What are the HIPAA Training Requirements?
HIPAA applies to Covered Entities (CEs) – healthcare providers, health plans, healthcare clearinghouses – and Business Associate (BA), therefore, HIPAA training requirements are somewhat flexible. What is right for one organization will not necessarily be right for another. While training is not covered in much detail, employees do need to be trained on the requirements of the HIPAA Security Rule (45 CFR §164.308) and the HIPAA Privacy Rule (45 CFR §164.530). What is stipulated in the HIPAA Privacy Rule, is training is mandatory for members of the workforce to allow them to perform their work duties in a HIPAA-compliant manner. The HIPAA Security Rule states that CEs and BAs must provide security awareness training for all members of the workforce.
Think about the Goals of HIPAA Training
The role of each employee, manager, contractor, volunteer or trainee who is required to come into contact with PHI or ePHI will dictate what training needs to be provided and what aspects of HIPAA must be covered.
Developing an effective training program can take a lot of time and resources as it must be tailored to each user or user group. Don’t cram every provision of the HIPAA Privacy and Security Rules into a six hour training session. That would make it difficult for staff to assimilate all of the information. The goal of HIPAA training should be to ensure that all relevant knowledge is understood and retained. The training program therefore may need to be spread across several sessions, each covering a different aspect of HIPAA Rules or data security.
How Often Should the HIPAA Training be Conducted?
The Privacy Rule and Security Rule do provide some recommendations for training, but no time period is stated. As per the Privacy Rule, every new employee must undergo HIPAA training within a reasonable time period from the time he/she joins starts employment. Further training must also be provided when there are changes to policies and procedures that affect the employees’ duties – once again, training should take place within a reasonable time period.
The Security Rule states that HIPAA training is necessary “periodically”. A lot of organizations understand “periodically” to mean yearly, which is not necessarily correct. HIPAA training must be provided every time working practices or technology change, as well as when the Department for Health and Human Services issues new rules or guidelines. To assess the need for the HIPAA training, Privacy and Security Officers need to:
- Keep track of HHS and state publications to make sure they are aware of rule changes and new guidance.
- When there are new rules or guidelines, a risk assessment should be performed to find out how the organization’s operations will be affected and whether further HIPAA training is necessary.
- Collaborate with HR and Practice Managers to obtain advance notice of recommended modifications to check the effect on HIPAA Privacy Rule compliance.
- Work together with IT managers to find out about hardware or software upgrades that could impact HIPAA Security Rule compliance.
- Conduct risk assessments regularly to see how policy or procedural changes may affect compliance.
- Prepare a training program to address not only changes or updates to HIPAA, but how they apply to employees roles or work duties.
Obviously, when working practices and technology change, only the employees affected need to undergo HIPAA training again. At least one representative of the senior management must be present in the training sessions – even when they are not directly impacted by the changes in policies or procedures.
What Must be Included in a HIPAA Training Course?
Though a HIPAA training course should be customized to reflect the jobs of employees participating in the program, some important elements must be included. A basic HIPAA training course ought to include the topics listed below. CEs may focus on some topics rather than others, but they should not omit any of the elements below completely.
- What is HIPAA?
- Why HIPAA is Important
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Definitions
- Disclosures of PHI
- Safeguarding ePHI
- Breach Notifications
- Patients’ Rights
- Potential Violations
- BA Agreements
- Employee Sanctions
Best Practices for HIPAA Compliance Training
Because the HIPAA training requirements are not specified, the following best practices may be considered when putting together a security awareness and training program.
- Training sessions should be short and concise. Forty minute sessions are ideal and should be provided regularly.
- Don’t spend too much time explaining the background of HIPAA. Employees don’t really need to know the history or development of HIPAA. What they need is to know how to safeguard PHI and ePHI when they do their jobs.
- Discuss the consequences of a HIPAA breach. This does not only include the financial impact on the CE or BA, but also the impact on trainees, their colleagues, and on the individual(s) whose private data has been compromised.
- Don’t read the exact text from the HIPAA guidebook. If you can, use multimedia presentations to help them retain the information and apply it to their day-to-day working duties.
- Senior management must join the training sessions even if they are not directly handling PHI. It is important for them to be seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously by upper management will encourage others to take it seriously.
- Remember to document your HIPAA training. In case OCR investigates or conducts an audit, it is necessary to show the training content, the dates it was provided, and who participated in training.
Be Careful of Free HIPAA Training Courses
Only the Department of Health and Human Services (HHS) provides detailed HIPAA training for free. See the HHS website for more information about HIPAA training and to access its training resources.
Some training companies have been known to provide free HIPAA training for healthcare organizations, only to show videos and then require payment to provide certificates of HIPAA compliance. Thirty minutes of watching a video is not enough to teach HIPAA to healthcare employees in diverse disciplines. Besides not being free, the HIPAA training is a waste of time.
Another trick of “free” online HIPAA training for employees is asking for money to get individual exam scores. After an employee completes a free online HIPAA training course, he/she takes an examination. To know if he/she passed or not, payment is required to get the exam score.