Every HIPAA-covered entity is required to implement policies and procedures to ensure compliance with the HIPAA Rules. They must also provide training to the workforce on those policies and procedures and ensure that they are followed, but how often is HIPAA training required on those policies? In this post we will explain when HIPAA training needs to be provided and how often refresher HIPAA training sessions should be conducted to help you comply with the HIPAA training regulations.
What Does the HIPAA Privacy Rule Say About HIPAA Training?
The HIPAA Privacy Rule states that covered entities must train workforce members on policies and procedures with respect to protected health information “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”. It is important to remember that ‘workforce’ does not just mean paid employees. The definition of workforce is “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
The requirement to provide training “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” acknowledges that different categories of workforce members will require different training. Therefore, HIPAA training courses should be tailored to each type of role within the organization and the policies and procedures that impact functions within that role – taking care not to provide too much unnecessary training that might obscure the key purposes of the Privacy Rule (e.g. permissible uses and disclosures, and individuals’ rights).
How Often is HIPAA Training Required?
When a new member of the workforce joins a HIPAA-covered organization, training must be provided “within a reasonable period of time after the person joins the covered entity’s workforce.” It is not necessary to provide training before work duties are commenced, but training should certainly be provided within the first few days to the first few weeks. Training must also be provided when “functions are affected by a material change in the policies or procedures,” again, with the training provided “within a reasonable period of time after the material change becomes effective.”
There is no requirement for refresher HIPAA training to be provided to ensure organizational policies and procedures are not forgotten. However, it is advisable to hold refresher training sessions periodically. The best practice adopted by many healthcare organizations is to provide annual refresher HIPAA training sessions, since regular training helps prevent noncompliant practices from developing “to get the job done” and reduces accidental HIPAA violations.
What Are the HIPAA Security Rule Training Requirements?
The HIPAA Security Rule training requirements are intended to ensure the confidentiality, integrity, and availability of protected health information. The Security Rule standard on training is to “Implement a security awareness and training program for all members of its workforce (including management)” and this standard applies to both covered entities and business associates.
Security awareness training should also be provided within a reasonable period of time after the person joins the workforce, and periodically thereafter. While the HIPAA Privacy Rule contains no implementation specifications concerning training course content, the HIPAA Security Rule has addressable implementation specifications covering security reminders, password management, log-in monitoring, and protection from malicious software. Although not stated in the Rule, you should also provide training to help employees recognize phishing emails and other threats workforce members are likely to encounter.
How Often Must Security Awareness Training be Provided?
A few years ago, providing an annual security awareness training session was sufficient, but cyberattacks on the healthcare industry have skyrocketed in recent years, as have data breaches.
The consensus among security professionals is that an annual training session is no longer sufficient. The best practice is now to provide ongoing security awareness training, given the rapidly changing threat landscape and the sheer number of attacks that are now attempted, especially on healthcare organizations. The accepted best practice is to provide security awareness training at least twice a year, with security reminders also sent to the workforce – via email for example – to reinforce training and highlight new threats that target employees.
How Often is HIPAA Training Required? FAQs
How might training differ for different categories of the workforce?
This can depend on the nature of the covered entity’s operations, but a good example is when a covered entity employs public-facing employees and “backroom” employees who never deal with the public. Those with public-facing roles may need more training on policies relating to the Minimum Necessary standard, while those who never deal with the public may need more training on the Administrative Requirements.
How could a covered entity provide unnecessary training?
Topics such as the background to HIPAA and the evolution of HIPAA may be interesting to trainers, but for those who have to apply the HIPAA Rules in their day-to-day roles, such topics can be a distraction. While it can be helpful to include some background information to put the rest of the training in context, focusing too much on who signed HIPAA, or the effective date of each Rule, can obscure the purpose of HIPAA training.
Do Business Associates only have to comply with the Security Rule training requirements?
Although the only reference to HIPAA training for Business Associates appears in the Security Rule, it may be important for Business Associates to train members of the workforce on the Administrative Requirements, the Privacy Rule, and the Breach Notification Rule depending on the service they are providing for a Covered Entity. In most cases, a general understanding of these Rules – rather than an in-depth knowledge – is all that is necessary to satisfy due diligence requirements.
Why must all workforce members receive security and awareness training?
This is because anybody who has access to a network-connected device could be a target for a cybercriminal whether they have access to PHI or not. Cybercriminals that infiltrate a network-connected device could move laterally through the network to access systems containing PHI even though the point of entry does not have access to these systems.
What should be included in HIPAA security and awareness training?
The contents of a security and awareness training program should be determined by a risk analysis. The risk analysis will help Security Officers identify vulnerabilities that could result in a data breach and should help identify the best solutions to fix the vulnerabilities. Importantly, security and awareness training should be an ongoing program rather than a one-off event, giving Security Officers the opportunity to revise the content of training as new vulnerabilities are identified.