HIPAA training is required at least annually to ensure the privacy and security of Protected Health Information (PHI) and the confidentiality, integrity, and availability of electronic PHI – notwithstanding that internal and external factors can increase the need to provide HIPAA training more frequently. This implies it is necessary to provide HIPAA training more frequently than mandated in the HIPAA Privacy and Security Rules.
What Does the HIPAA Privacy Rule Say About HIPAA Training?
The HIPAA Privacy Rule states that covered entities must train workforce members on policies and procedures with respect to protected health information “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” It is important to remember that ‘workforce’ does not just mean paid employees. The definition of workforce is “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
The requirement to provide training “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” acknowledges that different categories of workforce members will require different training. Therefore, HIPAA training courses should be tailored to each type of role within the organization and to the policies and procedures that affect the functions of that role – taking care not to provide so much unnecessary training that the key purposes of the Privacy Rule (e.g., permissible uses and disclosures, and individuals’ rights) are obscured.
How Often is HIPAA Training Required?
When a new member of the workforce joins a HIPAA-covered organization, training must be provided “within a reasonable period of time after the person joins the covered entity’s workforce.” It is not necessary to provide training before work duties are commenced, but training should certainly be provided within the first few days to the first few weeks. Training must also be provided when “functions are affected by a material change in the policies or procedures,” again with the training provided “within a reasonable period of time after the material change becomes effective.”
There is no requirement for refresher HIPAA training to be provided to ensure organizational policies and procedures are not forgotten. However, it is advisable to hold refresher training sessions periodically. The best practice adopted by many healthcare organizations is to provide annual refresher HIPAA training sessions, because regular training helps prevent noncompliant practices from developing “to get the job done” and reduces accidental HIPAA violations.
What Are the HIPAA Security Rule Training Requirements?
The HIPAA Security Rule training requirements are intended to ensure the confidentiality, integrity, and availability of protected health information. The Security Rule standard on training is to “Implement a security awareness and training program for all members of its workforce (including management)” and this standard applies to both covered entities and business associates.
Security awareness training should also be provided within a reasonable period of time after the person joins the workforce, and periodically thereafter. While there are no implementation specifications in the HIPAA Privacy Rule concerning training course content, the HIPAA Security Rule has addressable implementation specifications covering security reminders, password management, log-in monitoring, and protection from malicious software. Although not explicitly listed, you should also provide training to help workforce members recognize and avoid phishing emails and the other threats they are likely to encounter.
How Often Must Security Awareness Training be Provided?
A few years ago, providing an annual security awareness training session was sufficient, but cyberattacks on the healthcare industry have skyrocketed in recent years, as have data breaches.
The consensus among security professionals is that an annual training session is no longer sufficient. The best practice is now to provide ongoing security awareness training, given the rapidly changing threat landscape and the sheer number of attacks that are now attempted, especially on healthcare organizations. The accepted best practice is to provide security awareness training at least twice a year, with security reminders also sent to the workforce – via email for example – to reinforce training and highlight new threats that target members of the workforce.
Other Factors that Affect the Frequency of HIPAA Training
There are several internal and external factors that can affect the frequency of HIPAA training. Internally, a risk assessment might identify the need for further training, or refresher training may be used as a sanction for a minor violation of HIPAA by a member of the workforce. Additional training might also be an option if the perception exists that patients do not trust healthcare professionals to keep their sensitive information confidential.
External factors include responding to a data breach with additional training, or having HIPAA training enforced by HHS’ Office for Civil Rights (OCR) as part of a corrective action plan. In the first instance, “retrained workforce members” is an option on the OCR Breach Notification Form that – provided the training can be supported by documentation – could be sufficient to avoid a breach investigation or further penalties for violating HIPAA.
In the second instance, OCR can enforce a corrective action plan on a covered entity or business associate in lieu of issuing a civil monetary penalty. Because corrective action plans most often involve the revision of policies and procedures, members of the workforce whose roles are affected by the revised policies and procedures must undergo “material change” HIPAA training, while all members of the workforce will have to undergo security training.
Penalties for the Failure to Provide HIPAA Training
When OCR issues penalties for HIPAA violations, it is usually the “headline” violation that gets noticed (e.g., a data breach due to an unencrypted laptop). However, in many cases, an underlying reason for a data breach is the failure to provide HIPAA training. When this is the case, OCR can increase the amount of a penalty to account for the secondary HIPAA violation. Examples of penalties for the failure to provide HIPAA training include:
In September 2020, Athens Orthopedic Clinic agreed to pay $1.5 million to resolve alleged violations of HIPAA, including the failure to provide any Privacy Rule training prior to 2018. As part of a corrective action plan, the Clinic was required to retrain its workforce within 30 days.
In November 2023, St. Joseph’s Medical Center agreed to an $80,000 settlement for disclosing the PHI of three patients to news reporters. Although only a few workforce members were responsible for the impermissible disclosure, all members of the workforce had to undergo refresher training as part of the settlement.
In December 2019, West Georgia Ambulance Inc agreed to pay $65,000 and adopt a corrective action plan following the loss of an unencrypted laptop containing the PHI of 500 individuals. During the investigation into the breach, OCR found the organization did not have a security awareness training program as required by §164.308.
State Attorneys General can also issue fines for violations of HIPAA; and, in October 2023, the NY State Attorney General fined Personal Touch Holding Corp. $350,000 for multiple violations of HIPAA and state law, including inadequate HIPAA security training.
Previously, a 2022 settlement between Aveanna Healthcare and the Massachusetts Attorney General had unique training requirements attached, inasmuch as members of the workforce who did not complete a mandatory training course were to have their access to PHI removed.
How Often is HIPAA Training Required? FAQs
How might training differ for different categories of the workforce?
This can depend on the nature of the covered entity’s operations, but a good example is when a covered entity employs public-facing employees and “backroom” employees who never deal with the public. Those with public-facing roles may need more training on policies relating to the Minimum Necessary standard, while those who never deal with the public may need more training on the Administrative Requirements.
How could a covered entity provide unnecessary training?
Topics such as the background to HIPAA and the evolution of HIPAA may be interesting to trainers; but, for those who have to apply the HIPAA Rules in their day-to-day roles, such topics can be a distraction. While it can be helpful to include some background information to put the rest of the training in context, focusing too much on who signed HIPAA, or the effective date of each Rule, can obscure the purpose of HIPAA training.
Do Business Associates only have to comply with the Security Rule training requirements?
Although the only reference to HIPAA training for Business Associates appears in the Security Rule, it may be important for Business Associates to train members of the workforce on the Administrative Requirements, the Privacy Rule, and the Breach Notification Rule depending on the service they are providing for a Covered Entity. In most cases, a general understanding of these Rules – rather than an in-depth knowledge – is all that is necessary to satisfy due diligence requirements.
Why must all workforce members receive security and awareness training?
This is because anybody who has access to a network-connected device could be a target for a cybercriminal, whether or not they have access to PHI. Cybercriminals who infiltrate a network-connected device could move laterally through the network to reach systems containing PHI, even though the point of entry itself does not have access to those systems.
What should be included in HIPAA security and awareness training?
The contents of a security and awareness training program should be determined by a risk analysis. The risk analysis will help Security Officers identify vulnerabilities that could result in a data breach and should help identify the best solutions to fix the vulnerabilities. Importantly, security and awareness training should be an ongoing program rather than a one-off event, giving Security Officers the opportunity to revise the content of training as new vulnerabilities are identified.