What are the HIPAA Training Requirements?
HIPAA applies to all types of Covered Entities (CEs) – healthcare providers, health plans, and healthcare clearinghouses – and Business Associates (BAs). Because there are so many different types of roles within CEs and BAs, the HIPAA training requirements are deliberately flexible: what is appropriate for one organization will not necessarily be appropriate for another.
While the HIPAA training requirements are not covered in much detail in the regulations, employees do need to be trained on the requirements of the HIPAA Privacy Rule (45 CFR §164.530) and the HIPAA Security Rule (45 CFR §164.308). The HIPAA Privacy Rule stipulates that training is mandatory for members of the workforce so that they can perform their work duties in a HIPAA-compliant manner. The HIPAA Security Rule states that CEs and BAs must provide security awareness training for all members of the workforce.
Think about the Goals of HIPAA Training
The role of each employee, manager, contractor, volunteer, or trainee determines what training needs to be provided and which aspects of HIPAA must be covered. Developing an effective training program can therefore take a lot of time and resources, as it must be tailored to each user or user group.
The key to effective HIPAA training is not to cram every provision of the Privacy and Security Rules into a six-hour training session; that would make it difficult for staff to assimilate all of the information. The goal of HIPAA training should be to ensure that all relevant knowledge is understood and retained. The training program may therefore need to be spread across several sessions, each covering a different aspect of the HIPAA Rules or of data security.
How Often Should the HIPAA Training be Conducted?
The Privacy Rule and Security Rule do provide some recommendations for training, but no time period is stated. As per the Privacy Rule, every new employee must undergo HIPAA training within a reasonable time period from the date he/she starts employment. Further training must be provided when there are changes to policies and procedures that affect the employees’ duties – once again, within a reasonable time period.
The Security Rule states that HIPAA training is necessary “periodically”. A lot of organizations take “periodically” to mean yearly, which is not necessarily correct. HIPAA training must be provided every time working practices or technology change, as well as when the Department of Health and Human Services (HHS) issues new rules or guidelines. To assess the need for HIPAA training, Privacy and Security Officers need to:
- Keep track of HHS and state publications to make sure they are aware of rule changes and new guidance.
- When new rules or guidelines are issued, perform a risk assessment to find out how the organization’s operations will be affected and whether further HIPAA training is necessary.
- Collaborate with HR and Practice Managers to obtain advance notice of recommended modifications to check the effect on HIPAA Privacy Rule compliance.
- Work together with IT managers to find out about hardware or software upgrades that could impact HIPAA Security Rule compliance.
- Conduct risk assessments regularly to see how policy or procedural changes may affect compliance.
- Prepare a training program that addresses not only changes or updates to HIPAA, but how they apply to employees’ roles and work duties.
Naturally, when working practices or technology change, only the employees affected need to undergo HIPAA training again. At least one representative of senior management must be present in the training sessions – even when they are not directly impacted by the changes in policies or procedures.
What Must be Included in a HIPAA Training Course?
Though a HIPAA training course should be customized to reflect the jobs of the employees participating in the program, some important elements must be included. A basic HIPAA training course ought to cover the topics listed below. CEs may emphasize some topics over others, but they should not omit any of these elements completely.
- What is HIPAA?
- Why HIPAA is Important
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Definitions
- Disclosures of PHI
- Safeguarding ePHI
- Breach Notifications
- Patients’ Rights
- Potential Violations
- BA Agreements
- Employee Sanctions
Best Practices for HIPAA Compliance Training
Because the HIPAA training requirements are not specified, the following best practices may be considered when putting together a security awareness and training program.
- Training sessions should be short and concise. Forty-minute sessions are ideal and should be provided regularly.
- Don’t spend too much time explaining the background of HIPAA. Employees don’t really need to know the history or development of HIPAA; what they need to know is how to safeguard PHI and ePHI while doing their jobs.
- Discuss the consequences of a HIPAA breach. This includes not only the financial impact on the CE or BA, but also the impact on the trainees, their colleagues, and the individual(s) whose private data has been compromised.
- Don’t read the exact text from the HIPAA guidebook. Where possible, use multimedia presentations to help employees retain the information and apply it to their day-to-day working duties.
- Senior management must join the training sessions even if they do not directly handle PHI. It is important for them to be seen to be involved in HIPAA compliance training; knowing that the training is taken seriously by upper management will encourage others to take it seriously too.
- Remember to document your HIPAA training. If the Office for Civil Rights (OCR) investigates or conducts an audit, you will need to show the training content, the dates it was provided, and who participated.
Be Careful of Free HIPAA Training Courses
Only the Department of Health and Human Services (HHS) provides detailed HIPAA training for free. See the HHS website for more information about HIPAA training and to access its training resources.
Some training companies have been known to offer free HIPAA training to healthcare organizations, only to show videos and then require payment for certificates of HIPAA compliance. Thirty minutes of watching a video is not enough to teach HIPAA to healthcare employees across diverse disciplines. Besides not actually being free, such training is a waste of time.
Another trick of “free” online HIPAA training for employees is charging for individual exam scores. After an employee completes a free online HIPAA training course, he/she takes an examination, and payment is then required to find out whether he/she passed.
HIPAA Training Requirements FAQs
Who within an organization is responsible for preparing and conducting HIPAA training?
In most cases, the HIPAA Privacy Officer and HIPAA Security Officer share responsibility for HIPAA training, although this does not mean they will prepare and conduct it themselves. Many organizations outsource some or all of their employees’ HIPAA training to specialist compliance agencies.
Does every member of staff have to undergo the same training?
HIPAA training should be designed to be relevant to each individual’s role. Therefore, although there may be elements of the Privacy, Security, and Breach Notification Rules that are common across many different roles, you wouldn’t provide the same training for (say) a midwife as you would for a computer systems engineer.
How regularly should risk assessments be conducted to determine training requirements?
Any time there is a change of process or technology, organizations should at least consider whether the change impacts HIPAA compliance. The answer should be documented, and if the change is likely to impact HIPAA compliance, a risk assessment should be conducted to determine whether HIPAA training on the change of process or technology is required.
Do Business Associates have to conduct as much training as Covered Entities?
Business Associates have the same HIPAA training obligations as Covered Entities: to enable members of the workforce to perform their work duties in a HIPAA-compliant manner. However, while the training obligations are the same, the content of the training only needs to be relevant to individuals’ roles. A Business Associate is likely to have a less diverse workforce than a Covered Entity, and therefore simpler training requirements.
How long do copies of training courses have to be retained?
All HIPAA-related documentation has to be retained for six years from the date it was last used. Therefore, if you developed a training course in 2014 and didn’t refresh it until 2018, the original training course has to be retained until 2024. The same applies to risk assessments (which should be reviewed every year regardless of whether any processes or technologies have changed) and to any documentation explaining a decision made on the basis of a risk analysis.