Strangely, while training employees on HIPAA requirements is absolutely necessary, the requirements laid out in the legislation regarding training are limited. This is in part due to the fact that HIPAA covers a broad range of covered entities (CEs) and their business associates (BAs). The training requirements for a healthcare clearinghouse will naturally be different to those of a healthcare provider, so it is left to the discretion of each covered entity to determine what is reasonable and appropriate. The main reason why specific information on the required content of training courses is not provided is that it makes the HIPAA legislation timeless: when training best practices change, the HIPAA text does not need to be updated.
Training is required under the administrative requirements of the HIPAA Privacy Rule and also under the administrative safeguards of the HIPAA Security Rule. Neither provides very comprehensive information on what is required in terms of training. They state that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule). There is also the requirement to provide additional training to staff members when “functions are affected by a material change in policies or procedures.”
Regrettably, this lack of certainty regarding HIPAA training does lend itself to confusion. Despite the lack of clear rules, should a breach of Protected Health Information (PHI) occur and it is found that staff weren’t adequately trained, the CE and BAs may be issued with a fine by the Office for Civil Rights (OCR).
To prevent such a breach happening, it is essential that regular risk analyses are conducted by CEs and BAs. These will help to establish the role each employee has with respect to PHI. From the risk analysis, CEs and BAs can determine what training is appropriate for each employee’s role. The purpose of HIPAA training is to make each employee aware of the requirements of HIPAA to ensure that they can perform their job in a HIPAA compliant manner.
CEs should tailor security awareness and training programs to the role and responsibilities of each employee, manager, associate etc., that comes in contact with PHI. For complex roles, multiple training sessions may be required to cover different aspects of the HIPAA Rules.
Providing training can be costly and time-consuming, which may be off-putting. It is, however, necessary. We recommend that training sessions are offered in shorter, frequent sessions rather than one long session. This way, employees are more likely to stay focused and retain critical information.
By investing in training you will be helping employees do their jobs, protecting the privacy of patients, and will ensure that in the event of a compliance audit you will be able to demonstrate to regulators that you have taken HIPAA compliance seriously. Should auditors discover issues with HIPAA compliance, they will be more likely to provide technical assistance than to pursue a financial penalty.
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.
Do try to keep training sessions short. This will make employees more likely to retain information and thus help prevent HIPAA violations. Remember: Ignorance is not considered an excuse for privacy breaches and other HIPAA violations.
Do provide regular training sessions. Each can focus on a different aspect of training, update staff on new developments, or just remind employees of the most important aspects of HIPAA Rules.
Do inform employees of the dangers of a PHI breach. These can include fines and legal action for the CE, privacy violations for patients, and even criminal charges in some situations. Such information can help highlight the need for HIPAA compliance.
Do include all levels of management in training. Everybody needs a refresher from time to time, and a lack of training provided to higher levels reflects poorly on the CE in an audit.
Don’t forget to keep clear records of when the training occurred, who was involved and what information was handed out. If OCR carries out an investigation or an audit, this information will need to be provided.
Don’t just read passages from the HIPAA text. Explain legal jargon and summarize important pieces of information. Try to ensure that participants both know the required legislation but also understand how to enact it in their day-to-day roles.
Don’t go into the history of HIPAA – it is not essential information and is likely to cause participants to lose focus before you even begin. Having so much information thrown at you before you even get into the important information will alienate employees.
Designing a training course can be complicated, and it can be difficult to decide what is appropriate for different employees. Here we describe a sample HIPAA training curriculum, which can be tailored as needed. Some modules – such as the Introduction to HIPAA – are core elements for all employees, while others are more suitable for specific roles. Who receives what training is at the discretion of the CE.
It is essential to provide HIPAA training to all new employees as soon as possible after they join your company or organization, ideally during the onboarding process. Thereafter, HIPAA training requirements are for refresher training sessions to be provided periodically. It is left to the discretion of each CE and BA as to how often these refresher training sessions are provided, but be sure to develop a formal training policy and ensure it is followed.
It is a recognized best practice to provide refresher HIPAA training at least annually. This could be an annual training course to remind employees about the requirements of HIPAA, or shorter more frequent training courses spread throughout the year.
Security awareness training must also be provided periodically to comply with the HIPAA Security Rule. Security awareness training should be provided at least annually, but this is far from a checkbox item to ensure HIPAA compliance. Hackers and other cybercriminals actively target healthcare employees. Providing regular training on how to recognize and respond to threats such as suspicious emails will go a long way toward preventing data breaches. If you want to develop a security aware culture in your organization, you will need to provide security awareness refresher training sessions more regularly than annually.
Refresher HIPAA training and refresher security awareness training will not need to be as in depth as initial training, so much shorter sessions can be provided to remind employees about their responsibilities. As with the initial training, these sessions should be documented.
As with initial HIPAA training, refresher training sessions should be tailored to each individual’s role and responsibilities. Some of the most important elements to include in these training sessions are detailed in the table below:
| Main HIPAA Regulatory Rules | HIPAA and Social Media | Threats to Patient Data |
| Privacy Rule Uses and Disclosures | HIPAA Compliance in Emergencies | HIPAA Sanctions Policy |
| Patient Rights under HIPAA | How to be a HIPAA Compliant Employee | Consequences of HIPAA Violations |
| HIPAA Security Rule Safeguards | Changes to HIPAA Policies and Procedures | Reporting Potential HIPAA Violations |
The phrasing of HIPAA legislation means it is up to covered entities and their business associates to determine how best to provide training to employees. Ultimately, it is necessary to provide sufficient training to allow employees to understand how to prevent PHI breaches and privacy violations, and to be aware of patient rights. Training should also be tailored to the roles of individual employees, which both maximizes efficiency and increases the likelihood of knowledge retention. The sample curriculum supplied here is a good base from which a full training course can be developed.
The organization of HIPAA training is the responsibility of the HIPAA Privacy and Security Officers; although it should be a collaborative effort that involves nursing managers, HR, and IT – especially when a new policy, process, or technology is implemented. It may also be appropriate to use third party consultants to conduct training when new HIPAA guidance is issued by HHS.
HIPAA training should be relevant to each staff member's role; and while there are areas of the Privacy, Security, and Breach Notification Rules that should be included in all HIPAA training courses, training should be designed so each staff member can fulfil their role in compliance with HIPAA.
Each time there is a change of policy, process, or technology, a risk assessment should be carried out to determine the impact the new policy, process, or technology will have on HIPAA compliance. CEs and BAs should then analyze the results of the risk assessment (and document the analysis) in order to determine if any additional training is necessary.
BAs have the same HIPAA training obligations as CEs to make sure their workforce is capable of performing duties in a HIPAA-compliant manner, and therefore the frequency of HIPAA training should be “as necessary”. However, while the training obligations remain the same, it is likely a BA will have a less diverse workforce than a CE, and managing the training requirements should be simpler.
All HIPAA-related documentation has to be retained for six years from the date it was last used. Therefore, all risk assessments and analyses must be retained for six years, as must the content of training courses and documentation relating to who attended the courses and when. For example, if a CE developed a training course in 2015 and refreshed it in 2019, the content of the original training course has to be retained until 2025.