Strangely, while training employees on HIPAA requirements is absolutely necessary, the requirements laid out by the legislation regarding training are vague. This is in part because HIPAA covers a broad range of covered entities (CEs) and their business associates (BAs). The training requirements for a healthcare clearinghouse will naturally be different from those of a healthcare provider, so it is left to the discretion of each covered entity to determine what is reasonable and appropriate.
Training, in some form, is required under the administrative requirements of the HIPAA Privacy Rule and is a requirement of the administrative safeguards of the HIPAA Security Rule. Neither provides very comprehensive information on what is required in terms of training. They state that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).
Regrettably, this lack of certainty regarding HIPAA training does lend itself to confusion. Despite the lack of clear rules, should a breach of Protected Health Information (PHI) occur and it is found that staff weren’t adequately trained, the CE and BAs may be issued with a fine by the Office for Civil Rights (OCR).
Objectives of HIPAA Training
To prevent such a breach from happening, it is essential that regular risk analyses are conducted by CEs and BAs. These will help to establish the role each employee plays with respect to PHI, which in turn helps ensure that each employee gets training appropriate to his/her role.
CEs should tailor security awareness and training programs to the role of each employee, manager, associate etc. who comes into contact with PHI. For complex roles, many training sessions may be required.
Providing training can be costly and time-consuming, which is often off-putting. It is, however, necessary. We recommend that training sessions are offered in shorter, frequent sessions rather than one long session. This way, employees are more likely to stay focused and retain critical information.
Top Training Tips
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.
Do try to keep training sessions short. This will make employees more likely to retain information and thus help prevent further breaches. Remember: Ignorance is not considered an excuse for PHI breaches or HIPAA violations.
Do provide regular training sessions. Each can focus on a different aspect of training, update staff on new developments, or even just remind employees of the most important aspects of HIPAA Rules.
Do inform employees of the dangers of a PHI breach. These can include fines and legal action for the CE, privacy violations for patients, and even criminal charges in some situations. Such information can help highlight the need for HIPAA compliance.
Do include all levels of management in training. Everybody needs a refresher from time to time, and a lack of training provided to higher levels reflects poorly on the CE in an audit.
Don’t forget to make clear records of when the training occurred, who was involved and what information was handed out. If OCR carries out an investigation or an audit, this information will need to be provided.
Don’t just read passages from HIPAA. Explain legal jargon and summarize important pieces of information. Try to ensure that participants not only know the required legislation but also understand how to enact it in their day-to-day roles.
Don’t go into the history of HIPAA – it is not essential information and is likely to cause participants to lose focus before you even begin. Having so much information thrown at you before you even get into the important information will alienate employees.
Designing a training course can be complicated, and it can be difficult to decide what is appropriate for different employees. Here we describe a sample HIPAA training curriculum, which can be tailored as needed. Some modules – such as the Introduction to HIPAA – are core elements for all employees, whilst others are more suitable for those in specific roles. Who receives what training is at the discretion of the CE.
- Introduction to HIPAA – This should include a brief overview of HIPAA legislation, as well as detail the main aspects of the act. This should not, however, include a long introduction to the history of HIPAA.
- Why is HIPAA needed? – Though this may seem intuitive, there is no harm in reminding employees of why acts such as HIPAA are required. This can include case-studies of recent incidents where HIPAA was breached.
- HIPAA terminology – HIPAA is a complex piece of legal documentation. It would be unreasonable to expect all employees to understand the terminology, so providing a “glossary” of common terms (e.g. “covered entity”) will be hugely beneficial.
- Applicability of HIPAA – Knowing who has to abide by HIPAA policy is essential in ensuring compliance.
- Covered Entities – A covered entity is an entity that creates or uses healthcare information to provide healthcare, to obtain payment for healthcare, or to perform healthcare operations, and that conducts healthcare transactions electronically. CEs must be HIPAA compliant, meaning they must ensure the confidentiality, integrity, and availability of PHI.
- Examples of CEs – Generally, any hospital, medical practitioner, healthcare clearinghouse or billing company is considered to be a CE.
- Are employers CEs? – Generally, employers are not considered to be CEs, though they often have healthcare records of their employees.
- Business Associates – Business Associates are any organisation or individual that is contracted by the CE to perform a service that requires contact with PHI. They must also be HIPAA-compliant, and thus any BAs must train their employees on HIPAA requirements.
- Types of BA – BAs essentially include any external body hired by the CE to perform a service. This can range from management consultants to accountants and software providers. As long as they have access to PHI, they must be HIPAA-compliant.
- Business Associate Agreement – Before providing access to PHI to a BA, a CE must ensure that the BA signs a Business Associate Agreement. This is a legal document confirming they understand their responsibilities with respect to PHI and HIPAA.
- What is PHI? – Under the HIPAA Privacy Rule, certain classes of information are deemed to be “protected” and must remain confidential. They cannot be transmitted to or accessed by unauthorized personnel. Any employee that comes into contact with such information must be trained to identify it and treat it accordingly.
- Examples of PHI – PHI is information about an individual’s past, present, or future health, healthcare, or payment for healthcare that is combined with any of the 18 HIPAA identifiers and is created or used in providing healthcare, payment for healthcare, or healthcare operations.
- HIPAA Rules – Since it was originally written, many aspects of HIPAA have been amended. This includes the addition of several “rules” that address specific aspects of patient and data privacy. Most employees will deal with specific rules or aspects of the rules, so the next section can be tailored to their needs.
- Privacy Rule – The Privacy Rule defined PHI and also instructed CEs on allowable uses and disclosures. It also gave patients privacy rights, including the right not to disclose private health care information to health insurers. The Privacy Rule also includes the Minimum Necessary Rule, which stipulates that only the minimum amount of information required to complete a task may be passed on to another authorized entity.
- Security Rule – The Security Rule addresses electronic PHI (ePHI). It outlines the administrative, physical and technical safeguards needed to protect health data.
- Enforcement Rule – To help ensure that HIPAA is being followed, the Enforcement Rule was introduced. It outlines the penalties for non-compliance, and gives the Department of Health and Human Services the ability to prosecute for HIPAA violations.
- Breach Notification Rule – The Breach Notification Rule stipulates that a CE or BA has 30 days after the discovery of a breach to notify the OCR, patients and the media.
- Omnibus Final Rule – The most recent addition to HIPAA, the Omnibus Rule addresses a wide range of areas and implemented the requirements of the HITECH Act.
- HIPAA Password Policies
- Password strength – Passwords should contain a good mixture of upper- and lower-case letters, as well as numbers and special characters where permitted. Longer passwords are better. Check NIST advice and set policies and train employees accordingly.
- HITECH Act – The Health Information Technology for Economic and Clinical Health Act was introduced to help the healthcare sector adapt to the modern age.
- Meaningful use – Under HITECH, those holding electronic health records (EHR) must show that there is a legitimate purpose for holding onto healthcare records. Initially optional, it is now mandatory for all healthcare providers.
- HITECH and HIPAA – Though separate from HIPAA, HITECH is closely related to the act and acts to reinforce HIPAA Rules. Whilst HIPAA focuses on all aspects of privacy, the HITECH Act has a special focus on digital health records.
- Exceptions to HIPAA Privacy – Children and Minors
- Cases of abuse – Unfortunately, working in the healthcare profession, medics may come across distressing cases. If a CE has reasonable grounds to believe that a minor is being abused or neglected, the CE can choose not to disclose the patient’s health information to the legal guardian. The CE may also inform the police or child services.
- Independent minors – If a minor has been emancipated from their legal guardian, they must be treated as a legal adult.
- Legal requirements – If a court decides that someone other than the minor’s legal parent or guardian must make their medical decisions, a third party may access the child’s healthcare data.
- Threats to Privacy
- Cybercrime – Regrettably, healthcare data is an increasingly prominent target for cybercriminals as it has huge value on the black market. Thus, cybercrime – primarily in the form of hacking – poses a huge threat to data privacy. Adopting some of the aforementioned policies and practices can help lessen the threat.
- Human error – All employees will make mistakes from time to time – it is completely normal. However, when this threatens patient privacy, such mistakes can have resounding consequences. It is essential that employees understand the potential dangers of HIPAA non-compliance and that they understand that they must report breaches.
- Penalties for Non-Compliance – For any piece of legislation to have authority, there must be adequate penalties to act as a deterrent. HIPAA is no exception. Ensuring employees have adequate understanding of the potential penalties for HIPAA non-compliance can help prevent breaches.
- Administrative fines – Financial penalties for HIPAA non-compliance can be as high as $1.5 million per violation category per year. Penalty amounts depend on the level of culpability.
- Personal fines – If an individual violates HIPAA and there was malicious intent behind their actions, they can face a personal fine of up to $250,000.
- Jail sentences – In some instances, if a violation is deemed sufficiently severe, an individual may receive a jail sentence of up to 10 years.
- Security Awareness – All employees must be given security awareness training to help them identify threats and vulnerabilities to the confidentiality, integrity, and availability of PHI.
- Phishing awareness – It is important to train employees how to recognize phishing emails and the actions they should and should not take when such an email is received.
HIPAA Compliance Training: Summary
The phrasing of HIPAA legislation means it is up to covered entities and their business associates to determine how best to provide training to employees. Ultimately, so long as the training provided allows employees to understand how to prevent PHI breaches and privacy violations, and makes them aware of patient rights, it should be adequate. Training should also be tailored to the role of individual employees, which both maximizes efficiency and increases the likelihood of knowledge retention. The sample curriculum supplied here is a good base from which a full training course can be developed.
HIPAA Training FAQs
Who is responsible for organizing HIPAA training in a healthcare system?
The organization of HIPAA training is the responsibility of the HIPAA Privacy and Security Officers, although it should be a collaborative effort that involves nursing managers, HR, and IT – especially when a new policy, process, or technology is implemented. It may also be the case that third-party consultants are used to conduct training when new HIPAA guidance is issued by HHS.
Does every staff member undergo the same HIPAA training?
HIPAA training should be relevant to each staff member’s role; and while there are areas of the Privacy, Security, and Breach Notification Rules that should be included in all HIPAA training courses, training should be designed so each staff member can fulfil their role in compliance with HIPAA.
How regularly should risk analyses be conducted by CEs and BAs?
Each time there is a change of policy, process, or technology, a risk assessment should be carried out to determine the impact the new policy, process, or technology will have on HIPAA compliance. CEs and BAs should then analyze the results of the risk assessment (and document the analysis) in order to determine any additional training requirements.
Should the frequency of HIPAA training be the same for BAs as CEs?
BAs have the same HIPAA training obligations as CEs to make sure the workforce is capable of performing duties in a HIPAA-compliant manner, and therefore the frequency of HIPAA training should be “as necessary”. However, while the training obligations remain the same, it is likely a BA will have a less diverse workforce than a CE, and managing the training requirements should be simpler.
How long does documentation relating to training courses have to be retained?
All HIPAA-related documentation has to be retained for six years from the date it was last used. Therefore, all risk assessments and analyses must be retained for six years, as must the content of training courses and documentation relating to who attended the courses and when. For example, if a CE developed a training course in 2015 and refreshed it in 2019, the content of the original training course has to be retained until 2025.