Every HIPAA-covered entity is required to implement policies and procedures to ensure compliance with the HIPAA Rules. They must also provide training to the workforce on those policies and procedures and ensure that they are followed, but how often is HIPAA training required on those policies? In this post we will explain when HIPAA training needs to be provided and how often refresher HIPAA training sessions needs to conducted to help you comply with the HIPAA training regulations.
What Does the HIPAA Privacy Rule Say About HIPAA Training?
The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on policies and procedures with respect to protected health information.” It is important to remember that ‘workforce’ does not just mean paid employees. The definition of workforce is “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
The Privacy Rule says training must be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” That means that different categories of workforce members will require different training. Training courses should be tailored to each position.
How Often is HIPAA Training Required?
When a new employee joins the organization, training must be provided “within a reasonable period of time after the person joins the covered entity’s workforce.” It is not necessary to provide training before work duties are commenced, but training should certainly be provided within a few days to the first few weeks.
Training must also be provided when “functions are affected by a material change in the policies or procedures,” again, with the training provided “within a reasonable period of time after the material change becomes effective.”
There is also a requirement for refresher HIPAA training to be provided to ensure that the requirements of HIPAA are not forgotten. These training sessions should be “periodic,” which is accepted to be at least every two years, although the best practice adopted by many healthcare organizations is to provide annual refresher HIPAA training sessions. These regular HIPAA training sessions will help to prevent accidental HIPAA violations and will ensure the requirements of HIPAA are kept fresh in employees’ minds.
What Are the HIPAA Security Rule Training Requirements?
The HIPAA Security Rule training requirements are concerned with ensuring the confidentiality, integrity, and availability of protected health information. The Security Rule standard on training is to “Implement a security awareness and training program for all members of its workforce (including management).”
Security awareness training should also be provided within a reasonable period of time after the person joins the workforce, and periodically thereafter. While there are no implementation specifications in the HIPAA Privacy Rule concerning training course content, the HIPAA Security Rule has addressable specifications which are security reminders, password management, log-in monitoring, and protection from malicious software. While not stated, you must provide training to help employees avoid phishing emails and coverall threats that workforce members are likely to encounter.
How Often Must Security Awareness Training be Provided?
A few years ago, providing an annual security awareness training session was sufficient, but cyberattacks on the healthcare industry have skyrocketed in recent years, as have data breaches.
The consensus among security professionals is that an annual training session is no longer sufficient. The best practice is now to provide ongoing security awareness training, given the rapidly changing threat landscape and the sheer number of attacks that are now attempted, especially on healthcare organizations. The accepted best practice is to provide security awareness training at least twice a year, with security reminders also sent to the workforce – via email for example – to reinforce training and highlight new threats that target employees.