How Often is HIPAA Training Required?

HIPAA training is required at least annually to ensure the privacy and security of Protected Health Information (PHI) and the confidentiality, integrity, and availability of electronic PHI – notwithstanding that internal and external factors can increase the need to provide HIPAA training more frequently. This implies it is necessary to provide HIPAA training more frequently that mandated in the HIPAA Privacy and Security Rules.

What Does the HIPAA Privacy Rule Say About HIPAA Training?

The HIPAA Privacy Rule states that covered entities must train workforce members on policies and procedures with respect to protected health information “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. It is important to remember that ‘workforce’ does not just mean paid employees. The definition of workforce is “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”

The requirement to provide training “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” acknowledges that different categories of workforce members will require different training. Therefore, HIPAA training courses should be tailored to each type of role within the organization and the policies and procedures that impact functions within that role – taking care not to provide too much unnecessary training that might obscure the key purposes of the Privacy Rule (e.g. permissible uses and disclosures, and individuals´ rights).

How Often is HIPAA Training Required?

When a new member of the workforce joins a HIPAA-covered organization, training must be provided “within a reasonable period of time after the person joins the covered entity’s workforce.” It is not necessary to provide training before work duties are commenced, but training should certainly be provided within a few days to the first few weeks. Training must also be provided when “functions are affected by a material change in the policies or procedures,” again, with the training provided “within a reasonable period of time after the material change becomes effective.”

There is no requirement for refresher HIPAA training to be provided to ensure organizational policies and procedures are not forgotten. However, it is advisable to hold refresher training sessions periodically. The best practice adopted by many healthcare organizations is to provide annual refresher HIPAA training sessions as regular HIPAA training sessions will help prevent noncompliant practices developing “to get the job done” and accidental HIPAA violations.

What Are the HIPAA Security Rule Training Requirements?

The HIPAA Security Rule training requirements are intended to ensure the confidentiality, integrity, and availability of protected health information. The Security Rule standard on training is to “Implement a security awareness and training program for all members of its workforce (including management)” and this standard applies to both covered entities and business associates.

Security awareness training should also be provided within a reasonable period of time after the person joins the workforce, and periodically thereafter. While there are no implementation specifications in the HIPAA Privacy Rule concerning training course content, the HIPAA Security Rule has addressable specifications which are security reminders, password management, log-in monitoring, and protection from malicious software. While not stated, you should provide training to help employees avoid phishing emails and other threats workforce members are likely to encounter.

How Often Must Security Awareness Training be Provided?

A few years ago, providing an annual security awareness training session was sufficient, but cyberattacks on the healthcare industry have skyrocketed in recent years, as have data breaches.

The consensus among security professionals is that an annual training session is no longer sufficient. The best practice is now to provide ongoing security awareness training, given the rapidly changing threat landscape and the sheer number of attacks that are now attempted, especially on healthcare organizations. The accepted best practice is to provide security awareness training at least twice a year, with security reminders also sent to the workforce – via email for example – to reinforce training and highlight new threats that target members of the workforce.

Other Factors that Affect the Frequency of HIPAA Training

There are several internal and external factors that can affect the frequency of HIPAA training. Internally, a risk assessment might identify the need for further training, or refresher training may be used as a sanction for a minor violation of HIPAA by a member of the workforce. Additional training might also be an option if the perception exists that patients do not trust healthcare professionals to keep their sensitive information confidential.

External factors include responding to a data breach with additional training or having HIPAA training enforced by HHS’ Office for Civil Rights (OCR) as part of a corrective action plan. In the first instance “retrained workforce members” is an option on the OCR Breach Notification Form that – provided the training can be supported by documentation – could be sufficient to avoid a breach investigation or further penalties for violating HIPAA.

In the second instance, OCR can enforce a corrective action plan on a covered entity or business associate in lieu of issuing a civil monetary penalty. Because corrective action plans most often involve the revision of policies and procedures, members of the workforce whose roles are affected by the revised policies and procedures must undergo “material change” HIPAA training, while all members of the workforce will have to undergo security training.

Penalties for the Failure to Provide HIPAA Training

When OCR issues penalties for HIPAA violations, it is usually the “headline” violation that gets noticed (i.e., data breach due to unencrypted laptop). However, in many cases, an underlying reason for a data breach is the failure to provide HIPAA training. When this is the case, OCR can increase the amount of a penalty to account for the secondary HIPAA violation. Examples of penalties for the failure to provide HIPAA training include:

In September 2020, Athens Orthopedic Clinic agreed to pay $1.5 million to resolve alleged violations of HIPAA including the failure to provide any Privacy Rule training prior to 2018. As part of a corrective plan, the Clinic was required to retrain its workforce within 30 days.

In November 2023, St. Joseph’s Medical Center agreed to an $80,000 settlement for disclosing the PHI of three patients to news reporters. Although only a few workforce members were responsible for the impermissible disclosure, all members of the workforce had to undergo refresher training as part of the settlement.

In December 2019, West Georgia Ambulance Inc agreed to pay $65,000 and adopt a corrective action plan following the loss of an unencrypted laptop containing the PHI of 500 individuals. During the investigation into the breach, OCR found the organization did not have a security awareness training program as required by §164.308.

State Attorneys General can also issue fines for violations of HIPAA; and, in October 2023, the NY State Attorney General fined Personal Touch Holding Corp. $350,000 for multiple violations of HIPAA and state law, including inadequate HIPAA security training.

Previously, a 2022 settlement between Aveanna Healthcare and the Massachusetts Attorney General had unique training requirements attached inasmuch as members of the workforce that did not complete a mandatory training course where to have access to PHI removed.

How Often is HIPAA Training Required? FAQs