How Long is HIPAA Training Good For?

How long HIPAA training is good for can be subject to several factors – including material changes to policies and procedures, evaluations and risk assessments, workforce sanctions, and corrective action plans. In addition, HIPAA training is only good for as long as you work for the same organization, as each covered entity and business associate is required to develop their own policies and procedures to comply with HIPAA.

There is no simple answer to the question “how long is HIPAA training good for?” because some members of a covered entity’s workforce may be required to undergo HIPAA training more frequently than other workforce members due to their functions, the environment in which they work, or their disciplinary record. Some organizations may also limit how long HIPAA training is good for by requiring workforce members to take annual refresher training.

It can also be the case that some HIPAA training replaces previous HIPAA training, while other HIPAA training builds on previous HIPAA training. In the first instance, the previous HIPAA training is no longer “good”, while in the second instance, the previous HIPAA training is still valid.

  • A recent example of when HIPAA training replaces previous HIPAA training is the changes to the ways in which substance use disorder records and reproductive health information can be disclosed.
  • A recent example of when HIPAA training builds on previous HIPAA training is the adoption of Healthcare Cybersecurity Performance Goals to enhance an existing security awareness and training program.

How Long is HIPAA Training Good For? What HIPAA Says

The HIPAA training standards say very little about how long HIPAA training is good for. The HIPAA Privacy Rule training standard (§164.530(b)) requires covered entities (and some business associates) to provide HIPAA training to “each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce” and whenever their functions are affected by a material change to policies and procedures.

In theory, a member of the workforce could receive HIPAA training when they first start working for a covered entity and, if their functions are never affected by a material change to policies and procedures, the HIPAA training would be “good” for as long as they continued to work for the same covered entity. Only if the member of the workforce changed jobs and worked for a different covered entity would the original training no longer be “good”.

In practice, other factors can affect how long HIPAA training is good for. These factors include the outcomes of periodic technical and nontechnical evaluations (required by §164.308(a)(8)), risk assessments (required by §164.308(a)(1)), and workforce sanctions (required by §164.308(a)(1) and §164.530(e)). The validity of HIPAA training can also be affected by a compliance review or the imposition of a corrective action plan.

How Factors Affect How Long HIPAA Training is Good For

When a periodic nontechnical evaluation identifies a security issue, and a risk assessment determines the security issue could be remedied with HIPAA training, covered entities must provide the required training. Whether this is “replacement” training or “build on” training will determine whether the HIPAA training that members of the workforce have already received in relation to the cause of the security issue is still valid.

Additional HIPAA training is one of the most common sanctions for minor violations of covered entities’ HIPAA policies and procedures. In most cases, when HIPAA training is used as a sanction, it is “repeat” training unless the violation is attributable to a misunderstanding of the covered entity’s HIPAA policies and procedures – in which case the HIPAA training should be regarded as “replacement” training.

When HHS’ Office for Civil Rights conducts a compliance review, the issue that triggered the review (privacy complaint, data breach, etc.) is usually remedied with “replacement” training on the specific issue. Corrective Action Plans requiring HIPAA training are more comprehensive and may require the complete revision of a covered entity’s HIPAA awareness training, HIPAA policy and procedure training, and HIPAA security training.

How Long is Certified HIPAA Training Good For?

One of the reasons the question “how long is HIPAA training good for?” gets asked is that some HIPAA online training courses award certificates on completion of a test. These courses may be provided by covered entities as an introduction to HIPAA, taken by members of the workforce to improve their own HIPAA knowledge, or used by job applicants to demonstrate a HIPAA qualification to a prospective employer.

How long certified HIPAA training is good for depends on the type of course and its objectives. For example, if a covered entity provides certified HIPAA training as annual HIPAA refresher training, the certified HIPAA training is good for a year. If a course awards Continuing Education Units (CEUs) for workforce members, the certificate of completion may be valid for three years depending on state licensing requirements.

However, before subscribing to an online HIPAA training course to earn CEUs, it is important to check that the course is accredited by a recognized training assessor (for example, by the American Health Information Management Association (AHIMA)), that the CEUs awarded by the course are accepted by the workforce member’s licensing body, and how long the licensing body considers the HIPAA training to be good for.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/