HIPAA Training

Strangely, while training employees on HIPAA requirements is absolutely necessary, the requirements laid out in the legislation regarding training are limited. This is in part because HIPAA covers a broad range of covered entities (CEs) and their business associates (BAs). The training requirements for a healthcare clearinghouse will naturally differ from those of a healthcare provider, so it is left to the discretion of each covered entity to determine what is reasonable and appropriate. The main reason why specific information on the required content of training courses is not provided is that it makes the HIPAA legislation timeless: when training best practices change, the HIPAA text does not need to be updated.

Training is required under the administrative requirements of the HIPAA Privacy Rule and also under the administrative safeguards of the HIPAA Security Rule. Neither provides very comprehensive information on what is required in terms of training. They state that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule). There is also the requirement to provide additional training to staff members when “functions are affected by a material change in policies or procedures.”

Regrettably, this lack of certainty regarding HIPAA training does lend itself to confusion. Despite the lack of clear rules, should a breach of Protected Health Information (PHI) occur and it is found that staff weren’t adequately trained, the CE and BAs may be issued with a fine by the Office for Civil Rights (OCR).

Objectives of HIPAA Training

To prevent such a breach happening, it is essential that regular risk analyses are conducted by CEs and BAs. These will help to establish the role each employee has with respect to PHI. From the risk analysis, CEs and BAs can determine what training is appropriate for each employee’s role. The purpose of HIPAA training is to make each employee aware of the requirements of HIPAA to ensure that they can perform their job in a HIPAA compliant manner.

CEs should tailor security awareness and training programs to the role and responsibilities of each employee, manager, associate, etc., who comes into contact with PHI. For complex roles, multiple training sessions may be required to cover different aspects of the HIPAA Rules.

Providing training can be costly and time-consuming, which may be off-putting. It is, however, necessary. We recommend that training is offered in shorter, more frequent sessions rather than one long session. This way, employees are more likely to stay focused and retain critical information.

By investing in training you will be helping employees do their jobs, protecting the privacy of patients, and will ensure that in the event of a compliance audit you will be able to demonstrate to regulators that you have taken HIPAA compliance seriously. Should auditors discover issues with HIPAA compliance, they will be more likely to provide technical assistance than to pursue a financial penalty.

Top Training Tips

To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.

Do try to keep training sessions short. This will make employees more likely to retain information and thus help prevent HIPAA violations. Remember: Ignorance is not considered an excuse for privacy breaches and other HIPAA violations.

Do provide regular training sessions. Each can focus on a different aspect of training, update staff on new developments, or just remind employees of the most important aspects of HIPAA Rules.

Do inform employees of the dangers of a PHI breach. These can include fines and legal action for the CE, privacy violations for patients, and even criminal charges in some situations. Such information can help highlight the need for HIPAA compliance.

Do include all levels of management in training. Everybody needs a refresher from time to time, and a lack of training provided to higher levels reflects poorly on the CE in an audit.

Don’t forget to keep clear records of when the training occurred, who was involved and what information was handed out. If OCR carries out an investigation or an audit, this information will need to be provided.

Don’t just read passages from the HIPAA text. Explain legal jargon and summarize important pieces of information. Try to ensure that participants not only know the required legislation but also understand how to enact it in their day-to-day roles.

Don’t go into the history of HIPAA – it is not essential information and is likely to cause participants to lose focus before you even begin. Having so much information thrown at you before you even get into the important information will alienate employees.

Sample Curriculum

Designing a training course can be complicated, and it can be difficult to decide what is appropriate for different employees. Here we describe a sample HIPAA training curriculum, which can be tailored as needed. Some modules – such as the Introduction to HIPAA – are core elements for all employees, while others are more suitable for specific roles. Who receives what training is at the discretion of the CE.

  1. Introduction to HIPAA – This should include a brief overview of HIPAA legislation, as well as detail the main aspects of the act. This should not, however, include a long introduction to the history of HIPAA.
    1. Why is HIPAA needed? – Though this may seem intuitive, there is no harm in reminding employees of why acts such as HIPAA are required. This can include case studies of recent incidents where HIPAA was breached.
    2. HIPAA terminology – HIPAA is a complex legislative act. It would be unreasonable to expect all employees to understand the terminology, so providing a “glossary” of common terms (e.g. “covered entity” and “protected health information”) will be hugely beneficial.
    3. Applicability of HIPAA – Knowing who has to abide by your HIPAA policies is essential for ensuring compliance.
  2. Covered Entities – A covered entity is an entity that creates healthcare information or uses healthcare data for providing healthcare, payment for healthcare, or performs healthcare operations and conducts healthcare transactions electronically. They must be HIPAA compliant, meaning they must ensure the confidentiality, integrity, and availability of PHI.
    1. Examples of CEs – Generally, any hospital, medical practitioner, healthcare clearinghouse or billing company is considered to be a CE.
    2. Are employers CEs? – Generally, employers are not considered to be CEs, though they often store some healthcare data of their employees.
  3. Business Associates – Business Associates are any organization or individual that is contracted by the CE to perform a service that requires contact with PHI. They must also be HIPAA-compliant, and thus any BA must train their employees on HIPAA requirements.
    1. Types of BA – BAs essentially include any external company hired by the CE to perform a service. This can range from management consultants to accountants and software providers. As long as they have access to PHI, they must be HIPAA-compliant.
    2. Business Associate Agreement – Before providing access to PHI to a BA, a CE must ensure that the BA signs a Business Associate Agreement. This is a legal document confirming they understand their responsibilities with respect to PHI and HIPAA.
  4. What is PHI? – Under the HIPAA Privacy Rule, certain classes of information are deemed to be “protected” and must remain confidential. They cannot be transmitted to or accessed by unauthorized personnel. Any employee that comes into contact with such information must be trained to identify it and treat it accordingly.
    1. Examples of PHI – PHI includes one of 18 identifiers in combination with health information relating to the past, present, or future that is used for providing healthcare, payment for healthcare, or healthcare operations.
  5. HIPAA Rules – Since it was originally written, many aspects of HIPAA have been amended. This includes the addition of many “rules” that address specific aspects of patient and data privacy. Most employees will deal with specific rules or aspects of the rules, so the next section can be tailored to their needs.
    1. Privacy Rule – The Privacy Rule defines PHI and also instructs CEs about allowable uses and disclosures of PHI. It also gives patients privacy rights, including the right to restrict disclosures of their private healthcare information to health insurers. The Privacy Rule also includes the Minimum Necessary Rule, which stipulates that only the minimum amount of information required to complete a task may be passed on to another authorized entity.
    2. Security Rule – The Security Rule addresses electronic PHI (ePHI). It outlines the administrative, physical and technical safeguards needed to protect health data.
    3. Enforcement Rule – To help ensure that HIPAA is being followed, the Enforcement Rule was introduced. It outlines the penalties for non-compliance, and gives the Department of Health and Human Services the ability to prosecute for HIPAA violations.
    4. Breach Notification Rule – The Breach Notification Rule stipulates that a CE or BA has 60 days after the discovery of a breach to notify the OCR, patients and the media.
    5. Omnibus Final Rule – The most recent addition to HIPAA, the Omnibus Rule addresses a wide range of areas and implements the requirements of the HITECH Act.
  6. HIPAA Password Policies
    1. Password strength – Passwords should contain a good mixture of upper- and lower-case letters, as well as numbers and special characters where permitted. Longer passwords are better. Check NIST advice and set policies and train employees accordingly.
  7. HITECH Act – The Health Information Technology for Economic and Clinical Health Act was introduced to help the healthcare sector adapt to the modern age.
    1. Meaningful use – Under the HITECH Act, those holding electronic health records (EHR) must show that there is a legitimate purpose for holding onto healthcare records. Initially optional, it is now mandatory for all healthcare providers.
    2. HITECH and HIPAA – Though separate from HIPAA, the HITECH Act is closely related to the act and reinforces the HIPAA Rules. Whilst HIPAA focuses on all aspects of privacy, the HITECH Act has a special focus on digital health records.
  8. Exceptions to HIPAA Privacy – Children and Minors
    1. Cases of abuse – Unfortunately, working in the healthcare profession, medics may come across distressing cases. If a CE has reasonable grounds to believe that a minor is being abused/neglected, the CE can choose not to disclose the patient’s health information to the child’s legal guardian. They may also inform the police or child services.
    2. Independent minors – If a minor has emancipated him/herself from their legal guardian, they must be treated as a legal adult.
    3. Legal requirements – If a court decides that someone other than the minor’s legal parent or guardian must make their medical decisions, that third party may access the child’s healthcare data.
  9. Patient Rights Under HIPAA
    1. Right to obtain, inspect, and correct PHI – Individuals have the right to obtain a copy of their PHI, have that information provided in electronic form, and inspect and request corrections. Staff should be made aware of these rights.
    2. Right to restrict disclosures of PHI – Staff should be informed about when patients can restrict disclosures and to whom.
    3. Right to a notice of privacy practices and accounting of disclosures – Staff should be made aware that patients must be provided with a notice of privacy practices and must be told to whom their protected health information has been disclosed.
  10. PHI Uses and Disclosures
    1. Uses and Disclosures – Healthcare employees must be told when disclosures of PHI are permitted and the allowable uses that do not require authorizations, including disclosures to friends and family members.
    2. HIPAA Authorizations – Employees should be aware that authorizations are needed before PHI is disclosed for reasons other than those permitted by the HIPAA Privacy Rule.
  11. Threats to Privacy
    1. Cybercrime – Regrettably, healthcare data is an increasingly prominent target for cybercriminals as it has huge value on the black market. Thus, cybercrime – primarily in the form of hacking – poses a huge threat to data privacy. Adopting some of the aforementioned policies and practices can help lessen the threat.
    2. Human error – All employees will make mistakes from time to time – it is completely normal. However, when this threatens patient privacy, such mistakes can have resounding consequences. It is essential that employees understand the potential dangers of HIPAA non-compliance and that they understand that they must report breaches.
  12. Penalties for Non-Compliance – For any piece of legislation to have authority, there must be adequate penalties to act as a deterrent. HIPAA is no exception. Ensuring employees have adequate understanding of the potential penalties for HIPAA non-compliance can help prevent breaches.
    1. Administrative fines – Financial penalties for HIPAA non-compliance can be as high as $1.5 million per violation category per year. Penalty amounts depend on the level of culpability.
    2. Personal fines – If an individual violates HIPAA and there was malicious intent behind their actions, they can face a personal fine of up to $250,000.
    3. Jail sentences – In some instances, if a violation is deemed sufficiently severe, an individual may be prosecuted and receive a jail sentence of up to 10 years.
  13. Security Awareness – All employees must be given security awareness training to help them identify threats and vulnerabilities to the confidentiality, integrity, and availability of PHI.
    1. Phishing awareness – It is important to train employees how to recognize phishing emails and the actions they should and should not take when such an email is received.
    2. Cyber Hygiene – It is important not to assume that individuals have a good understanding about cybersecurity best practices. Employees should be taught how to maintain good cyber hygiene to reduce risk.

HIPAA Refresher Training

It is essential to provide HIPAA training to all new employees as soon as possible after they join your company or organization, ideally during the onboarding process. Thereafter, HIPAA requires refresher training sessions to be provided periodically. It is left to the discretion of each CE and BA as to how often these refresher training sessions are provided, but be sure to develop a formal training policy and ensure it is followed.

It is a recognized best practice to provide refresher HIPAA training at least annually. This could be an annual training course to remind employees about the requirements of HIPAA, or shorter more frequent training courses spread throughout the year.

Security awareness training must also be provided periodically to comply with the HIPAA Security Rule. Security awareness training should be provided at least annually, but this is far from a checkbox item to ensure HIPAA compliance. Hackers and other cybercriminals actively target healthcare employees. Providing regular training on how to recognize and respond to threats such as suspicious emails will go a long way toward preventing data breaches. If you want to develop a security aware culture in your organization, you will need to provide security awareness refresher training sessions more regularly than annually.

Refresher HIPAA training and refresher security awareness training will not need to be as in depth as initial training, so much shorter sessions can be provided to remind employees about their responsibilities. As with the initial training, these sessions should be documented.

Recommended Elements of HIPAA Refresher Training Courses

As with initial HIPAA training, refresher training sessions should be tailored to each individual’s role and responsibilities. Some of the most important elements to include in these training sessions are listed below:

  1. Main HIPAA Regulatory Rules
  2. HIPAA and Social Media
  3. Threats to Patient Data
  4. Privacy Rule Uses and Disclosures
  5. HIPAA Compliance in Emergencies
  6. HIPAA Sanctions Policy
  7. Patient Rights under HIPAA
  8. How to be a HIPAA Compliant Employee
  9. Consequences of HIPAA Violations
  10. HIPAA Security Rule Safeguards
  11. Changes to HIPAA Policies and Procedures
  12. Reporting Potential HIPAA Violations

HIPAA Compliance Training: Summary

The phrasing of HIPAA legislation means it is up to covered entities and their business associates to determine how best to provide training to employees. Ultimately, it is necessary to provide sufficient training to allow employees to understand how to prevent PHI breaches and privacy violations, and to be aware of patient rights. Training should also be tailored to the roles of individual employees, which both maximizes efficiency and increases the likelihood of knowledge retention. The sample curriculum supplied here is a good base from which a full training course can be developed.

HIPAA Training FAQs

Who is responsible for organizing HIPAA training in a healthcare system?

The organization of HIPAA training is the responsibility of the HIPAA Privacy and Security Officers, although it should be a collaborative effort that involves nursing managers, HR, and IT – especially when a new policy, process, or technology is implemented. It may also be appropriate to use third-party consultants to conduct training when new HIPAA guidance is issued by HHS.

Does every staff member undergo the same HIPAA training?

HIPAA training should be relevant to each staff member’s role; and while there are areas of the Privacy, Security, and Breach Notification Rules that should be included in all HIPAA training courses, training should be designed so each staff member can fulfil their role in compliance with HIPAA.

How regularly should risk analyses be conducted by CEs and BAs?

Each time there is a change of policy, process, or technology, a risk assessment should be carried out to determine the impact the new policy, process, or technology will have on HIPAA compliance. CEs and BAs should then analyze the results of the risk assessment (and document the analysis) in order to determine if any additional training is necessary.

Should the frequency of HIPAA training be the same for BAs as CEs?

BAs have the same HIPAA training obligations as CEs to make sure their workforce is capable of performing duties in a HIPAA-compliant manner, and therefore the frequency of HIPAA training should be “as necessary”. However, while the training obligations remain the same, it is likely a BA will have a less diverse workforce than a CE, and managing the training requirements should be simpler.

How long does documentation relating to training courses have to be retained?

All HIPAA-related documentation has to be retained for six years from the date it was last used. Therefore, all risk assessments and analyses must be retained for six years, as must the content of training courses and documentation relating to who attended the courses and when. For example, if a CE developed a training course in 2015 and refreshed it in 2019, the content of the original training course has to be retained until 2025.
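The record-keeping described above (who was trained, when, and on which materials), the annual refresher recommendation, and the six-year retention period can be tracked with a small script. The following is an added example, not code from the original article; the record layout, the employee names and the session dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

REFRESHER_INTERVAL_DAYS = 365   # refresher at least annually (recommended best practice)
RETENTION_YEARS = 6             # documentation retained six years from the date last used


@dataclass(frozen=True)
class TrainingRecord:
    """One documented training session: who, what (course and materials version), when."""
    employee: str
    course: str
    completed: date
    materials_version: str


# Constructed sample records (hypothetical employees, courses and dates).
SAMPLE_RECORDS = [
    TrainingRecord("a.jones", "HIPAA-101", date(2018, 2, 10), "v2015"),
    TrainingRecord("a.jones", "HIPAA-101", date(2019, 1, 15), "v2015"),  # last use of 2015 materials
    TrainingRecord("a.jones", "HIPAA-101", date(2020, 1, 20), "v2019"),
    TrainingRecord("b.smith", "HIPAA-101", date(2019, 9, 3), "v2019"),
    TrainingRecord("b.smith", "SEC-AWARE", date(2020, 11, 30), "v2020"),
    TrainingRecord("c.lee", "HIPAA-101", date(2020, 8, 12), "v2019"),
]


def retention_until(last_used: date) -> date:
    """Date until which a document must be kept: six years after it was last used."""
    try:
        return last_used.replace(year=last_used.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no leap day six years on
        return last_used.replace(year=last_used.year + RETENTION_YEARS, day=28)


def overdue_refreshers(records, as_of: date):
    """(employee, course, days since last session) for everyone past the annual refresher."""
    latest = {}
    for r in records:
        key = (r.employee, r.course)
        if key not in latest or r.completed > latest[key].completed:
            latest[key] = r
    return sorted(
        (emp, course, (as_of - rec.completed).days)
        for (emp, course), rec in latest.items()
        if (as_of - rec.completed).days > REFRESHER_INTERVAL_DAYS
    )


def course_retention_schedule(records):
    """For each (course, materials version): the retention date derived from its last use."""
    last_used = {}
    for r in records:
        key = (r.course, r.materials_version)
        last_used[key] = max(last_used.get(key, r.completed), r.completed)
    return {key: retention_until(d) for key, d in last_used.items()}


if __name__ == "__main__":
    for emp, course, days in overdue_refreshers(SAMPLE_RECORDS, date(2021, 3, 1)):
        print(f"OVERDUE {emp:10} {course:10} last trained {days} days ago")
    for (course, version), until in sorted(course_retention_schedule(SAMPLE_RECORDS).items()):
        print(f"RETAIN  {course:10} {version:6} until {until}")
```

With the sample records, the 2015 materials were last used on 15 January 2019 and must therefore be kept until 15 January 2025, matching the article's example.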