While providing employees of Covered Entities (CEs) and Business Associates (BAs) with HIPAA training is a requirement of the Health Insurance Portability and Accountability Act, the text of the Act says very little about what type of training should be provided.
The reason for this is that HIPAA applies to a broad range of organizations, and the training needs of one type of organization (e.g., a healthcare provider) will naturally differ from those of another (e.g., a healthcare clearinghouse).
Nonetheless, the HIPAA Privacy Rule requires training to be provided “as necessary and appropriate for the members of the workforce to carry out their functions” and to each member of the workforce whose “functions are affected by a material change in the policies or procedures”. Furthermore, the Security Rule stipulates that CEs and BAs must implement “a security awareness and training program for all members of its workforce (including management)”.
Regrettably, this lack of specificity about the content of a HIPAA training course can cause confusion. The lack of clear rules is no defense, however: should a breach of Protected Health Information (PHI) occur and it is found that staff were not adequately trained on HIPAA-compliant policies and procedures, CEs and BAs may be fined by HHS’ Office for Civil Rights (OCR).
To help prevent avoidable breaches, regular risk assessments should be conducted to establish the role each employee has with respect to PHI. From the results of the risk assessments, CEs and BAs can determine what training is appropriate for each employee’s role; the objective of HIPAA training being to ensure each employee is aware of the requirements of HIPAA and can perform their job in a HIPAA-compliant manner.
Arranging and providing training can be costly and time-consuming. It is, however, necessary. Furthermore, by investing in training, you will be helping employees do their jobs, protecting the privacy of patients, and ensuring that – in the event of a compliance audit or investigation into a data breach or patient complaint – you will be able to demonstrate to regulators that you have taken HIPAA compliance seriously.
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training. We recommend that training is offered in short, frequent sessions rather than one long session. This way, employees are more likely to stay focused and retain critical information.
Do provide regular training sessions. Each can focus on a different aspect of training, update staff on new developments, or just remind employees of the most important aspects of HIPAA Rules.
Do inform employees of the consequences of a PHI breach. These can include fines and legal action for the CE, privacy violations for patients, and even criminal charges against employees in some situations.
Do include all levels of management in training. Everybody needs a refresher from time to time, and a lack of training provided to higher levels reflects poorly on the CE in an audit.
Don’t forget to document what training is provided, who it is provided to, and which subjects are covered. If OCR carries out an investigation or an audit, this information will need to be provided.
Don’t just read passages from the HIPAA text. Explain legal jargon and summarize important pieces of information. Try to ensure that participants not only know what the legislation requires but also understand how to apply it in their day-to-day roles.
Don’t go too deeply into the history of HIPAA. While it is important to understand why HIPAA was enacted, it is more important employees are aware of the key regulations that directly impact their roles.
To further help CEs and their business associates meet the obligations and objectives of HIPAA training, we have prepared three sample curricula. The first – “Basic HIPAA Training” – could be used either as a foundation course or as a refresher course. The second curriculum – “Comprehensive HIPAA Training” – contains modules that will be relevant to employees in specific roles; while the third curriculum – “HIPAA Training for Students” – contains selected elements from both the Basic and Comprehensive curricula, along with student-specific modules.
The Basic Training sample curriculum covers areas of HIPAA that will be common to all roles. As mentioned above, this curriculum could be used as a foundation course for new employees (provided it is supplemented with comprehensive role-based HIPAA training) or as refresher training.
An overview of HIPAA is a good place to start any HIPAA Training course as it ensures all employees have the same understanding of the purpose of the Act, what its objectives are, and who it applies to in the context of preventing unauthorized access to PHI.
The content of HIPAA is deliberately flexible and consequently uses terminology that employees may be unfamiliar with, with the potential for regulations to be misinterpreted. Before further training is undertaken, employees should understand the most common terms they will encounter.
The HITECH Act of 2009 strengthened HIPAA’s enforcement and introduced the breach notification requirements. It also created the Meaningful Use program, which drove the adoption of electronic health records across the healthcare industry and was succeeded by the Promoting Interoperability program; the technology adopted under these programs is what most employees will encounter in their daily roles.
There are five main HIPAA regulatory rules, and while most employees will not need to have a deep understanding of the Enforcement Rule and Breach Notification Rule, it is important they are aware of the content of the HIPAA Omnibus Final Rule, Privacy Rule, and Security Rule.
The HIPAA Omnibus Final Rule implemented provisions of the HITECH Act to strengthen existing privacy and security protections. It also made business associates and their subcontractors directly liable for compliance with the HIPAA requirements that apply to them, and directly liable for violations of those requirements.
The Privacy Rule defines Protected Health Information and how CEs and business associates must protect it from loss, theft, and unauthorized disclosure. It also explains patients’ rights and the Minimum Necessary Standard, which limits how much information employees may use or disclose.
The technical, administrative, and physical safeguards of the Security Rule will impact every employee’s day-to-day routine, and this module of HIPAA training should be used as an introduction to the more advanced modules in the suggested comprehensive training curriculum.
Although patients’ rights may have already been mentioned in the Privacy Rule module, it may be necessary for frontline healthcare and administration employees to undergo specific training on providing patients with the Notice of Privacy Practices and on handling patient requests.
The HIPAA disclosure rules apply to all employees in whatever function they perform. Ideally, this module should be presented at the same time as the Privacy and Security Rule modules to deepen employee understanding of allowable disclosures and the Minimum Necessary Standard.
HIPAA violations can have consequences for patients, organizations, and employees. To make this module more relevant for trainees, this is a good opportunity to introduce and explain the organization’s sanction policy and how employees may be impacted by violations of HIPAA.
As part of a basic HIPAA training course or refresher course, this module should be used as an overview of compliance best practices. Ideally, the module on preventing HIPAA violations should be tailored to specific groups of the workforce to be more relevant to their roles.
Training on being a HIPAA-compliant employee is an appropriate refresher module: it can summarize what has been discussed previously, include general do’s and don’ts, or focus on specific roles. This module can also be used to explain the procedure for reporting HIPAA violations.
The basic HIPAA training course provides employees with the fundamentals of HIPAA, but more comprehensive training is often necessary for employees to apply the fundamentals in real-life situations. The following curriculum can be tailored according to employees’ roles and refreshed to meet the HIPAA training requirements whenever “functions are affected by a material change”.
This module can help employees better understand the objectives of HIPAA by providing a timeline of HIPAA and of when the main HIPAA regulatory rules were introduced. The module should be updated annually to reflect changes to HIPAA and emerging compliance challenges.
This comprehensive module should explain both the online threats to patient data and physical threats such as failing to safeguard hard copies of patient data, leaving mobile devices unattended, and positioning workstations in public view.
Organizations should have policies and procedures in place to govern how computers may be used. Employees need to be made aware of these policies and procedures, even those that are not directly related to HIPAA (e.g., personal use).
Healthcare professionals have to be particularly careful about what they share on social media platforms because it is very easy to disclose PHI unintentionally. Consequently, employees should be trained on best practices for managing social media accounts safely.
In some emergency situations, disclosures of PHI beyond what is normally allowed may be permitted for public health purposes. It may also be the case that, during a declared public health emergency, the Secretary of HHS waives sanctions and penalties for non-compliance with certain Privacy Rule provisions, or that OCR announces enforcement discretion, to remove obstacles to the flow of healthcare information.
It is important for employees to know who the organization’s HIPAA Officers are and what their roles and responsibilities are. Ideally, a HIPAA Officer would lead the presentation of this module so employees can put a face to a name.
A HIPAA compliance checklist is most often used by HIPAA Officers and IT managers to avoid oversights. However, a checklist can also be used towards the end of basic HIPAA training to gauge how well employees have understood and absorbed the training.
HIPAA is constantly evolving, and it is important employees are made aware of recent HIPAA updates to ensure compliance. It is especially important this module is included in refresher training if there has been an update or new rule published since training was last provided.
The Texas Medical Records Privacy Act, as amended by HB 300, applies to all organizations that create, use, maintain, or transmit the health information of a Texas resident, regardless of where the organization is located. Therefore, this module may apply to HIPAA-covered organizations outside Texas.
One of the best ways to train employees on cybersecurity best practices that mitigate the risk of a data breach is to teach them about the threats that can impact their own personal accounts. This helps change online behaviors and creates a culture of security throughout the organization.
There are many ways to protect PHI from cyberthreats, and this module should educate employees on password management and resilience to phishing, as well as explaining concepts such as multi-factor authentication, access controls, and network monitoring.
Healthcare students should be provided with HIPAA training before they start working with patients and accessing EHRs. Because it is not always known during their education which roles and responsibilities students will have once they graduate, the curriculum for healthcare students should include modules from both the basic and comprehensive HIPAA training courses, with additional modules specifically designed for a student population. For example:
During training, students are usually permitted to access EHRs under supervision. This module should explain the rules about password sharing (to access PHI maintained in EHRs) and what students can and cannot do with the PHI they have access to.
Students need to be aware that the policies and procedures they will encounter as employees of a CE also apply when writing reports, preparing case studies, or giving presentations. It may need to be reinforced that they cannot use PHI in any report or project unless the subject of the PHI has given written authorization or the data have been de-identified by removing the PHI identifiers.
It is equally important that students understand the CE’s other HIPAA policies and procedures and comply with them just as if they were healthcare professionals. Therefore, they may need additional training on how to identify a HIPAA violation and who to report it to.
The flexible wording of the HIPAA regulations means it is at the discretion of CEs and their business associates to determine how best to provide training to employees. Ultimately, it is necessary to provide sufficient basic training to prevent unauthorized disclosures of PHI, while further, more comprehensive training should be tailored to the roles of individual employees.
The organization of HIPAA training is the responsibility of the HIPAA Privacy and Security Officers; although it should be a collaborative effort that involves nursing managers, HR, and IT - especially when a new policy, process, or technology is implemented. It may also be appropriate to use third party consultants to conduct training when new HIPAA guidance is issued by HHS.
HIPAA training should be relevant to each staff member’s role; and while there are areas of the Privacy, Security, and Breach Notification Rules that should be included in all HIPAA training courses, training should be designed so each staff member can fulfil their role in compliance with HIPAA.
Each time there is a change of policy, process, or technology, a risk assessment should be carried out to determine the impact the new policy, process, or technology will have on HIPAA compliance. CEs and BAs should then analyze the results of the risk assessment (and document the analysis) in order to determine if any additional training is necessary.
BAs are directly required by the Security Rule to implement a security awareness and training program for their workforce, and they must also train their workforce on any Privacy Rule obligations they have assumed under their business associate agreements, so the frequency of HIPAA training should likewise be “as necessary”. However, a BA is likely to have a less diverse workforce than a CE, so managing the training requirements should be simpler.
All HIPAA-related documentation has to be retained for six years from the date it was created or last in effect, whichever is later. Therefore, all risk assessments and analyses must be retained for six years, as must the content of training courses and documentation relating to who attended the courses and when. For example, if a CE developed a training course in 2015 and refreshed it in 2019, the content of the original training course has to be retained until 2025.
In theory, HIPAA training is never completed. This is because whenever new regulations, policies, working practices, or technologies are introduced, members of the workforce will require refresher training to ensure the new regulations, policies, working practices, or technologies are applied in compliance with HIPAA. Furthermore, security and awareness training should be ongoing.
HIPAA training should be done on a regular basis to prevent poor compliance practices developing into a cultural norm. Unfortunately, many Covered Entities do not have the resources to provide HIPAA training on a regular basis, which is why it can be beneficial to take advantage of online refresher training courses to mitigate the risk of a HIPAA violation.
HIPAA training is necessary so that members of the workforce understand the importance of protecting patient data from unauthorized uses and disclosures. Consequently, training should not only be about policies and procedures, but also why the policies and procedures exist and the consequences of HIPAA violations to employers, employees, and patients.
At present, there are no states that require Covered Entities or Business Associates to provide annual HIPAA training. However, some states have privacy laws more stringent than HIPAA (and therefore not preempted by it) that have specific training requirements; Texas HB 300, for example, requires training within 90 days of hire and at least every two years. Personnel employed by the Defense Health Agency are required to undergo Privacy Act and HIPAA privacy training annually.
HIPAA training provided by a Covered Entity or Business Associate does not expire unless a change in policies and procedures affects your role, a need for additional training is identified in a risk analysis, or you change jobs and work for another Covered Entity or Business Associate whose policies and procedures differ from your former employer’s. You may also have to undergo additional training if your employer agrees a corrective action plan with the Office for Civil Rights.
New employees of a Covered Entity must complete HIPAA training “within a reasonable period of time after the person joins the Covered Entity’s workforce”, ideally before they are exposed to PHI. New employees of a Business Associate are required to take part in a security awareness and training program, but HIPAA does not stipulate how soon this is required after the person joins the Business Associate’s workforce, although ideally it should be before they are exposed to ePHI.
All HIPAA documentation has to be retained for six years from the date it was created or the date it was last in effect, whichever is later. Therefore, if an employee signed an attestation that they received Privacy Rule training in 2018, and refresher training wasn’t provided until 2021, the original attestation will have to be kept until 2027. The same principle applies if refresher or additional privacy training was provided as the result of a policy change, risk assessment, corrective action plan, or employee promotion.
There are various online training courses one can take to obtain a certificate of completion. Note that there is no HHS-recognized HIPAA certification: a certificate evidences only that a particular course was taken, not that the organization is compliant. Some courses are role-specific, whereas others provide general HIPAA training. Both types can be beneficial to job seekers, while general HIPAA training is often used by Covered Entities and Business Associates to provide periodic refresher training, with a copy of the certificate serving as documentation that training was provided in the event of an OCR audit, investigation, or inspection.
There are two federal requirements for HIPAA training. The first is that Covered Entities must provide policy and procedure training “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce” (45 CFR § 164.530(b)), and the second is that Covered Entities and Business Associates must “implement a security awareness and training program for all members of its workforce (including management)” (45 CFR § 164.308(a)(5)).
Responsibility varies depending on the size of the organization, the nature of its operations, and the available resources. In smaller healthcare organizations, a healthcare administrator will likely be responsible for Privacy Rule training, while a senior member of the IT team will be responsible for Security Rule training. Sometimes one person fills both roles. In larger organizations, the responsibility for training all employees on HIPAA is shared across a compliance team.
There are two answers to this question. The first is that – according to the Privacy and Security Rules – members of the workforce must be trained on HIPAA-related policies and procedures relevant to their roles and provided with security and awareness training. The second answer is that the amount of HIPAA training required (beyond that stipulated by the Privacy and Security Rules) should be determined by the results of a risk assessment.
The length of HIPAA training – per session – will be dependent on the amount of content included in the session, the number of people attending the session, and the volume of questions asked during and after the session. Ideally, training sessions should be no longer than 60 minutes so information is retained. In terms of how long HIPAA training takes in total, training should be ongoing to ensure members of the workforce remain compliant with HIPAA.
HIPAA training is never completed. This is because whenever new regulations, policies, working practices, or technologies are introduced, members of the workforce are required to receive “material change” training on the new regulations, policies, working practices, or technologies and how the changes should be applied in compliance with HIPAA.
Additionally, the security awareness and training program required under the Administrative Safeguards of the Security Rule is a program rather than a one-off event. There should be no beginning and end to this program, only updates on changes to the threat landscape and training on how members of the workforce can reduce their susceptibility to the threats.
You need HIPAA training when you first start working with a Covered Entity or Business Associate so you are familiar with the policies and procedures relating to HIPAA. Because each Covered Entity and Business Associate has their own policies and procedures relating to HIPAA, you will also need HIPAA training if you leave your job and go to work for another Covered Entity or Business Associate.
While working for the same Covered Entity or Business Associate, you will need refresher HIPAA training if there is a “material change” to a HIPAA-related policy or procedure that affects your role. You may also need HIPAA training when a risk assessment identifies a need for further training, when your employer receives a complaint that can be resolved by training, or when training is required as a sanction, either from your employer or from HHS’ Office for Civil Rights.
HIPAA training is important because it explains to members of the workforce how they should protect patient privacy and ensure the confidentiality, integrity, and availability of PHI while performing their duties without violating HIPAA regulations. Refresher training is equally important to prevent bad habits deteriorating into cultural norms of non-compliance.
HIPAA training is necessary so that employees, students, and volunteers understand why protecting patient data from unauthorized uses and disclosures is crucial for the organization they work for, for the patients they care for, and for themselves. In some cases, the failure to apply the lessons learned in HIPAA training can end an individual’s career.
HIPAA patient privacy training is necessary for all members of the workforce, but particularly those in public-facing roles. HIPAA patient privacy training explains the requirements of the Privacy Rule in relation to patients’ rights, permissible uses and disclosures of patient data, and the minimum necessary standard, which requires you to limit uses and disclosures of PHI to the minimum necessary for the purpose.
Everybody who qualifies as a member of a Covered Entity’s or Business Associate’s workforce is required to have HIPAA training. This not only means employees have to be trained on HIPAA policies, but also volunteers, students, and contractors who may encounter Protected Health Information in visual, verbal, written, or electronic form.
Every member of a Covered Entity’s or Business Associate’s workforce must take HIPAA training, including students, volunteers, and contractors. The nature of training will vary according to the activities of the organization and individuals’ functions, but it is necessary for everyone to understand what PHI is, why it should be protected, and how it is protected.
HIPAA training is valid until you change jobs and work for a different employer with different policies and procedures. Additionally, some of your initial HIPAA training may be superseded if your current employer changes HIPAA-related policies or procedures due to a change in the law, as the result of a risk assessment, or in response to a patient complaint or OCR investigation.
HIPAA training does not expire unless you change jobs and work for another Covered Entity or Business Associate. This is because each Covered Entity and Business Associate is required to develop their own HIPAA-compliant policies and procedures. Therefore, when you go to work for a new organization that is a Covered Entity or Business Associate, the new organization will likely have different HIPAA-compliant policies and procedures from those you have been trained on.
The HIPAA training requirements for new hires vary according to whether the employer is a Covered Entity or a Business Associate. Covered Entities must train new hires on policies and procedures and the Breach Notification Rule (as required by the Privacy Rule) and include them in a security and awareness training program (as required by the Security Rule).
Business Associates are only required to provide a security awareness and training program unless elements of the Privacy Rule apply to the new hire’s role. In such cases, it is necessary to train the new hire on the elements of the Privacy Rule that apply and to explain the procedures for reporting unauthorized disclosures and security incidents.
Covered Entities’ new hires must complete their initial HIPAA training “within a reasonable period of time after the person joins the Covered Entity’s workforce”, ideally before they are put into an unsupervised situation in which they could inadvertently and impermissibly disclose PHI. New hires of Covered Entities and Business Associates must also take part in a security awareness and training program. HIPAA does not stipulate how soon this is required after new hires start working, but HIPAA security training should start before they have unsupervised access to ePHI.
The best way to prepare a new hire for HIPAA training is to familiarize them with the basics of HIPAA – especially topics such as why HIPAA exists, what HIPAA protects, and what PHI is. This will ensure every new hire entering policy and procedure training has the same level of knowledge and will put the content of the policy and procedure training into context.
Training documentation is necessary for HIPAA compliance because, in the event of an inspection or audit by HHS’ Office for Civil Rights, it not only shows that training has been provided but may also determine where liability for a HIPAA violation lies: whether the Covered Entity failed to provide “necessary and appropriate” training, or whether a trained member of the workforce failed to apply that training while carrying out their duties.
HIPAA training documents must be kept for six years from the date the policies and procedures the training relates to were last in force. For example, if training on individuals’ rights was provided in 2019, but the procedures for responding to patient access requests were changed in 2022 (and further training was provided), the HIPAA training documents relating to the original training must be kept until 2028. It will also be necessary to maintain documentation of the training provided to employees when the “material change” occurred in 2022.
HIPAA training for mental health professionals differs from HIPAA training for general health professionals inasmuch as a mental health professional will need to know about the different disclosure rules that apply to (for example) psychotherapy notes, risks of self-harm, and threats to others. There are also situations where FERPA rather than HIPAA governs student health records (education records are excluded from the definition of PHI), and where more stringent state laws or the federal substance use disorder confidentiality regulations (42 CFR Part 2) impose restrictions beyond those of HIPAA.