What are the HIPAA Training Requirements for New Hires?

HIPAAGuide.net

The HIPAA training requirements for new hires vary depending on the new hires’ roles and responsibilities for a covered entity or business associate, and their potential access – authorized or otherwise – to Protected Health Information (PHI). However, due to the potential for sanctions from Day 1, new hires should be provided with online HIPAA awareness training prior to joining the workforce.

Many sources discussing the HIPAA training requirements for new hires default to the training standard in the HIPAA Privacy Rule (§164.530(b)). This states “a covered entity must train all members of its workforce on the policies and procedures with respect to Protected Health Information […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”.

The HIPAA training for new hires must be provided within a reasonable period of time after a new hire joins the covered entity’s workforce and repeated within a reasonable period of time of a material change to the policies and procedures. In addition, new hires must participate in the security awareness and training program required by §164.308(a)(5) of the HIPAA Security Rule, regardless of their access to PHI.

Issues with the HIPAA Training Requirements for New Hires

Defaulting to the training standards of the HIPAA Privacy Rule and HIPAA Security Rule and taking them out of context of other HIPAA Administrative Simplification Regulations can create issues with the HIPAA training requirements for new hires that can lead to unintentional HIPAA violations. For example, the HIPAA Privacy Rule training standard also applies to business associates’ workforces “where provided” (§160.102).

More importantly, covered entities (and business associates where provided) are required to safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule (§164.530(c)). This standard does not apply “within a reasonable period of time”. It applies all the time. Therefore, if a new hire violates a privacy policy due to not yet having received HIPAA training, the covered entity is liable.

Worse still, if a new hire is a member of (for example) a non-public facing catering team, they may never receive HIPAA training on policies and procedures with respect to PHI because they would not ordinarily have access to PHI “to carry out their functions”. In this case, the new hire could at any time identify a celebrity patient entering a healthcare facility, and unknowingly violate HIPAA by sharing the story via social media.


The way to overcome this issue is to provide all new hires with online HIPAA awareness training prior to joining the workforce. HIPAA awareness training introduces HIPAA to new hires, explains what PHI is, and why it should be protected. The provision of HIPAA awareness training will also help make a covered entity’s policy and procedure training more understandable when new hires with access to PHI undergo policy and procedure training.

Issues with the HIPAA Security Rule Training Standard

The HIPAA Security Rule training standard appears in the Administrative Safeguards of the HIPAA Security Rule (§164.308). The opening line of the Administrative Safeguards states “covered entities and business associates must in accordance with §164.306 …”. Standard §164.306 covers the General Security Rules. These require covered entities and business associates to:

(1) Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rule.

(4) Ensure compliance with the HIPAA Security Rule by the workforce.

This implies that the security awareness and training program required by §164.308(a)(5) of the HIPAA Security Rule must be more than just generic security awareness training. While it is still necessary to cover topics such as password security, phishing awareness, and the prohibition of unsanctioned apps, it is also necessary to include an explanation of what information is being protected and why it is so highly sought by cybercriminals.

With regards to the HIPAA training requirements for new hires who would not ordinarily have access to PHI – or who have “no view access” to electronic PHI because it is encrypted at source – it is still necessary for these members of the workforce to participate in a security awareness and training program to prevent cybercriminals obtaining access to a network and moving laterally through the network to access PHI.

Sanctions for New Hires and Other Workforce Members

One further reason why there are issues with the HIPAA training requirements for new hires is that §164.530(e) of the HIPAA Privacy Rule and §164.308(a)(1) of the HIPAA Security Rule both require covered entities and business associates to apply sanctions against members of the workforce who fail to comply with privacy and/or security policies. Again, these standards do not apply “within a reasonable period of time”. They apply all the time.

In addition, the HIPAA Privacy Rule sanctions standard requires covered entities (and business associates “where provided”) to apply sanctions on members of the workforce for any violation of the HIPAA Privacy Rule or HIPAA Breach Notification Rule – even when no training has been provided on the violated standard. This puts new hires and other workforce members at risk of sanctions for unintentional violations due to a lack of knowledge.

While this may not seem fair, new hires and other workforce members can mitigate the risk of a sanction by themselves subscribing to online HIPAA awareness training. HIPAA training courses covering the basics of HIPAA are widely available on the Internet and often award a certificate of completion at the end of the course that can be used to demonstrate a good faith effort to be a HIPAA compliant member of the workforce.

While subscribing to online HIPAA awareness training and receiving a certificate will not absolve a workforce member for a violation of HIPAA, it may reduce the level of sanction applied. In some cases, this can make the difference between a verbal or written warning that permanently remains on a workforce member’s personnel record, and having to take refresher HIPAA training to make sure the violation never happens again.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/