HIPAA training for employees and other members of the workforce must go beyond the mandatory HIPAA training requirements of the HIPAA Privacy Rule and HIPAA Security Rule in order to prevent avoidable HIPAA violations attributable to a lack of knowledge. However, workforce training should not be the sole responsibility of employers.
Every year, the Department of Health and Human Services' (HHS) Office for Civil Rights receives around 6,000 justified HIPAA complaints and more than 60,000 notifications of HIPAA data breaches. The leading cause of justified HIPAA complaints is impermissible uses and disclosures of Protected Health Information (PHI), while employee errors account for almost 30% of data breaches. Many of these HIPAA compliance failures are avoidable.
In response to complaints and breach notifications, HHS' Office for Civil Rights conducts compliance reviews and investigations. Most HIPAA compliance issues are resolved by technical assistance, changes to privacy practices, and corrective actions. Around one hundred cases each year are referred to the Department of Justice for criminal investigation, while an average of eleven cases each year are resolved by financial settlements or civil monetary penalties.
Even when investigations do not result in criminal or civil penalties, compliance reviews are disruptive. Furthermore, when HHS' Office for Civil Rights requires changes to privacy practices and corrective actions, the changes can impact workplace operations and delay the delivery of healthcare while the workforce becomes accustomed to new procedures. Many of these disruptions can be avoided if the compliance failures that prompt investigations are eliminated.
In 2023, hundreds of healthcare workers were invited to complete a HIPAA Awareness Assessment. The results of the assessments suggest that more than 50% of participants lacked a comprehensive understanding of HIPAA standards. However, the low pass rate was not attributable to a lack of HIPAA employee training. More than 87% of participants said they received HIPAA training at least annually.
In the context of the complaints and notifications received by HHS' Office for Civil Rights mentioned above, 49% of participants believed they had witnessed an impermissible use or disclosure of PHI (including snooping and gossiping), while 61% of participants failed the segment of the assessment relating to computer safety rules; the most common compliance issues were password sharing and the failure to log off.
What the results imply is that healthcare employers are complying with, or surpassing, the mandatory HIPAA training requirements. However, because the HIPAA training requirements focus on policies and procedures and security awareness, it is possible for gaps to exist in employees' knowledge. A lack of additional "introductory" knowledge could also be responsible for employers' HIPAA training on policies and procedures being misunderstood.
From this research, it is reasonable to conclude that the way to eliminate many avoidable HIPAA compliance failures is to provide additional introductory HIPAA employee training to all members of the workforce, ideally before they undergo policy and procedure or security awareness training. The provision of introductory HIPAA compliance training would give employees a solid foundation in HIPAA compliance and would ensure employers' HIPAA policy and procedure training is better understood.
Introductory HIPAA training for employees consists of the information all members of the workforce need to know to avoid impermissible disclosures of PHI. It includes topics such as what is PHI, why it needs protecting, and the consequences of disclosing PHI impermissibly. The consequences should not only focus on sanctions, but also the possibility of identity theft and loss of trust that can negatively affect the provision or effectiveness of healthcare.
It can also be helpful to explain what uses and disclosures of PHI are permitted, when conditions or restrictions apply to permitted uses and disclosures (i.e., attestations and agreed privacy protections), and the importance of verifying the identities of individuals requesting access to PHI. This type of HIPAA training for employees should be supported by an explanation of the minimum necessary standard and when it applies.
It may also be important to explain patients' HIPAA rights in introductory HIPAA training for employees to avoid scenarios in which a complaint is escalated to HHS' Office for Civil Rights due to a misunderstanding. This can be covered generally by providing all members of the workforce with a copy of the Notice of Privacy Practices. However, it will still be necessary to explain to public-facing employees the procedures to follow when patients exercise their rights.
With regards to cybersecurity, it is advisable to assume all employees have minimal cybersecurity skills. Although many may be aware of the risks of sharing passwords and failing to log off, some may not understand why specific services are not suitable for communicating PHI or why they should not download unsanctioned apps "to get the job done". It is best to cover introductory cybersecurity training before any employee has access to electronic PHI.
The provision of introductory HIPAA training supports HIPAA compliance by mitigating the risk that a member of the workforce with no authorized access to PHI inadvertently discloses PHI due to a lack of knowledge. For example, if an inexperienced member of the environmental services or catering team identifies a celebrity entering a healthcare facility, they will be less likely to share that information impermissibly on social media when their shift finishes.
Alternatively, if a "behind-the-scenes" employee is asked about the wellbeing of a patient by a hospital visitor, they will know to check the person's identity, confirm the patient has given their consent for family members to be kept informed of their condition, and only disclose the minimum permissible PHI. These processes are not necessarily included in policy and procedure training, and often not explained to employees who do not have public-facing roles.
Similarly, if a member of the medical team needs to communicate the condition of a patient to a colleague, the provision of introductory HIPAA training might prevent them from using their personal mobile device to send a WhatsApp message to the colleague. While sharing PHI with a colleague for healthcare purposes is a permissible disclosure of PHI, the use of WhatsApp on a personal device to share the information is a violation of HIPAA because the channel of communication does not support HIPAA compliance.
Finally, the provision of introductory HIPAA compliance training provides employees with a better understanding of the terminologies used in HIPAA policy and procedure training. Examples of terms that might result in misunderstandings include "designated record sets", "healthcare operations", and "direct/indirect treatment relationships". By understanding what these terms mean prior to undertaking HIPAA policy and procedure training, employees are more likely to understand, and comply with, the content of policy and procedure training.
HIPAA covered entities and business associates are required to protect against "reasonably anticipated" impermissible disclosures of electronic PHI (§164.306) and conduct a risk analysis to identify risks to the confidentiality of electronic PHI (§164.308). If a risk analysis identifies a reasonably anticipated impermissible disclosure attributable to a lack of HIPAA knowledge, the covered entity/business associate must provide the necessary training.
However, employees cannot assume that a risk analysis will identify the need for more HIPAA training, or that a covered entity/business associate will provide the necessary training. In this case, it is recommended employees take responsibility for their knowledge of applicable HIPAA standards and terminologies by investing in a third party training course, ideally an accredited course that concludes with a test and certification of completion.
The benefit of taking responsibility for one's own HIPAA knowledge and understanding is that it can reduce the risk of unintentional HIPAA violations and the possibility of identity theft or a loss of trust. Taking responsibility for one's own knowledge and understanding can also prevent the application of sanctions for violations of the HIPAA Privacy Rule, particularly violations of standards that have not been covered in policy and procedure training.
The reason employees can be sanctioned for violations of standards not covered in training is that §164.530 of the HIPAA Privacy Rule requires covered entities to apply sanctions against members of the workforce who violate any HIPAA Privacy Rule standard. A similar standard applies (§164.308) to members of the workforce who fail to comply with policies or procedures developed to comply with the HIPAA Security Rule.
It is advisable to provide/take introductory training at the earliest possible opportunity. As mentioned above, an inexperienced member of the workforce with no knowledge of HIPAA or with few cybersecurity skills could easily disclose PHI accidentally due to a lack of knowledge. Thereafter, Privacy Rule policy and procedure HIPAA training must be provided "within a reasonable period of time" or as mandated by the state. For example, in Texas, policy and procedure training must be provided within 90 days.
With regards to how often subsequent HIPAA employee training should be provided, it is recommended that refresher HIPAA training is provided at least annually. Depending on what "material change" training has taken place during the year, annual training could be a repeat of the policy and procedure training or a repeat of the introductory HIPAA training. It could also be combined with other annual mandatory requirements (e.g., OSHA's bloodborne pathogen training, CMS' emergency planning training, etc.).
However, refresher HIPAA training for employees can also be required as a workforce sanction or as a sanction imposed by HHS' Office for Civil Rights following enforced changes to privacy practices or corrective action plans. In such circumstances, it may not be advisable to repeat a previously provided HIPAA course, or to combine "sanction training" with OSHA or CMS training, as this may limit how much of the knowledge required to prevent a repeat of the sanctionable event is absorbed.
In most cases, the content of annual HIPAA training for employees should be determined by a risk assessment. As covered entities and business associates are required to "perform a periodic technical and nontechnical evaluation" of compliance with the HIPAA Security Rule (§164.308(a)(8)), and "review and modify the security measures implemented [...] as needed" to protect electronic PHI (§164.306(e)), it makes sense to include risks attributable to a lack of technical and nontechnical HIPAA knowledge in HIPAA risk analyses.
HIPAA training certification signifies an employee has completed a HIPAA training course and passed a test at the end of the course. Provided the HIPAA course is accredited by a recognized training assessor – for example, by the American Health Information Management Association (AHIMA) – covered entities can use the HIPAA training certification to demonstrate a good faith effort to eliminate foreseeable HIPAA violations attributable to a lack of workforce knowledge.
Employees who take responsibility for their knowledge of applicable HIPAA standards and terminologies by investing in a third party training course not only reduce the likelihood of violating a HIPAA Privacy Rule standard, but can also use the HIPAA training certification to demonstrate a commitment to compliance. This can mitigate the level of sanctions applied by a covered entity or business associate in the event of an accidental HIPAA violation.
HIPAA training certification can also be beneficial to medical students and jobseekers who can demonstrate to prospective employers they have the knowledge required to respect the privacy and security of PHI. However, as students need to be more careful about how PHI is used in reports, and jobseekers may not have witnessed "HIPAA in action", both categories of trainees should ensure the chosen HIPAA course meets their long-term requirements.
It is important to remember that introductory HIPAA training is additional to an employer's HIPAA training for employees on policies and procedures and security awareness. The certification awarded at the end of the HIPAA course demonstrates a knowledge of HIPAA, not that the employee (or the employer) is HIPAA compliant. Nonetheless, passing an introductory HIPAA training course is a good first step to becoming a HIPAA-compliant employee.
Most covered entities and business associates acknowledge that complying with the mandated HIPAA training requirements for employees is not sufficient to mitigate the risk of avoidable HIPAA violations attributable to a lack of workforce knowledge. While gaps in knowledge can be resolved by the provision of an introductory HIPAA course, some covered entities may feel that training employees on basic privacy and security is not their responsibility.
As workforce members can be sanctioned for violating the HIPAA Privacy Rule due to a lack of knowledge, it is in their best interests to ensure that, if an introductory HIPAA course is not provided by their employer, they take responsibility for their knowledge of HIPAA. Third party HIPAA training courses can help fill gaps in knowledge, but it is important to check that the course curriculum covers the information required, that it is provided by an accredited provider, and that it awards a certificate following an end of course test.
There are two federal requirements for HIPAA training. The first is that covered entities must provide policy and procedure training "to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce" (45 CFR § 164.530), and the second is that covered entities and business associates "implement a security and awareness training program for all members of the workforce" (45 CFR § 164.308).
Policy and procedure training must be provided "as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity" and repeated whenever there is a "material change" to the policies and procedures. The security and awareness training program does not have to be exclusively focused on HIPAA, but it is a good idea to use HIPAA as an explanation for why certain security controls and configurations exist.
The organization of HIPAA training in a healthcare organization is the responsibility of the HIPAA Privacy and Security Officers, although it should be a collaborative effort that involves nursing managers, HR, and IT, especially when a new policy, process, or technology is implemented. It may also be appropriate to use third party consultants to conduct HIPAA employee training when new HIPAA guidance is issued by HHS.
Every staff member should undergo the same introductory HIPAA training in order to ensure all staff members have the same baseline of HIPAA knowledge. Every staff member should also undergo the same security awareness training. Thereafter, HIPAA policy and procedure training should be relevant to each staff member's role and designed so each staff member can fulfill their role in compliance with HIPAA.
Risk analyses should be conducted periodically and each time there is a change of policy, process, or technology. The risk assessment should determine the impact a new policy, process, or technology will have on HIPAA compliance, and the results should be analyzed to determine if any additional or material change training is necessary.
The frequency of HIPAA training should be determined by material changes, risk analyses, and workforce sanctions regardless of the HIPAA status of an organization. Business associates may have the same training obligations as covered entities under certain circumstances, but this does not mean the frequency of HIPAA training has to be the same.
Documentation relating to HIPAA courses has to be retained by a covered entity or business associate for six years from the date it was last in effect. Therefore, all risk assessments and analyses must be retained for a minimum of six years, as must the content of training courses and documentation relating to who attended the courses and when. For example, if an organization developed a HIPAA course in 2018 and refreshed it in 2022, the content of the original HIPAA course has to be retained until 2028.
HIPAA training for employees is never completed. This is because whenever new regulations, policies, working practices, or technologies are introduced, employees require refresher training to ensure the new regulations, policies, working practices, or technologies are applied in compliance with HIPAA. Furthermore, security and awareness training must be ongoing.
HIPAA training should be done on a regular basis to prevent poor compliance practices developing into a cultural norm. Most sources recommend training is repeated annually, but refresher training may also be necessary due to a material change, the outcome of a risk analysis, or a sanction. Due to the speed at which cybersecurity threats evolve and increase in sophistication, security and awareness training should be done monthly.
HIPAA training is necessary so that all members of the workforce understand the importance of protecting patient data from unauthorized uses and disclosures. Consequently, HIPAA compliance training should not only be about policies and procedures, but also why the policies and procedures exist and the consequences of HIPAA violations to employers, employees, and patients.
At present, there are no states that require covered entities or business associates to provide annual HIPAA training for employees despite it being a recognized best practice to reduce HIPAA violations and data breaches. Other regulations have mandatory annual training requirements into which HIPAA refresher training can be incorporated (e.g., OSHA's bloodborne pathogens training), while personnel employed by the Defense Health Agency are required to undergo Privacy Act and HIPAA privacy training annually.
HIPAA training provided by an employer does not expire unless a change in policies or procedures affects your role, a need for additional training is identified in a risk analysis, or you change jobs and work for another employer who has different policies and procedures. Certified HIPAA training sometimes has an expiration date applied by the training provider. However, regardless of any expiration date, it is a best practice to refresh your knowledge of HIPAA at least annually.
New employees must complete HIPAA training "within a reasonable period of time after the person joins the covered entity's workforce", ideally after having completed an introductory HIPAA course. New employees of a business associate are required to take part in a security and awareness training program, but HIPAA does not stipulate how soon this is required after the person joins the workforce, although ideally it should be before they are exposed to electronic PHI.
All HIPAA documentation has to be maintained for six years after the event(s) the document(s) relate to. Therefore, if an employee signed an attestation that they received HIPAA privacy training in 2018, and refresher training wasn't provided until 2021, the original attestation will have to be kept until 2027. The same principle applies if refresher or additional privacy training is provided as the result of a policy change, risk assessment, corrective action order, or employee sanction.
There are various kinds of HIPAA training one can take to get certified. Some HIPAA courses are role specific, whereas others provide general HIPAA privacy training. Both types of courses can be beneficial to job seekers, while general HIPAA privacy training is often used by employers to provide periodic refresher training, with a copy of the certificate being used as documentation that training was provided in the event of an OCR audit, investigation, or inspection.
The responsibility for training all employees on HIPAA depends on the size of an organization, the nature of its operations, and the available resources. In smaller organizations, a healthcare administrator will likely be responsible for HIPAA Privacy Rule training, while a senior member of the IT team will be responsible for HIPAA Security Rule training. Sometimes, one person will fill both roles. In larger organizations, the responsibility for training all employees on HIPAA is shared between a compliance team led by a HIPAA Privacy Officer and a HIPAA Security Officer.
The HIPAA training that is required is stipulated by §164.530 of the HIPAA Privacy Rule ("policy and procedure" training and "material change" training) and §164.308 of the HIPAA Security Rule (security and awareness training). Further HIPAA training may be required if a need for HIPAA employee training is identified in a risk analysis or if further HIPAA compliance training is required as a sanction for a HIPAA violation.
The length of HIPAA training per session will be dependent on the amount of content included in the session, the number of people attending the session, and the volume of questions asked during and after the session. Ideally, training sessions should be no longer than 60 minutes so information is retained. In terms of how long HIPAA training takes in total, training should be ongoing and refreshed at least annually to help employees remain compliant with HIPAA.
HIPAA training is never completed. This is because whenever new regulations, policies, working practices, or technologies are introduced, members of the workforce are required to receive "material change" training on the new regulations, policies, working practices, or technologies and how the changes should be applied in compliance with HIPAA. Furthermore, HIPAA refresher training should be provided at least annually to help support HIPAA compliance.
Additionally, the security and awareness training required under the Administrative Requirements of the HIPAA Security Rule is a program rather than a one-off event. There should be no beginning and end to the security and awareness training program, only updates on changes to the threat landscape and the increasing sophistication of threats, and training on how members of the workforce can reduce their susceptibility to threats.
You need HIPAA training when you first start working with a covered entity or business associate so you are familiar with the policies and procedures relating to HIPAA. Because each covered entity and business associate has its own HIPAA policies and procedures, you will also need to retake training if you leave your job and go to work for another covered entity or business associate.
While working for the same covered entity or business associate, you will need refresher HIPAA training if there is a "material change" to a HIPAA policy or procedure that affects your role. You may also need refresher training when a risk assessment identifies a need for further training, when your employer receives a complaint that can be resolved by training, or when training is required as a sanction, either from your employer or from HHS' Office for Civil Rights.
HIPAA training for employees is important because it explains how employees should protect patient privacy and ensure the confidentiality, integrity, and availability of PHI to perform their duties without violating HIPAA regulations. Refresher training is equally important to prevent bad habits and compliance shortcuts deteriorating into cultural norms of non-compliance.
HIPAA training is necessary so that employees, students, and volunteers understand why protecting patient data from unauthorized uses and disclosures is crucial to the organization they work for, for the patients they care for, and for themselves. In some cases, the failure to comply with the lessons learned in HIPAA training can end an individual’s career.
HIPAA patient privacy training is necessary for all members of the workforce, but particularly those with public-facing roles. HIPAA patient privacy training explains the requirements of the Privacy Rule in relation to patients' rights, permissible uses and disclosures of patient data, and the minimum necessary standard which states when you should limit disclosures of PHI.
Everybody who qualifies as a member of a covered entity's or business associate's workforce is required to have HIPAA training. This not only means employees have to be trained on HIPAA policies, but also volunteers, students, and contractors who may encounter Protected Health Information in visual, verbal, written, or electronic form.
Every member of a covered entity's or business associate's workforce must take HIPAA training, including students, volunteers, and contractors. The nature of training will vary according to the activities of the organization and individuals' functions, but it is necessary for everyone to understand what PHI is, why it should be protected, and how it is protected.
The requirement for all members of the workforce to take HIPAA security and awareness training extends to employees who do not have access to PHI. This is because hackers look for any access point to an organization's network regardless of an individual employee's access permissions. Once inside the network, hackers can move laterally across the network to seek vulnerabilities that will provide them with unauthorized access to PHI.
HIPAA training is valid until you change jobs and work for a different employer with different policies and procedures. Additionally, some of your initial HIPAA training may be superseded if your current employer changes HIPAA-related policies or procedures due to a change in the law, as the result of a risk assessment, or in response to a patient complaint or investigation. You can ensure your HIPAA training remains valid by retaking HIPAA training at least annually.
HIPAA training does not expire unless you change jobs and work for another covered entity or business associate. This is because each covered entity and business associate is required to develop their own HIPAA-compliant policies and procedures. Therefore, when you go to work for a new organization that is a covered entity or business associate, the new organization will likely have different HIPAA-compliant policies and procedures from those you have been trained on.
Although HIPAA training does not expire, most covered entities provide annual refresher training to prevent bad habits and compliance shortcuts deteriorating into a culture of non-compliance. The refresher training can repeat initial "policy and procedure" training, or repeat introductory HIPAA training depending on what has been determined by a risk analysis or depending on the nature of violations that have occurred since the last time training was provided.
The HIPAA compliance training requirements for new hires vary according to whether the employer is a covered entity or a business associate. Covered Entities must train new hires on policies and procedures and the HIPAA Breach Notification Rule (as required by the HIPAA Privacy Rule) and include them in a security and awareness training program (as required by the HIPAA Security Rule).
Business associates are only required to provide a security and awareness training program unless elements of the HIPAA Privacy Rule apply to the new hire's role. In such cases, it is necessary to train the new hire on the elements of the HIPAA Privacy Rule that apply to their functions, and explain the procedures for reporting unauthorized disclosures and security incidents.
Covered entities' new hires must complete their initial HIPAA training "within a reasonable period of time after the person joins the covered entity's workforce", ideally before they are put into an unsupervised situation in which they could inadvertently and impermissibly disclose PHI. New hires of covered entities and business associates must also take part in a security and awareness training program. HIPAA does not stipulate how soon this is required after the new hires start working, but HIPAA security training should start prior to a new hire having unsupervised access to electronic PHI.
The best way to prepare a new hire for HIPAA training is to provide the new hire with introductory HIPAA training that covers the basics of HIPAA compliance, for example, topics such as why HIPAA exists, what HIPAA protects, and what PHI is. This will ensure every new hire entering policy and procedure training has the same level of knowledge and will put the content of the policy and procedure training into context.
Training documentation is necessary for HIPAA compliance because, in the event of an inspection or audit by HHS' Office for Civil Rights, the documentation not only shows that training has been provided, but could determine liability for a HIPAA violation if liability is dependent on whether a covered entity failed to provide "necessary and appropriate" training (i.e., based on a risk analysis), or whether an employee failed to apply the training while carrying out their duties, resulting in a HIPAA violation.
HIPAA training for mental health professionals differs from HIPAA training for general health professionals inasmuch as a mental health professional will need to know about the different disclosure rules that apply to (for example) psychotherapy notes, risks of self-harm, and threats to others. There are also times when HIPAA is preempted by state or federal drug abuse confidentiality regulations, and these will affect the content of HIPAA training for mental health professionals.
Employee HIPAA training is required annually for employees of the Defense Health Agency. It is recommended, rather than required, that employees of other organizations receive employee HIPAA training annually to maintain their knowledge of HIPAA rules and regulations and to stay informed of any changes that may have occurred but which do not affect their roles directly.
The nature of HIPAA training for office staff can be the same as HIPAA training for public facing employees depending on the roles of the office staff. In some cases, HIPAA training for office staff can include more administrative areas of HIPAA compliance such as document retention and the content of Notices of Privacy Practices or Business Associate Agreements, while public facing employees will learn more about permissible verbal disclosures of PHI and verification requirements.
The HIPAA Guide is a registered trademark. Copyright © 2007-2024 The HIPAA Guide. All rights reserved.