While providing employees of Covered Entities (CEs) and Business Associates (BAs) with HIPAA training is a requirement of the Health Insurance Portability and Accountability Act, the text of the Act says little about what type of training should be provided.
The reason for this is that HIPAA applies to a broad range of organizations, and the HIPAA training requirements for one type of organization (e.g., a healthcare provider) will naturally differ from those for another type of organization (e.g., a healthcare clearinghouse).
Nonetheless, according to the HIPAA Privacy Rule, training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” and when “functions are affected by a material change in policies or procedures”. Furthermore, the Security Rule stipulates CEs should “implement a security awareness and training program for all members of the workforce”.
Regrettably, the lack of clarity regarding the content of a HIPAA training course can cause confusion. Nonetheless, should a breach of Protected Health Information (PHI) occur, and it is found that staff weren’t adequately trained on HIPAA-compliant policies and procedures, CEs and BAs may be fined by the Office for Civil Rights (OCR).
To help prevent avoidable breaches from occurring, regular risk assessments should be conducted; these will help establish the role each employee has with respect to PHI. From analyzing the risk assessments, CEs and BAs will be able to determine what training is appropriate for each employee’s role – the objective of HIPAA Training being to ensure each employee is aware of the requirements of HIPAA and can perform their job in a HIPAA-compliant manner.
Arranging and providing training can be costly and time-consuming. It is, however, necessary. Furthermore, by investing in training, you will be helping employees do their jobs, protecting the privacy of patients, and ensuring that – in the event of a compliance audit or investigation into a data breach or patient complaint – you will be able to demonstrate to regulators that you have taken HIPAA compliance seriously.
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training. We recommend training sessions are offered in shorter, frequent sessions rather than one long session. This way, employees are more likely to stay focused and retain critical information.
Do provide regular training sessions. Each can focus on a different aspect of training, update staff on new developments, or just remind employees of the most important aspects of HIPAA Rules.
Do inform employees of the consequences of a PHI breach. These can include fines and legal action for the CE, privacy violations for patients, and even criminal charges against employees in some situations.
Do include all levels of management in training. Everybody needs a refresher from time to time, and a lack of training provided to higher levels reflects poorly on the CE in an audit.
Don’t forget to document what training is provided, who it is provided to, and which subjects are covered. If OCR carries out an investigation or an audit, this information will need to be provided.
Don’t just read passages from the HIPAA text. Explain legal jargon and summarize important pieces of information. Try to ensure that participants both know the required legislation but also understand how to enact it in their day-to-day roles.
Don’t go too deeply into the history of HIPAA. While it is important to understand why HIPAA was enacted, it is more important employees are aware of the key regulations that directly impact their roles.
To further help CEs and their business associates meet the obligations and objectives of HIPAA Training, we have prepared three sample curricula. The first – “Basic HIPAA Training” – could be used either as a foundation course or as a refresher course. The second curriculum – “Comprehensive HIPAA Training” – contains modules that will be relevant to employees in specific roles; while the third curriculum – “HIPAA Training for Students” – contains selected elements from both the Basic and Comprehensive curricula, along with student-specific modules.
The Basic Training sample curriculum covers the areas of HIPAA that will be common to all roles. As mentioned above, this curriculum could be used as a foundation course for new employees (provided it is supplemented with comprehensive role-based HIPAA training) or as refresher training.
An overview of HIPAA is a good place to start any HIPAA Training course as it ensures all employees have the same understanding of the purpose of the Act, what its objectives are, and who it applies to in the context of preventing unauthorized access to PHI.
The content of HIPAA is deliberately flexible and consequently uses terminology that employees may be unfamiliar with – with the potential for regulations to be misinterpreted. Before further training is undertaken, employees should understand the most common terms they will encounter.
The HITECH Act was the facilitator of the Meaningful Use program – which drove the adoption of technology in the healthcare industry – and the subsequent Promoting Interoperability program, which most employees will encounter in their daily roles.
There are five main HIPAA regulatory rules, and while most employees will not need to have a deep understanding of the Enforcement Rule and Breach Notification Rule, it is important they are aware of the content of the HIPAA Omnibus Final Rule, Privacy Rule, and Security Rule.
The HIPAA Omnibus Final Rule implemented provisions of the HITECH Act to strengthen existing privacy and security protections. It also made business associates and their subcontractors directly liable for their own compliance with HIPAA – and directly liable for violations of HIPAA.
The Privacy Rule defines Protected Health Information and how CEs and business associates need to protect it from loss, theft, and unauthorized disclosure. It also explains patients’ rights and the Minimum Necessary Standard, which limits how much information can be disclosed by employees.
The technical, administrative, and physical safeguards of the Security Rule will impact every employee’s day-to-day routines, and this module of HIPAA training should be used as an introduction to the more advanced modules in the suggested comprehensive training curriculum.
Although patients’ rights may have already been mentioned in the Privacy Rule module, it may be necessary for frontline healthcare and administration employees to undergo specific training on providing patients with Privacy Notices and handling patient requests.
The HIPAA disclosure rules apply to all employees in whatever function they perform. Ideally, this module should be presented at the same time as the Privacy and Security Rule modules to deepen employee understanding of allowable disclosures and the Minimum Necessary Standard.
HIPAA violations can have consequences for patients, organizations, and employees. To make this module more relevant for trainees, this is a good opportunity to introduce and explain the organization’s sanction policy and how employees may be impacted by violations of HIPAA.
As part of a basic HIPAA training course or refresher course, this module should be used as an overview of compliance best practices. Ideally, the module on preventing HIPAA violations should be tailored to specific groups of the workforce to be more relevant to their roles.
An appropriate refresher module, training on being a HIPAA-compliant employee can summarize what has been discussed previously, include general do’s and don’ts, or focus on specific roles. This module can also be used to explain the procedure for reporting HIPAA violations.
The basic HIPAA training course provides employees with the fundamentals of HIPAA, but more comprehensive training is often necessary for employees to apply the fundamentals in real-life situations. The following curriculum can be tailored according to employees’ roles and refreshed to meet the HIPAA training requirements whenever “functions are affected by a material change”.
This module can help employees better understand the objectives of HIPAA by providing a timeline of HIPAA and of when the main HIPAA regulatory rules were introduced. The module should be updated annually to reflect changes to HIPAA and emerging compliance challenges.
This comprehensive module should explain both the online threats to patient data and physical threats such as failing to safeguard hard copies of patient data, leaving mobile devices unattended, and positioning workstations in public view.
Organizations should have policies and procedures in place to govern how computers should be used. Employees need to be made aware of these policies and procedures – even the policies and procedures that are not directly relevant to HIPAA – i.e., personal use.
Healthcare professionals have to be particularly careful about what they share on social media platforms because it is very easy to disclose PHI unintentionally. Consequently, employees should be trained on best practices for managing social media accounts safely.
In some emergency situations, disclosures of PHI beyond what is normally allowed may be permitted for public health purposes. It may also be the case that the Office for Civil Rights waives certain elements of HIPAA to remove obstacles to the flow of healthcare information.
It is important for employees to know who the organization’s HIPAA Officers are and what their roles and responsibilities are. Ideally, a HIPAA Officer would lead the presentation of this module so employees can put a face to a name.
A HIPAA compliance checklist is most often used by HIPAA Officers and IT managers to avoid oversights. However, a checklist can also be used towards the end of basic HIPAA training to gauge how well employees have understood and absorbed the training.
HIPAA is constantly evolving, and it is important employees are made aware of recent HIPAA updates to ensure compliance. It is especially important this module is included in refresher training if there has been an update or new rule published since training was last provided.
The Texas Medical Privacy Act and HB 300 apply to all organizations that create, use, maintain, or transmit the health information of a Texas resident – regardless of where the organization is located. Therefore, this module may apply to HIPAA-covered organizations outside of Texas.
One of the best ways to train employees on cybersecurity best practices to mitigate the risk of a data breach is to teach them about the threats that exist that can impact their own personal accounts. This will help change online behaviors and create a culture of security throughout the organization.
There are many ways to protect PHI from cyberthreats, and this module should educate employees on password management and resilience to phishing, as well as explaining concepts such as multi-factor authentication, access controls, and network monitoring.
Healthcare students should be provided with HIPAA training before they start working with patients and accessing EHRs. Because it is not always known during their education which roles and responsibilities students will have once they graduate, the curriculum for healthcare students should include modules from both the basic and comprehensive HIPAA training courses – with additional modules specifically designed to appeal to a student population. For example:
During training, students are usually permitted to access EHRs under supervision. This module should explain the rules about password sharing (to access PHI maintained in EHRs) and what students can and cannot do with the PHI they have access to.
Students need to be aware that the policies and procedures they will encounter when becoming an employee of a CE also apply when writing reports, preparing case studies, or giving presentations. It may need to be reinforced that they are unable to use PHI in any report or project unless the subject of the PHI has given their informed consent or the data are de-identified by removing PHI identifiers.
It is equally important students understand the CE’s other HIPAA policies and procedures and comply with them just as if they were healthcare professionals. Therefore, they may need to be given additional training on how to identify a HIPAA violation and who to report the violation to.
The terminology of HIPAA legislation means it is at the discretion of CEs and their business associates to determine how best to provide training to employees. Ultimately, it is necessary to provide sufficient basic training to prevent unauthorized disclosures of PHI; while further, more comprehensive training should be tailored to the roles of individual employees.
The organization of HIPAA training is the responsibility of the HIPAA Privacy and Security Officers; although it should be a collaborative effort that involves nursing managers, HR, and IT – especially when a new policy, process, or technology is implemented. It may also be appropriate to use third party consultants to conduct training when new HIPAA guidance is issued by HHS.
HIPAA training should be relevant to each staff member’s role; and while there are areas of the Privacy, Security, and Breach Notification Rules that should be included in all HIPAA training courses, training should be designed so each staff member can fulfil their role in compliance with HIPAA.
Each time there is a change of policy, process, or technology, a risk assessment should be carried out to determine the impact the new policy, process, or technology will have on HIPAA compliance. CEs and BAs should then analyze the results of the risk assessment (and document the analysis) in order to determine if any additional training is necessary.
BAs have the same HIPAA training obligations as CEs to make sure their workforce is capable of performing duties in a HIPAA-compliant manner, and therefore the frequency of HIPAA training should be “as necessary”. However, while the training obligations remain the same, it is likely a BA will have a less diverse workforce than a CE, and managing the training requirements should be simpler.
All HIPAA-related documentation has to be retained for six years from the date it was last used. Therefore, all risk assessments and analyses must be retained for six years, as must the content of training courses and documentation relating to who attended the courses and when. For example, if a CE developed a training course in 2015 and refreshed it in 2019, the content of the original training course has to be retained until 2025.
In theory, HIPAA training is never completed. This is because whenever new regulations, policies, working practices, or technologies are introduced, members of the workforce will require refresher training to ensure the new regulations, policies, working practices, or technologies are applied in compliance with HIPAA. Furthermore, security and awareness training should be ongoing.
HIPAA training should be done on a regular basis to prevent poor compliance practices developing into a cultural norm. Unfortunately, many Covered Entities do not have the resources to provide HIPAA training on a regular basis, which is why it can be beneficial to take advantage of online refresher training courses to mitigate the risk of a HIPAA violation.
HIPAA training is necessary so that members of the workforce understand the importance of protecting patient data from unauthorized uses and disclosures. Consequently, training should not only be about policies and procedures, but also why the policies and procedures exist and the consequences of HIPAA violations to employers, employees, and patients.
At present, there are no states that require Covered Entities or Business Associates to provide annual HIPAA training. However, some states have privacy laws that supersede HIPAA and that have specific training requirements, while personnel employed by the Defense Health Agency are required to undergo Privacy Act and HIPAA privacy training annually.
HIPAA training provided by a Covered Entity or Business Associate does not expire unless a change in policies and procedures affects your role, a need for additional training is identified in a risk analysis, or you change jobs and work for another Covered Entity or Business Associate whose policies and procedures differ from your former employer’s. You may also have to undergo additional training if your employer is issued with a corrective action order by the Office for Civil Rights.
New employees of a Covered Entity must complete HIPAA training “within a reasonable period of time after the person joins the Covered Entity’s workforce” – ideally before they are exposed to PHI. New employees of a Business Associate are required to take part in a security and awareness training program, but HIPAA does not stipulate how soon this is required after the person joins the Business Associate’s workforce – although ideally it should be before they are exposed to ePHI.
All HIPAA documentation has to be maintained for six years after the event(s) the document(s) relate to. Therefore, if an employee signed an attestation that they received Privacy Rule training in 2018, and refresher training wasn’t provided until 2021, the original attestation will have to be kept until 2027. The same principle applies if refresher or additional privacy training was provided as the result of a policy change, risk assessment, corrective action order, or employee promotion.
There are various online training courses one can take to get certified. Some courses are role specific, whereas others provide general HIPAA training. Both types of courses can be beneficial to job seekers, while general HIPAA training is often used by Covered Entities and Business Associates to provide periodic refresher training – a copy of the certificate being used as documentation that training was provided in the event of an OCR audit, investigation, or inspection.
There are two federal requirements for HIPAA training. The first is that Covered Entities must provide policy and procedure training “to each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” (45 CFR § 164.530), and the second is that Covered Entities and Business Associates must “implement a security and awareness training program for all members of the workforce” (45 CFR § 164.308).
Responsibility varies depending on the size of the organization, the nature of its operations, and the available resources. In smaller healthcare organizations, a healthcare administrator will likely be responsible for Privacy Rule training, while a senior member of the IT team will be responsible for Security Rule training. Sometimes, one person will fill both roles. In larger organizations, the responsibility for training all employees on HIPAA is shared across a compliance team.
There are two answers to this question. The first is that – according to the Privacy and Security Rules – members of the workforce must be trained on HIPAA-related policies and procedures relevant to their roles and provided with security and awareness training. The second answer is that the amount of HIPAA training required (beyond that stipulated by the Privacy and Security Rules) should be determined by the results of a risk assessment.