How Often Do You Have To Do HIPAA Training?
You have to do HIPAA training when you start working for a HIPAA covered entity, when your role is affected by a material change to the covered entity’s HIPAA policies, when a risk analysis identifies a need for HIPAA training, and when you are required to do HIPAA training as a sanction or as part of a corrective action plan following a HIPAA violation.
You may also have to do HIPAA training when a privacy complaint is filed or when a new technology is implemented. Elements of HIPAA training should be included in a security awareness and training program; and, if you work for a HIPAA business associate, you may have to do all of the above depending on the service(s) being provided by the business associate.
In addition, healthcare organizations can (but are not required to) integrate HIPAA training into other mandatory training. For example, threats to the privacy of Protected Health Information (PHI) could be included in annual OSHA bloodborne pathogen training or annual CMS emergency planning training, depending on the context in which the training is provided.
How Often Do You Have To Do HIPAA Training?
Many sources discussing how often HIPAA training has to be done tend to focus solely on the HIPAA Privacy Rule training standard and advocate that, if refresher HIPAA training is not triggered by a material change to HIPAA policies or procedures, it is a best practice to provide refresher HIPAA training to all members of the workforce at least annually.
This is an acceptable "catch all" solution to ensure that members of the workforce whose roles are not affected by a material change receive refresher training. However, it overlooks many other events that could trigger HIPAA training, and the fact that some members of the workforce may "do" HIPAA training voluntarily in order to avoid sanctions, renew certifications, and earn CEUs.
The Significance of the Security Standard General Rules
Most events that could trigger HIPAA training are linked to an often-overlooked line in the HIPAA Security Rule's Administrative Safeguards. The line appears at the beginning of §164.308 and requires covered entities and business associates to comply with all the Administrative Safeguards "in accordance with §164.306", the Security Standard General Rules.
Among the General Rules' General Requirements, covered entities and business associates are required by §164.306(a)(3) to "Protect against any reasonably anticipated uses or disclosures of such information [electronic Protected Health Information] that are not permitted or required under subpart E of this part [the HIPAA Privacy Rule]."
What This Means for HIPAA Training Triggers
This means that standards in the Administrative Safeguards relating to risk analyses and management, contingency plan testing and revision, and periodic technical and nontechnical evaluations must consider reasonably anticipated uses and disclosures of Protected Health Information (PHI) that are not permitted by the HIPAA Privacy Rule.
If a risk analysis, contingency plan test, or periodic evaluation identifies a threat to the confidentiality, integrity, or availability of PHI that cannot be resolved by the implementation of technology, it will be necessary to provide HIPAA training to mitigate the threat. It may also be necessary to provide HIPAA training even when the threat can be resolved by technology.
HIPAA Training Elements in Security Awareness Training
With regard to how often HIPAA training required by the HIPAA Security Rule has to be done, it is important to note that the HIPAA Security Rule training standard (§164.308(a)(5)) requires a security awareness and training program for all members of the workforce, with periodic security updates as an addressable implementation specification, rather than one-off training. The Rule does not prescribe a schedule, but a program of this kind implies ongoing, periodic training rather than a single session; some organizations schedule security awareness training quarterly.
It is also important to note that the HIPAA Security Rule training standard must be complied with "in accordance with §164.306". This means that generic or off-the-shelf security awareness training is unlikely to be sufficient on its own to comply with the standard, and that covered entities and business associates must make the training relevant to HIPAA compliance and to the threats to PHI identified in their own risk analysis.
Other Events that Could Trigger HIPAA Refresher Training
Other events that could trigger HIPAA refresher training include privacy complaints, workforce sanctions, and corrective action plans. In most cases, HIPAA training triggered by a privacy complaint or workforce sanction may only impact a handful of workforce members. Corrective action plans most often apply to a whole organization.
HHS' Office for Civil Rights imposes more corrective action plans than many people realize because most are in lieu of a civil monetary penalty and rarely make the headlines. However, in 2022, HHS' Office for Civil Rights imposed 674 corrective action plans that required whole organizations to retrain all members of the workforce on the HIPAA Rules.
How Often Do Business Associates Do HIPAA Training?
In addition to mandatory HIPAA security awareness training (which should be relevant to HIPAA compliance), business associates are subject under §160.102 of the HIPAA Administrative Simplification Regulations to the HIPAA Privacy Rule standards that are applicable to the services being provided for or on behalf of a covered entity, and should provide HIPAA training on those standards.
This means that most business associate workforces should receive HIPAA training on topics such as what is considered PHI under HIPAA, why it needs to be protected, and what threats exist to the security of PHI. Practically the only type of business associate to which this would not apply is a business associate with "no-view access" to a covered entity's PHI.
Why Do Workforce Members "Do" HIPAA Training Voluntarily?
There are circumstances in which, rather than asking how often you have to do HIPAA training, the question should be how often you should do HIPAA training. The answer to the revised question varies depending on the comprehensiveness of the HIPAA training provided by a covered entity or business associate, and on certification or CEU requirements.
One of the reasons for wanting to do HIPAA training is the avoidance of workforce sanctions. Covered entities and business associates are required to impose and document sanctions for any violation of the HIPAA Privacy Rule or HIPAA Breach Notification Rule, regardless of whether members of the workforce have been trained on the violated standard.
If, for example, a covered entity has failed to provide training on privacy protections and patients' rights to request that PHI is withheld from specific people, and a member of the workforce discloses PHI impermissibly due to a lack of knowledge, the member of the workforce could receive a warning that remains on their personnel record indefinitely.
Therefore, it is in workforce members' best interests to do HIPAA awareness training voluntarily in order to avoid sanctions for unintentional HIPAA violations due to a lack of knowledge. When the course awards a certificate of completion or Continuing Education Units (CEUs), individuals can use these to advance their careers or meet professional licensing requirements.
How Often Do You Have To Do HIPAA Training? Summary
- The frequency of required HIPAA training is event specific.
- Many types of events could trigger required HIPAA training.
- Training can be limited to one workforce member or organization wide.
- HIPAA training should be an element of security awareness training.
- It should also be provided to most business associate workforces.
- HIPAA training can be done voluntarily to avoid sanction, renew certifications, and earn CEUs.
Covered entities and business associates with questions about the frequency of HIPAA training, or what must be included in training, should seek independent compliance advice. Workforce members with questions about how often they have to do HIPAA training should speak with their HIPAA Privacy Officer, while those interested in doing HIPAA training voluntarily should reach out to an accredited HIPAA awareness training provider.