Healthcare Administrator HIPAA Training
Healthcare administrator HIPAA training can vary considerably depending on the nature of the healthcare administrator’s roles and the nature of their employer’s operations. Nonetheless, it is essential that all healthcare administrators have a basic understanding of HIPAA, even if the safeguards required by the HIPAA Privacy and Security Rules do not apply to their roles.
Not all healthcare administrators are veterans of the healthcare industry with many years' experience of HIPAA compliance. An increasing number are recruited from outside the industry because of the growing influence of IT in healthcare and the consequent need for personnel who understand the implications of new technologies for everything from legal issues to operational issues.
It is also the case that not all healthcare administrators work for healthcare organizations. It is common to see healthcare administrators employed at insurance companies, health IT startups, consulting firms, and public health agencies – not all of whom qualify as HIPAA covered entities or business associates.
In circumstances in which an organization is neither a covered entity nor a business associate, the HIPAA Rules do not apply. Nonetheless, it is still important that healthcare administrators have a basic knowledge of the HIPAA Privacy and Security Rules in order to perform their roles with an understanding of how the decisions they make may affect those for whom HIPAA does apply.
Healthcare Administrator HIPAA Training Requirements
The healthcare administrator HIPAA training requirements are the same as for any new member of a covered entity's or business associate's workforce. If a healthcare administrator works for a covered entity, they must receive HIPAA training on the covered entity's "policies and procedures with respect to Protected Health Information […] as necessary and appropriate for the healthcare administrator to carry out their functions within the covered entity" (§164.530(b)).
In addition, healthcare administrators are required to participate in a security awareness and training program that has been tailored to meet the requirements of the HIPAA Security Rule’s General Rules (§164.308(a)(5)). Because the program must be tailored to reduce the threats to electronic Protected Health Information identified in a risk analysis, there is no one-size-fits-all generic security training that satisfies the healthcare administrator HIPAA training requirements.
In some cases, the HIPAA training requirements for new hires can be inadequate to prevent avoidable HIPAA violations due to a lack of knowledge. Although most healthcare administrators will have an understanding of HIPAA due to their professional training – thus mitigating the likelihood of HIPAA violations due to a lack of knowledge – it may be beneficial for healthcare administrators to refresh their HIPAA knowledge via online HIPAA training.
Who is Responsible for HIPAA Training for Healthcare Administrators?
This depends on the HIPAA status of the healthcare administrator's employer. When healthcare administrators are employees of covered entities, their employer's HIPAA Privacy Officer is responsible for providing HIPAA policy and procedure training. As healthcare administrators' functions may include managing facility staff, the patient care experience, and recordkeeping, the volume of HIPAA privacy training for healthcare administrators could be substantial.
HIPAA Privacy Officers also have responsibility for healthcare administrator HIPAA training when the employer qualifies as a business associate that is required to comply with "applicable" standards of the HIPAA Privacy Rule. However, because the employer is not a covered entity, it will not have as many HIPAA policies and procedures to implement, and the volume of HIPAA privacy training for healthcare administrators will be greatly reduced.
With regard to the security awareness and training program required by §164.308, the responsibility for ensuring a program is provided "in accordance with §164.306" (the HIPAA Security Rule's General Rules) belongs to the HIPAA Security Officer. However, the HIPAA Security Officer can delegate the delivery of the program to a senior member of the workforce or outsource some or all of the security awareness training to a third-party cybersecurity company.
When healthcare administrators work for business associates that are not required to provide policy and procedure training – or for organizations that are neither covered entities nor business associates – it is still important that they are familiar with the HIPAA Rules and the standards for safeguarding the privacy and security of Protected Health Information. In such circumstances, individuals may have to take responsibility for their own healthcare administrator HIPAA training.
HIPAA Certification for Healthcare Administrators
HIPAA certification for healthcare administrators is a simple way to refresh healthcare administrators' HIPAA knowledge or to demonstrate to new employers that healthcare administrators have an understanding of HIPAA. Healthcare administrators can acquire a HIPAA certification by subscribing to a HIPAA online training course and passing a test at the end of the course. The course may also award Continuing Education Units (CEUs). Note that HHS does not endorse or accredit any HIPAA certification program, so a certificate attests only to the provider's own assessment.
HIPAA certification for healthcare administrators does not fast-track new members of a covered entity's workforce through HIPAA policy and procedure training, nor excuse them from participating in a security awareness and training program. However, it does show a good faith effort to be a compliant employee and, in some cases, is a required qualification or can elevate the profiles of job candidates in the eyes of prospective employers.
Healthcare Administrator HIPAA Training FAQs
Aren’t healthcare administrators usually responsible for providing HIPAA training?
Healthcare administrators are not usually responsible for providing HIPAA training unless that role has been assigned to them. For example, with regard to HIPAA policy and procedure training, healthcare administrator HIPAA training would usually be the responsibility of (although not necessarily delivered by) the covered entity's HIPAA Privacy Officer.
With regard to security awareness training, this is usually the responsibility of the HIPAA Security Officer. The role of HIPAA Security Officer is usually assigned to a senior member of the IT team rather than to a healthcare administrator.
What if an administrator has worked in the healthcare industry before and is recruited by a covered entity? Do they require HIPAA training for healthcare administrators again?
The administrator will require HIPAA training for healthcare administrators again. Although the administrator will have knowledge of HIPAA from a previous role, the new employer must still provide HIPAA policy and procedure training on its own policies and procedures, as these will likely differ from the previous employer's HIPAA policies and procedures.
With regard to security awareness training, the same situation applies because security awareness training must be provided in accordance with the Security Rule's General Rules (§164.306). The General Rules allow a flexibility of approach, which affects which security measures are implemented to ensure the confidentiality, integrity, and availability of ePHI, and this in turn affects which security policies and procedures are implemented and must be trained on.
If a healthcare administrator has no interaction with the public, do they still need training on subjects such as patients’ rights and seeking consent before disclosing PHI?
The HIPAA Privacy Rule states that training must be provided "as necessary and appropriate for members of the workforce to carry out their functions". Therefore, if a healthcare administrator has no interaction with the public, some subjects can be omitted unless the administrator's role includes managing staff who do interact with the public, in which case these subjects must be included.
Why might a risk assessment identify a need for further healthcare administrator HIPAA training?
In many healthcare facilities, healthcare administrators are under enormous pressure to “get the job done” as efficiently as possible. In some circumstances this may lead to shortcuts being taken with HIPAA compliance. If shortcuts are allowed to develop into a cultural norm, the risk of HIPAA violations and data breaches increases. Once it is identified that shortcuts are being taken, covered entities need to provide refresher healthcare administrator HIPAA training to reinforce the importance of HIPAA compliance.
Why might HIPAA awareness training be part of a corrective action plan?
HHS’ Office for Civil Rights investigates thousands of privacy complaints each year – most of which relate to unauthorized disclosures of PHI, the failure to comply with the Minimum Necessary Standard, and patients’ rights of access. When complaints are upheld, the most common course of action is a corrective action plan to prevent a repeat of the complaints, and when the complaints are attributable to a lack of HIPAA knowledge, the most common remedy is HIPAA awareness training.