What is HIPAA Refresher Training?
HIPAA refresher training is training provided to covered entities’ and business associates’ workforces to refresh their knowledge of the applicable HIPAA Administrative Simplification Regulations. While it is not mandatory to provide HIPAA refresher training, the general nature of the training can help prevent gaps from developing in workforce members’ HIPAA knowledge. Consequently, HIPAA refresher training should be provided at least annually.
The HIPAA training requirements stipulate that covered entities – and business associates “where provided” – must provide training on the policies and procedures implemented to comply with the HIPAA Privacy Rule and HIPAA Breach Notification Rule to each new member of the workforce within a reasonable period of time of the person joining the workforce. In some states, “HIPAA policy and procedure training” must be provided within 90 days.
Thereafter, workforce members must receive further HIPAA training whenever their functions are affected by a material change to HIPAA policies and procedures. “HIPAA material change training” only has to be provided to those members of the workforce whose functions are affected by the material change, but there are a number of scenarios in which it is advisable to inform all members of the workforce that a material change has occurred.
In addition, all members of covered entities’ and business associates’ workforces must participate in a security awareness and training program that complies with the HIPAA Security Rule’s General Requirements (§164.306(a)). As a result, the security awareness and training program must be designed to support HIPAA policy and procedure training in order to protect against reasonably anticipated impermissible disclosures of Protected Health Information.
Beyond the Basic HIPAA Training Requirements
Beyond the basic HIPAA training requirements, there are multiple scenarios in which training on HIPAA standards may be incorporated into other types of training. These include when training mandated by other regulations (e.g., OSHA, CMS, etc.) touches on the privacy and security of Protected Health Information, or when a new technology is introduced and configured in such a way as to protect electronic Protected Health Information from reasonably anticipated threats.
HIPAA training might also be provided in response to a privacy complaint from a patient or plan member, as a sanction against a member of the workforce for violating a HIPAA standard, or as part of a corrective action plan imposed by HHS’ Office for Civil Rights in lieu of a civil monetary penalty. In these scenarios, the content of the HIPAA training will most likely reflect the cause of the complaint, the nature of the violation, or the event that prompted an HHS investigation.
The issue with piecemeal and reactive HIPAA training is that it can be provided and/or taken in isolation from other applicable HIPAA standards, leading to gaps in workforce members’ HIPAA knowledge. For example, when a new technology is introduced, it may be important to include topics such as privacy protections, HIPAA authorizations, and identity verification when providing training on how the technology should be used in compliance with HIPAA.
The provision of periodic HIPAA refresher training overcomes this issue by refreshing workforce members’ general HIPAA knowledge so that the topics covered in piecemeal or reactive HIPAA training can be applied in the context of other applicable HIPAA standards. Refreshing workforce members’ HIPAA knowledge also has the potential benefit of mitigating future HIPAA violations and reducing the need for reactive HIPAA training following a privacy complaint or as a sanction.
What Should HIPAA Refresher Training Consist Of?
So that piecemeal and reactive HIPAA training can be applied in the context of other applicable HIPAA standards, it is advisable for HIPAA refresher training to cover the basics of HIPAA awareness that all workforce members need to be familiar with. Therefore, at a minimum, HIPAA refresher training should consist of policies relating to uses and disclosures of Protected Health Information, the HIPAA minimum necessary standard, and individuals’ HIPAA rights.
Regardless of their functions, all workforce members should be reminded of why HIPAA exists, the main regulatory Rules, and the sanctions for violating any standard of the HIPAA Privacy, Security, or Breach Notification Rules (including standards that have not been covered in HIPAA policy and procedure training, material change training, and security awareness training). All members of the workforce should also be reminded of computer and mobile device security.
HIPAA refresher training also provides an opportunity to inform members of the workforce about material changes that have not directly affected their functions, but which it may be important to be aware of. Recent examples include the addition of attested disclosures to the HIPAA Privacy Rule to better protect reproductive health information and modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2.
Additional HIPAA refresher training can cover topics relevant to individuals’ functions if a risk assessment or evaluation identifies a need for targeted HIPAA training. For this reason, it is advisable to provide HIPAA refresher training in a modular format, so that members of the workforce with limited access to Protected Health Information (e.g., environmental services teams, catering staff, etc.) are not overwhelmed by training unconnected to their functions.
There are several sources of online HIPAA refresher training that offer modular training. When assessing these sources, it is important to consider whether the content of the online HIPAA refresher training aligns with the HIPAA policies and procedures developed by the covered entity, whether the training is accredited by a recognized training assessor, and whether the training awards Continuing Education Units (CEUs) that are recognized by state licensing bodies.