance requirements. The training is available entirely online, making it easy for staff to complete at their own pace and from any location. Courses are accredited, include testing and certification to confirm comprehension, and offer Continuing Education Units (CEUs) to support professional development.
HIPAA Online Courses for Workforce Members
While on the subject of sanctions, it is important for workforce members to be aware covered entities are required by the HIPAA Privacy Rule training standard to apply sanctions against members of the workforce “who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the HIPAA Privacy Rule] or [the HIPAA Breach Notification Rule”. This requirement also applies to business associates “where provided”.
What this means for all members of a covered entity’s or business associate’s workforce is that sanctions can be applied for any violation of the HIPAA Privacy Rule or HIPAA Breach Notification Rule – even if the standard that has been violated has not been included in HIPAA training. When sanctions are applied, they will be documented on workforce members’ personnel records. This could potentially impact future professional career prospects.
For this reason, it can be beneficial for all workforce members to take responsibility for their HIPAA knowledge if HIPAA awareness training is not provided. The way for workforce members to take responsibility for their HIPAA knowledge is to subscribe to a HIPAA online course that covers the subjects discussed above. Some courses also award a certificate on completion that can be included in personnel records to enhance future career prospects.
With regards to the HIPAA Security Rule training standard and sanctions, covered entities and business associates are required to apply sanctions for violations of their security policies and procedures. HIPAA online courses cannot cover the content of security policies and procedures, as these have to be based on a risk assessment. However, the courses can help workforce members better understand the terminologies used in the policies and procedures.
HIPAA Online Courses for Students and Jobseekers
Medical students (who do not qualify as members of a covered entity’s workforce ) and jobseekers do not have to worry about the application of sanctions for violations of HIPAA, but can still benefit from subscribing to a HIPAA online course. Medical students in particular need to be aware of the rules for using PHI in reports and presentations, while there are many hundreds of jobs advertised on the Internet for which HIPAA certification is a requirement.
In both cases, it is important HIPAA online courses cover at least the topics discussed above and fulfill the purpose of subscribing to the course. For medical students, the training may also need to include the process for obtaining valid patient authorizations before using PHI in a report or presentation. For jobseekers, the most important consideration may be whether the certificate awarded on completion of the course will be recognized by prospective employers.
Other considerations with regards to online HIPAA training courses may include whether or not the course is accredited by a recognized healthcare training assessor and if any Continuing Education Units (CEUs) awarded on completion of the course are recognized by a licensing or professional body. While these considerations should not deter workforce members, students, and jobseekers from subscribing to basic HIPAA training online to immediately improve their HIPAA knowledge, they may be important considerations for the future.
HIPAA Online Training – 9 Key Points
- HIPAA online training can be used as an introduction to HIPAA that fills gaps in workforce knowledge which could result in impermissible disclosures of PHI and avoidable HIPAA violations.
- HIPAA online training can also be used to support in-house training, provide refresher training, and/or fulfil the HIPAA sanction requirements for minor HIPAA violations by workforce members.
- When HIPAA awareness training is not provided, workforce members can subscribe to an online HIPAA training course in order to mitigate the risk of sanctions due to a lack of knowledge.
- HIPAA online courses can also help workforce members better understand the terminologies used in policies and procedures to facilitate compliance with the policies and procedures.
- Medical students and jobseekers can also benefit from online HIPAA training in order to avoid unauthorized uses of PHI in reports and presentations and enhance employment prospects.
- Request details of the HIPAA online training course content to ensure it covers at least the topics discussed above and fulfils the purpose of subscribing to the HIPAA online course
- If a certificate is awarded on completion of the course, is the certification awarded on passing a test or self-attestation? Some authorities and employers may not recognize self-attestation.
- If a course is accredited by a training organization, ensure the organization is a recognized healthcare training assessor (i.e., the American Health Information Management Association).
- If the training awards Continuing Education Units (CEUs), ensure the CEUs are acceptable to your licensing or professional body before subscribing to the course.
HIPAA Online Training FAQs
Who within an organization is responsible for preparing and conducting HIPAA training?
In most cases, the HIPAA Privacy Officer and HIPAA Security Officer share responsibility for HIPAA training, although this does not mean they will prepare and conduct it. Many organizations outsource some or all of their HIPAA training obligations to specialist compliance agencies or support inhouse training with HIPAA online training.
Does every workforce member have to undergo the same training?
Although every workforce member should undergo the same basic HIPAA training online, it is impractical to provide the same policy and procedure training to all members of the workforce as it will result in some members of the workforce receiving training on topics that are irrelevant to their functions. For example, it would be wasteful for a covered entity to provide the same HIPAA training to a midwife as to a computer systems engineer.
How regularly should risk assessments be conducted to determine HIPAA training requirements?
Risk assessments should be conducted to determine HIPAA training requirements any time there is a change of processes or technology, any time an internal event identifies a need for training, or any time a covered entity or business associate receives a patient privacy complaint or notice of a compliance review from HHS’ Office for Civil Rights.
Do business associates have to conduct as much HIPAA training as covered entities?
Business associates have to conduct as much HIPAA training as applies to the services being provided for or on behalf of a covered entity. In some cases, this may mean business associates have to conduct as much HIPAA training as covered entities. In other cases, business associates may only have to implement a security awareness and training program – although it is recommended that the security awareness and training program is supported by HIPAA awareness training.
How long is HIPAA training certification good for?
The length of time HIPAA training certification is good for varies according to the nature of the training, any terms attached to the training, and changes to the HIPAA Rules which may invalidate the training. When CEUs are awarded on completion of training, some licensing and professional bodies only allow online HIPAA training to contribute to the CEU requirement once every two years.
When certification is awarded on completion of an online HIPAA training course provided by a covered entity or business associate as basic HIPAA training, a copy of the course content and the certificate must be retained by the covered entity or business associate for a minimum of six years, even if the online HIPAA training course is repeated annually and a new certificate awarded each time.
What is the difference between HIPAA awareness training and HIPAA security awareness training?
HIPAA awareness training is designed to train subscribers to the basics of HIPAA, while HIPAA security awareness training consists of policies, procedures, and best practices to protect the confidentiality, integrity, and availability of electronic PHI. HIPAA awareness training should be provided (or taken) at least annually if no other training is provided (i.e., due to a material change in the HIPAA Rules). HIPAA security awareness training is an ongoing program that should be scheduled at least quarterly with monthly security reminders.
Is taking HIPAA training online better than classroom training?
Taking HIPAA training online can be better than classroom training as it most often allows workforce members, students, and jobseekers to complete a HIPAA online course at their own pace. However, classroom training can be better for some individuals if they have questions and would prefer an immediate answer to their questions rather than having to wait for a response to an email or other communication.

