HIPAA Privacy Training
HIPAA privacy training is online training designed to support covered entities' and business associates' HIPAA privacy and policy training and security awareness training by filling any gaps in workforce members' HIPAA knowledge. The training helps put mandated training into context and mitigates the risk of HIPAA violations attributable to a lack of understanding or carelessness.
One of the challenges of complying with the HIPAA training requirements is that HHS' Office for Civil Rights provides virtually no guidance on complying with the requirements other than to state: "The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities."
The problem the lack of official guidance creates is that entities regulated by HIPAA often turn to third party sources for guidance, some of whom take the HIPAA training standards out of the context of other applicable HIPAA Regulations. Consequently, the guidance provided by some third party sources is incomplete and can lead to avoidable HIPAA violations due to a lack of knowledge, a lack of understanding, or carelessness.
HIPAA Training Standards Can Be Taken Out of Context
The most common example of how HIPAA training standards can be taken out of context relates to the HIPAA Security Rule training standard (§164.308(a)(5)). Several sources quote the standard verbatim ("Implement a security awareness and training program for all members of its workforce"), omitting the instruction at the beginning of the Administrative Safeguards to implement the standards in §164.308 "in accordance with §164.306".
§164.306 includes the "General Requirements for Security Standards", which require covered entities and business associates to:
(1) Ensure the confidentiality, integrity, and availability of all electronic Protected Health Information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
(4) Ensure compliance with this subpart by its workforce.
Item #3 on the list of General Requirements implies that the security awareness and training program required by §164.308(a)(5) must include an explanation of what electronic Protected Health Information (ePHI) is, why it requires protecting, the types of threats that exist to ePHI, and which disclosures of ePHI are not permitted by the HIPAA Privacy Rule. Workforce members cannot protect against impermissible disclosures they have not been taught to recognize, so, in effect, some HIPAA privacy training must be included in security awareness training.
If the HIPAA Security Rule training standard is taken out of context of the General Requirements, this can result in only generic security awareness training being provided. While some generic security awareness training should be provided as part of a HIPAA security awareness and training program, by itself it is not sufficient to comply with the HIPAA Rules. Many organizations do not realize this and leave gaps in workforce HIPAA awareness as a result.
Other Examples of Unintentional HIPAA Training Failures
There is sometimes a misconception that the HIPAA privacy training standard applies only to HIPAA covered entities because §164.530(b) states: "A covered entity must train all members of its workforce on the policies and procedures with respect to PHI required by this subpart (the HIPAA Privacy Rule) and subpart D of this part (the HIPAA Breach Notification Rule), as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."
However, §160.102(b) of the HIPAA General Administrative Requirements states: "Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate." This means that business associates must comply with any standard, requirement, or implementation specification adopted under the HIPAA Administrative Simplification Regulations that applies to the service being provided by the business associate, including the HIPAA Privacy Rule training standard.
The reason this is relevant to HIPAA privacy training for business associates is that §164.530(c) of the HIPAA Privacy Rule requires covered entities (and business associates "where provided") to reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. This suggests that any member of a business associate's workforce with access to PHI (including oral or visual access) should receive HIPAA privacy training.
The same applies to covered entities under the impression that HIPAA policy and procedure training only needs to be provided to members of the workforce who interact with PHI when carrying out their functions. Any member of a covered entity's workforce (including those who would not normally interact with PHI) could, for example, see a celebrity patient entering a medical facility and share the news via social media in violation of the rules for uses and disclosures of PHI.
The Evidence that Gaps Exist in HIPAA Awareness
There is plenty of evidence to support the argument that issues exist with the provision of HIPAA privacy training. Each year, HHS' Office for Civil Rights submits a report to Congress on HIPAA compliance. In the most recent report, HHS' Office for Civil Rights states that it received 30,435 privacy complaints and 64,592 breach notifications in 2022. Note: these figures do not include privacy complaints made directly to covered entities that were not escalated to HHS.
By reviewing HHS' Enforcement Highlights webpage, it is possible to see that the most common reason for privacy complaints is impermissible uses and disclosures of PHI. As only around one hundred complaints per year are referred to the Department of Justice for criminal investigation, it is reasonable to assume that the majority of the remaining impermissible uses and disclosures are "inadvertent" and attributable to a lack of knowledge, a lack of understanding, or carelessness.
With regard to carelessness, this cause of impermissible uses and disclosures and, in particular, data breaches is confirmed by the web descriptions of archived breach reports accessible via HHS' Breach Portal. A quick review of the web descriptions reveals thousands of cases in which PHI has been mailed or emailed to the wrong recipients, unencrypted devices have been left unattended, or applications have been incorrectly configured.
Many of the cases attributed to "Hacking/IT Incident" also demonstrate a lack of HIPAA awareness. Descriptions of hacking and IT incidents are often phrased to imply that the event occurred solely because of the actions of an external party. However, according to Verizon's 2024 Data Breach Investigations Report, 68% of data breaches involved a non-malicious human element, in many cases a lack of awareness when interacting with phishing emails.
The Real Impact of Privacy Complaints and Data Breaches
Returning to the third party sources that provide guidance on HIPAA training, several claim that failing to comply with the HIPAA training requirements will result in civil monetary penalties being issued by HHS' Office for Civil Rights. However, in the two decades that HHS' Office for Civil Rights has been enforcing HIPAA compliance, only three civil monetary penalties have been issued for HIPAA violations in which a training failure was a factor.
The real impact of privacy complaints and data breaches is that patients lose confidence in their healthcare providers and become less willing to share sensitive information about themselves. This makes it harder for physicians to accurately diagnose health issues and prescribe appropriate courses of treatment, resulting in worse patient outcomes. Patients are also less likely to adhere to treatment programs if they do not trust their healthcare providers.
For the millions of patients whose PHI is exposed in data breaches, there is also the risk of medical identity theft. In a survey conducted in 2013, the Ponemon Institute found that 15% of medical identity theft victims had been misdiagnosed due to the misuse of their health data by an imposter, 14% experienced treatment delays because of inaccuracies in medical records, and 11% had the wrong pharmaceuticals prescribed for the same reason.
For reference, the most common regulatory consequence of a privacy complaint or data breach is a corrective action plan. In 2022, HHS' Office for Civil Rights issued 671 corrective action plans. These not only required organizations to correct the cause of the privacy complaint or data breach; they also required workforce retraining, implying that the HIPAA violations behind the privacy complaints and data breaches might never have occurred had effective training been provided.
How to Resolve the Issues with HIPAA Privacy Training
The best way to fill gaps in HIPAA knowledge, help workforce members better understand HIPAA privacy and policy training, and reduce the number of inadvertent HIPAA violations is for all covered entities and business associates to provide HIPAA privacy training for all members of the workforce. HIPAA privacy training should be provided separately from, and preferably prior to, HIPAA policy and procedure training and security awareness training.
The HIPAA privacy training should cover topics such as why HIPAA exists (specifically the HIPAA Administrative Simplification Regulations), what its purpose is, and how compliance with HIPAA can foster patient trust. Regardless of individuals' access to PHI, the training should explain what is, and what is not, PHI; when PHI can be used or disclosed in compliance with HIPAA; and what rights patients have to request privacy protections or to limit to whom PHI is disclosed.
The provision of HIPAA privacy training helps fulfil the General Requirement that security awareness training be provided in accordance with §164.306. In addition, using HIPAA privacy training to explain the real impact of privacy complaints and data breaches can encourage members of the workforce to be more careful when mailing PHI, leaving devices unattended, configuring software and applications, or interacting with a phishing email.
Unlike HIPAA policy and procedure training and security awareness training, for which there is "no single standardized program that could appropriately train employees of all entities", online HIPAA privacy training is available from multiple vendors. However, to ensure the HIPAA privacy training is suitable for their workforces, covered entities and business associates are advised to select from online HIPAA training courses that are accredited by recognized training assessors.
The Benefits of HIPAA Privacy Training for Workforce Members
One subject not yet discussed is the consequences for workforce members who inadvertently violate HIPAA. Under §164.530(e), covered entities and business associates are required to sanction members of the workforce who fail to comply with the HIPAA policies and procedures implemented by the covered entity or business associate, or who fail to comply with any HIPAA Privacy Rule or Breach Notification standard, even if they are unaware the standard exists.
In most cases, the sanction for minor violations of HIPAA is refresher training on the standard that was violated. However, if an inadvertent HIPAA violation results in a significant security incident, the sanction could be much more severe. It is possible for workforce members to receive verbal or written warnings that could remain on their personnel records indefinitely, or lose their jobs and/or licenses if violations are attributable to gross carelessness or negligence.
Workforce members can reduce the likelihood of sanctions by taking HIPAA privacy training voluntarily if HIPAA privacy training is not provided by their employer. The content of the training should cover the subjects mentioned above to fill gaps in HIPAA knowledge, help them better understand HIPAA policy and procedure training, and add context to security awareness training. Again, it is best to subscribe to an online HIPAA training course accredited by a recognized training assessor.
Further benefits of subscribing to a training course accredited by a recognized training assessor include that the training assessor often awards a certificate of completion that can be used to enhance career prospects, and that the course may award Continuing Education Units (CEUs) that can count towards the workforce member's licensing requirements. However, the biggest benefit of taking HIPAA privacy training is that workforce members can avoid making a mistake that results in someone they care for becoming a victim of medical identity theft.