HIPAA Training is a Federal Requirement
The provision of HIPAA training is a federal requirement for individuals and organizations that qualify as HIPAA covered entities or business associates as defined by the HIPAA Administrative Simplification Regulations. The content of HIPAA training is dependent on the activities of each individual or organization and the risks to the privacy and security of PHI.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 with the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed onto employers and employees, and that this would impact federal tax revenues, a second title was added to HIPAA to mitigate the cost of the reforms.
Title II of HIPAA includes measures to tackle health insurance fraud, fund enforcement action, and simplify the administration of healthcare transactions between healthcare providers and payers. The measures introduced to simplify the administration of healthcare transactions evolved into the HIPAA Administrative Simplification Regulations.
The HIPAA Administrative Simplification Regulations
The HIPAA Administrative Simplification Regulations are the regulations promulgated by the Department of Health and Human Services (HHS) in response to instructions issued by Congress. For example, via HIPAA, Congress instructed HHS to adopt standards for electronic healthcare transactions and safeguards to protect the integrity and confidentiality of data maintained or transmitted in connection with healthcare transactions.
In response to these instructions, HHS proposed the first sets of standards for healthcare transactions and the regulations for the security of data in 1998. The first transaction standards were finalized in 2000 and have been expanded frequently thereafter to account for advances in healthcare and technologies. Due to the complexity of the proposed security regulations, the Final HIPAA Security Rule did not become effective until April 2003.
HIPAA also instructed the Secretary of Health and Human Services to submit recommendations for the privacy of health information to Congress. The recommendations were to be adopted as regulations if Congress did not pass its own privacy legislation within three years. When the self-imposed deadline expired, the proposed HIPAA Privacy Rule was published in 1999. Subsequent revisions delayed the Rule becoming effective until October 2002.
How the Federal HIPAA Training Regulations Evolved
Although HIPAA training is a federal requirement, it is a federal requirement by regulation rather than by law. The first effective HIPAA training regulation (§164.530(b) of the HIPAA Privacy Rule) reads much the same today as it did in 2002, with the exception that the requirement to train members of the workforce on policies and procedures relating to the HIPAA Breach Notification Rule (“subpart D of this part”) was added in 2009 following the passage of the HITECH Act.
The HIPAA Security Rule training standard (§164.308(a)(5)) reads exactly the same as when the HIPAA Security Rule Final Rule was published in 2003. However, prior to the passage of the HITECH Act, HHS did not have the authority to impose training requirements on business associates. Covered entities were required “to require their business associates to implement certain safeguards” in Business Associate Agreements and to monitor their associates’ compliance with HIPAA.
Because this requirement was impractical and led to multiple HIPAA violations, Congress included two provisions in the HITECH Act which made business associates directly liable for violations of any applicable privacy standard (§17931) and for violations of any safeguard in §164.308 to §164.312 and any standard in §164.316 of the HIPAA Security Rule (§17934). These changes were made to the HIPAA Administrative Simplification Regulations via the Omnibus HIPAA Final Rule in 2013.
Today, HIPAA Training is a Federal Requirement for All Covered Entities and Associates
Although today HIPAA training is a federal requirement for all covered entities and business associates, it is not necessarily so in the way Congress intended in the HITECH Act. Rather than make business associates directly liable for violations of applicable privacy standards and security safeguards, the Omnibus HIPAA Final Rule amended the Applicability clause (§160.102) in the General Provisions to make business associates liable for violations of any applicable HIPAA Administrative Simplification Regulation.
This means that the HIPAA training standard in the HIPAA Security Rule had to be implemented by business associates “in accordance with §164.306”. (This requirement already existed for covered entities.) The significance of this requirement is that security awareness and training programs must include content designed to “protect against any reasonably anticipated uses or disclosures of [electronic PHI] that are not permitted or required [by the HIPAA Privacy Rule].”
Therefore, business associates and covered entities cannot comply with the HIPAA Security Rule training standard by providing only generic security awareness training. The training must also cover topics such as what is considered PHI, why PHI is more highly sought by cybercriminals than other types of personal data, and what the real consequences of impermissible disclosures are (i.e., medical identity theft rather than regulatory enforcement action).
Complying with the Federal Requirements for HIPAA Training
Despite stating in the 2002 HIPAA Privacy Rule Final Rule that “we expect to provide general training materials” and develop specialized materials for “classes of providers, plans, and patients”, there is minimal guidance on HHS’ “Training Materials” web page to help covered entities and business associates comply with the federal requirements for HIPAA training.
The fact that HIPAA training is a federal requirement, but the federal agency responsible for enforcing the requirement does not provide much in the way of guidance, is explained by HHS thus: “The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities.”
Therefore, it is important for all covered entities and business associates to determine what training their workforces require to “reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of [the HIPAA Privacy Rule]” (§164.530(c)). In most cases, this will involve providing HIPAA awareness training to all workforce members.
HIPAA awareness training provides a foundation level of HIPAA knowledge to all members of the workforce and can be used to support HIPAA policy and procedure training (required by §164.530(b)) so that policies and procedures are more understandable. The training can also be used alongside generic security awareness training to ensure an organization’s security awareness and training program complies with the requirement to implement the program “in accordance with §164.306”.
Seek Advice before Implementing HIPAA Awareness Training
In recent years, there has been a substantial growth in vendors offering HIPAA online training. It is clear from reviewing the marketing materials that some vendors’ training may not be adequate for filling gaps in HIPAA knowledge or supporting mandated HIPAA training. Covered entities and business associates are advised to seek advice before implementing HIPAA awareness training to ensure it is accredited by a recognized training assessor and that it covers any threats to the privacy and security of PHI identified in a HIPAA risk assessment.