How Often Do You Need HIPAA Training?
Considering the importance of HIPAA compliance and the potential penalties when HIPAA Rules are violated, it is important covered entities and business associates understand how often you need HIPAA training. However, neither the Privacy Rule nor the Security Rule provide specific timeframes for when initial training or refresher training should be provided.
What the Privacy Rule says about HIPAA Training
The reason for this apparent lack of guidance is that employees of covered entities and business associates have different levels of access to Protected Health Information and use it in different ways. Therefore, there is no one-size-fits-all training for HIPAA compliance. Indeed, §164.530(b)(1) of the Privacy Rule states:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”.
The key term in this clause is “as necessary and appropriate”. After an employee's initial HIPAA training – as required by §164.530(b)(2) – this term implies that the need to provide further HIPAA training should be determined by a risk assessment, and that the nature of the HIPAA training provided should be appropriate to the employee's role – i.e., there is no need to train a hospital security guard on the procedures for notifying OCR of a data breach.
The exception to this clause is when an employee's role is affected by a “material change in policies or procedures”. In this scenario, training must be provided “within a reasonable period of time after the material change becomes effective”. Although no specific timeframe is provided, covered entities and business associates should provide HIPAA training as soon as possible to mitigate the risk of a material change in policies or procedures resulting in a data breach.
What the Security Rule says about HIPAA Training
The Security Rule offers a little more guidance than the Privacy Rule about the nature of the HIPAA training that should be provided to employees – §164.308(a)(5) stipulates that covered entities must “implement a security awareness and training program for all members of its workforce (including management)”. This section of the Security Rule implies the training should be relevant to the “policies and procedures to prevent, detect, contain, and correct security violations”.
While the Security Rule fails to provide guidance about how often you need HIPAA training on policies and procedures, it is important to note the Privacy Rule and Security Rule are not independent of each other. Therefore, if a material change is made to a security policy, training must be provided within a reasonable period of time after the material change becomes effective. Again, depending on the nature of the material change, training should be provided as soon as possible.
It is important to consider extending security training after a material change beyond those for whom the training is “necessary and appropriate”, due to the extent to which healthcare personnel are targeted by cybercriminals. So, while a risk assessment may not identify the need to explain the blacklisting and whitelisting capabilities of an Internet filter to a hospital receptionist, it may be worth including the receptionist in the security training to maintain awareness of Internet threats.
Ultimately, it is the responsibility of each covered entity and business associate to provide and document an appropriate level of HIPAA training for each employee. If an avoidable violation of HIPAA occurs due to a lack of training, and the need for training should have been identified in a risk assessment, the Office for Civil Rights may consider the violation a Category 2 violation – potentially attracting a higher financial penalty for failing to exercise reasonable due diligence.
HIPAA Training FAQs
What does the Privacy Rule say about initial employee training?
The Privacy Rule says covered entities must provide training to each new member of the workforce within a reasonable period of time after a person joins the covered entity's workforce. In most cases, the basics of HIPAA should be provided during the employee's induction, with further training appropriate to the employee's role provided soon after.
What would be considered the “basics of HIPAA”?
Basic HIPAA training should include an explanation of HIPAA (plus any state privacy laws that pre-empt HIPAA), why HIPAA is important, and the rules relating to disclosures of PHI. Employees should also be made aware of sanctions for HIPAA violations and best practices for safeguarding PHI in order to avoid HIPAA violations.
Can you provide an example of a material change to policies and procedures?
During the COVID pandemic, OCR announced it would be applying “enforcement discretion” for telehealth providers. This enabled telehealth providers to use technologies that did not have the required security safeguards to communicate with patients with the caveat that the personnel providing telehealth services underwent refresher training on allowable disclosures.
Is refresher training necessary for every new technology?
If the technology provides access to ePHI, employees who will use the technology need to be trained on how to use it in compliance with HIPAA. This doesn't necessarily require a separate HIPAA training session, as HIPAA compliance can be integrated into the general training provided to employees on how to operate the technology.
Is a covered entity not liable for a HIPAA violation if it has provided training?
That depends on the nature of the violation. In most cases the covered entity will have some degree of liability – for example, for not providing adequate supervision or not implementing sufficient security safeguards. However, if it can be shown the covered entity did everything necessary to mitigate the risk of a violation, it will likely attract a minimal sanction.