HIPAA Training

The organization of HIPAA training is the responsibility of the HIPAA Privacy and Security Officers; although it should be a collaborative effort that involves nursing managers, HR, and IT - especially when a new policy, process, or technology is implemented. It may also be appropriate to use third party consultants to conduct training when new HIPAA guidance is issued by HHS.

HIPAA training should be relevant to each staff member´s role; and while there are areas of the Privacy, Security, and Breach Notification Rules that should be included in all HIPAA training courses, training should be designed so each staff member can fulfil their role in compliance with HIPAA.

Each time there is a change of policy, process, or technology, a risk assessment should be carried out to determine the impact the new policy, process, or technology will have on HIPAA compliance. CEs and BAs should then analyze the results of the risk assessment (and document the analysis) in order to determine if any additional training is necessary.

BAs have the same HIPAA training obligations as CEs to make sure their workforce is capable of performing duties in a HIPAA-compliant manner, and therefore the frequency of HIPAA training should be “as necessary”. However, while the training obligations remain the same, it is likely a BA will have a less diverse workforce than a CE, and managing the training requirements should be simpler.

All HIPAA-related documentation has to be retained for six years from the date it was last used. Therefore, all risk assessments and analyses must be retained for six years, as must the content of training courses and documentation relating to who attended the courses and when. For example, if as CE developed a training course in 2015, and refreshed it 2019, the content of the original training course has to be retained until 2025.

In theory, HIPAA training is never completed. This is because whenever new regulations, policies, working practices, or technologies are introduced, members of the workforce will require refresher training to ensure the new regulations, policies, working practices, or technologies are applied in compliance with HIPAA. Furthermore, security and awareness training should be ongoing.

HIPAA training should be done on a regular basis to prevent poor compliance practices developing into a cultural norm. Unfortunately, many Covered Entities do not have the resources to provide HIPAA training on a regular basis, which is why it can be beneficial to take advantage of online refresher training courses to mitigate the risk of a HIPAA violation.

HIPAA training is necessary so that members of the workforce understand the importance of protecting patient data from unauthorized uses and disclosures. Consequently, training should not only be about policies and procedures, but also why the policies and procedures exist and the consequences of HIPAA violations to employers, employees, and patients.

At present, there are no states that require Covered Entities or Business Associates to provide annual HIPAA training. However, some states have privacy laws that supersede HIPAA and that have specific training requirements, while personnel employed by the Defense Health Agency are required to undergo Privacy Act and HIPAA privacy training annually.

HIPAA training provided by a Covered Entity or Business Associate does not expire unless a change in policies and procedures affects your role, a need for additional training is identified in a risk analysis, or you change jobs and work for another Covered Entity or Business Associate who has different policies and procedures from your former employer. You may also have to undergo additional training if you employer is issued with a corrective action order by the Office for Civil Rights.

New employees of a Covered Entity must complete HIPAA training “within a reasonable period of time after the person joins the Covered Entity´s workforce” – ideally before they are exposed to PHI. New employees of a Business Associate are required to take part in a security and awareness training program, but HIPAA does not stipulate how soon this is required after the person joins the Business Associate´s workforce – although ideally before they are exposed to ePHI.

All HIPAA documentation has to be maintained for six years after the event(s) the document(s) relate to. Therefore, if an employee signed an attestation that they received Privacy Rule training in 2018, and refresher training wasn´t provided until 2021, the original attestation will have to be kept until 2027. The same principle applies if refresher or additional privacy training was provided as the result of a policy change, risk assessment, corrective action order, or employee promotion.

There are various online training courses one can take to get certified. Some courses are role specific, whereas others provide general HIPAA training. Both types of courses can be beneficial to job seekers, while general HIPAA training is often used by Covered Entities and Business Associates to provide periodic refresher training – a copy of the certificate being used as documentation that training was provided in the event of an OCR audit, investigation, or inspection.

There are two federal requirements for HIPAA training. The first is that Covered Entities must provide policy and procedure training “to each new member of the workforce within a reasonable period of time after the person joins the Covered Entities workforce” (45 CFR § 164.530), and the second is that Covered Entities and Business Associates “implement a security and awareness training program for all members of the workforce” (45 CFR § 164.308).

Responsibility varies depending on the size of the organization, the nature of its operations, and the available resources. In smaller healthcare organizations, a healthcare administrator will likely be responsible for Privacy Rule training, while a senior member of the IT team will be responsible for Security Rule training. Sometimes, one person will fill both roles. In larger organizations, the responsibility for training all employees on HIPAA is shared between a compliance team.

There are two answers to this question. The first is that – according to the Privacy and Security Rules – members of the workforce must be trained on HIPAA-related policies and procedures relevant to their roles and provided with security and awareness training. The second answer is that the amount of HIPAA training required (beyond that stipulated by the Privacy and Security Rules) should be determined by the results of a risk assessment.

The length of HIPAA training – per session – will be dependent on the amount of content included in the session, the number of people attending the session, and the volume of questions asked during and after the session. Ideally, training sessions should be no longer than 60 minutes so information is retained. In terms of how long HIPAA training takes in total, training should be ongoing to ensure members of the workforce remain compliant with HIPAA.

HIPAA training is never completed. This is because whenever new regulations, policies, working practices, or technologies are introduced, members of the workforce are required to receive “material change” training on the new regulations, policies, working practices, or technologies and how the changes should be applied in compliance with HIPAA.

Additionally, the security and awareness training required under the Administrative Requirements of the Security Rule is a program rather than a one-off event. There should be no beginning and end to this program – only updates on changes to the threat landscape and training on how members of the workforce can reduce their susceptibility to the threats.

You need HIPAA training when you first start working with a Covered Entity or Business Associate so you are familiar with the policies and procedures relating to HIPAA. Because each Covered Entity and Business Associate has their own policies and procedures relating to HIPAA, you will also need HIPAA training if you leave your job and go to work for another Covered Entity or Business Associate.

While working for the same Covered Entity or Business Associate, you will need refresher HIPAA training if there is a “material change” to a HIPAA-related policy or procedure that affects your role. You may also need HIPAA training when a risk assessment identifies a need for further training, when your employer receives a complaint that can be resolved by training, or when training is required as a sanction – either from your employer or from HHS´ Office for Civil Rights.

HIPAA training is important because it explains to members of the workforce how they should protect patient privacy and ensure the confidentiality, integrity, and availability of PHI to perform their duties without violating HIPAA regulations. Refresher training is equally as important to prevent bad habits deteriorating into cultural norms of non-compliance.

HIPAA training is necessary so that employees, students, and volunteers understand why protecting patient data from unauthorized uses and disclosures is crucial to the organization they work for, for the patients they care for, and for themselves. In some cases, the failure to comply with the lessons learned in HIPAA training can end an individual's career.

HIPAA patient privacy training is necessary for all members of the workforce, but particularly those with public-facing roles. HIPAA patient privacy training explains the requirements of the Privacy Rule in relation to patients´ rights, permissible uses and disclosures of patient data, and the minimum necessary standard which states you should limit unnecessary disclosures of PHI.

Everybody who qualifies as a member of a Covered Entity´s or Business Associate´s workforce is required to have HIPAA training. This not only means employees have to be trained on HIPAA policies, but also volunteers, students, and contractors who may encounter Protected Health Information in visual, verbal, written, or electronic form.

Every member of a Covered Entity´s or Business Associate´s workforce must take HIPAA training – including students, volunteers, and contractors. The nature of training will vary according to the activities of the organization and individuals´ functions, but it is necessary for everyone to understand what PHI is, why it should be protected, and how it is protected.

HIPAA training is valid until you change jobs and work for a different employer with different policies and procedures. Additionally, some of your initial HIPAA training may be superseded if your current employer changes HIPAA-related policies or procedures due to a change in the law, as the result of a risk assessment, or in response to a patient complaint or OCR investigation.

HIPAA training does not expire unless you change jobs and work for another Covered Entity or Business Associate. This is because each Covered Entity and Business Associate is required to develop their own HIPAA-compliant policies and procedures. Therefore, when you go to work for a new organization that is a Covered Entity or Business Associate, the new organization will likely have different HIPAA-compliant policies and procedures from those you have been trained on.

The HIPAA training requirements for new hires vary according to whether the employer is a Covered Entity or a Business Associate. Covered Entities must train new hires on policies and procedures and the Breach Notification Rule (as required by the Privacy Rule) and include them in a security and awareness training program (as required by the Security Rule).

Business Associates are only required to provide a security and awareness training program unless elements of the Privacy Rule apply to the new hire´s role. In such cases, it is necessary to train the new hire on the elements of the Privacy Rule that apply and explain the procedures for reporting unauthorized disclosures and security incidents.

Covered Entities´ new hires must complete their initial HIPAA training “within a reasonable period of time after the person joins the Covered Entity´s workforce” – ideally before they are put into an unsupervised situation in which they could inadvertently and impermissibly disclose PHI. New hires of Covered Entities and Business Associates must also take part in a security and awareness training program. HIPAA does not stipulate how soon this is required after the new hires start working, but HIPAA security training should start prior to having unsupervised access to ePHI.

The best way to prepare a new hire for HIPAA training is to familiarize them with the basics of HIPAA – especially topics such as why HIPAA exists, what HIPAA protects, and what PHI is. This will ensure every new hire entering policy and procedure training has the same level of knowledge and will put the content of the policy and procedure training into context.

Training documentation is necessary for HIPAA compliance because, in the event of an inspection or audit by HHS´ Office for Civil Rights, it not only shows that training has been provided, but could determine liability for a HIPAA violation if liability is dependent on whether a Covered Entity failed to provide “necessary and appropriate” training, or whether a member of the workforce failed to apply the training while carrying out their duties – resulting in a HIPAA violation.

HIPAA training documents must be kept for six years from the date the policies and procedures the training relates to were last in force. For example, if training on individuals´ rights was provided in 2019, but the procedures for responding to patient access requests was changed in 2022 (and further training was provided), the HIPAA training documents relating to the original training must be kept until 2028. It will also be necessary to maintain a document of the training provided to employees when a “material change” occurred in 2022.

HIPAA training for mental health professionals differs from HIPAA training for general health professionals inasmuch as a mental health professional will need to know about the different disclosure rules that apply to (for example) psychotherapy notes, risks of self-harm, and threats to others. There are also times when HIPAA preempts FERPA, or when HIPAA is preempted by state or federal drug abuse confidentiality regulations.