Unsure about how often you need HIPAA training? In this post we explain how often HIPAA training should be provided by employers and what that training should entail.

How Often Do You Need HIPAA Training?

Considering the importance of HIPAA compliance and the potential penalties for covered entities, business associates, and their employees when the HIPAA Rules are violated, it may seem strange that only a few lines of the HIPAA text cover training. The HIPAA Privacy Rule does not state what training courses need to include, and it is vague about how often HIPAA training must be provided.

Naturally, all employees who are likely to encounter protected health information are required to receive training with respect to PHI, such as the allowable uses and disclosures of PHI and how to protect healthcare data. This training must be provided soon after an individual joins the organization. In contrast to other aspects of the HIPAA Privacy Rule such as providing patients with a copy of their medical records, there is no maximum time stated for providing the training. The HIPAA Privacy Rule only states training must be provided “within a reasonable period of time after the person joins the covered entity’s workforce.”

If you have not received training on HIPAA in the first few days of starting a new job, it does not mean that your employer is noncompliant. If a nurse takes a new job with a different healthcare provider, they will already be familiar with HIPAA, so training does not need to be prioritized to such a degree as when a newly qualified nurse joins an organization. HIPAA provides that flexibility. That said, you should receive training on HIPAA in the first few weeks after commencing employment.

After initial training, HIPAA only calls for periodic retraining on the HIPAA requirements. These additional training sessions are required following any change to policies and procedures, the introduction of new technology, or any changes to the HIPAA Rules. Even if there are no changes to the HIPAA Rules or working practices, refresher training sessions must be provided to the workforce periodically.

Again, there is no deadline for providing these refresher training sessions, but ‘periodic’ means at least every 2 years, with the best practice being annual retraining.

If you are asking the question, “How often do you need HIPAA training?” you may feel that your knowledge of the requirements of HIPAA is lacking or maybe you have questions about how HIPAA applies in certain situations. If you have any doubts about HIPAA compliance, you should contact your HIPAA officer to arrange retraining and to get answers to your questions.

Employees Must Be Taught About Security Awareness

The HIPAA Security Rule requires the implementation of a security awareness training program for the workforce, which must include management. All workforce members must be trained in how to protect PHI and any electronic equipment that provides access to healthcare networks or could be used to access PHI. Security awareness training needs to cover the threats employees are likely to face, provide practical advice on how to identify and avoid those threats, and explain how to report any threats that are encountered. Training sessions should teach the cybersecurity best practices that should be followed to reduce the risk of a data breach.

These training sessions should be provided soon after joining the company and periodically thereafter. The best practice is to provide these training sessions at least annually, with twice-yearly training sessions now considered to be necessary given the extent to which healthcare employees are targeted by cyber actors.