Is HIPAA Training Required Annually?

HIPAAGuide.net

HIPAA Privacy Rule training should be provided at least annually if the requirements for refresher training are not triggered by another event. In addition, HIPAA security awareness training should be an ongoing program that consists of multiple scheduled training sessions per year plus regular security awareness reminders.

When discussing the question of whether HIPAA training is required annually, it is best to start by acknowledging that no standard in either the HIPAA Privacy Rule or the HIPAA Security Rule requires annual HIPAA training. Nonetheless, there are multiple standards throughout both HIPAA Rules that could trigger additional training requirements if certain events occur.

These events include, but are not limited to, material changes to policies and procedures, technical and nontechnical evaluations, risk assessments, and workforce sanctions/corrective action plans. Other regulations in the healthcare and health insurance industries also have annual training requirements into which HIPAA training may be integrated.

Material Changes to Policies and Procedures

The HIPAA Privacy Rule training standard (§164.530(b)) requires covered entities to provide "policy and procedure training" for all members of the workforce "as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity". This standard also applies to business associates "where provided" (see §160.102(b)).

Thereafter, further HIPAA training must be provided when "functions are affected by a material change in the policies and procedures required by this subpart (the HIPAA Privacy Rule) or subpart D of this part (the HIPAA Breach Notification Rule)". However, only workforce members whose functions are affected by the material change are required to receive further training.

For example, when the standards relating to attestations were introduced in April 2024 (§164.509), all members of the workforce should have received "material change training". But, if the language of an organization's breach notification letters changes, only members of the workforce who receive enquiries from breach victims need to receive material change training.


HIPAA Evaluations and Risk Assessments

Although the standards relating to periodic "technical and nontechnical evaluations" and "risk assessments" appear in the HIPAA Security Rule (§160.308(a)), it is important to remember when conducting evaluations and assessments that electronic Protected Health Information (ePHI) is a subset of Protected Health Information (PHI). They are not two separate items.

Therefore, if a periodic nontechnical evaluation identifies that a member of the workforce with access to ePHI does not understand what is considered PHI under HIPAA or when the minimum necessary standard applies, there is a reasonably anticipated threat to the security, integrity, and availability of ePHI due to the workforce member's lack of HIPAA Privacy Rule knowledge.

In such circumstances, it is necessary to provide the workforce member with refresher HIPAA training even though there has been no material change to policies and procedures and no violation of the HIPAA Privacy Rule. The failure to provide refresher HIPAA training when a threat attributable to a lack of knowledge has been identified is itself a violation of HIPAA.

Workforce Sanctions and Corrective Action Plans

Covered entities and business associates are required to impose sanctions on members of the workforce for any violation of the HIPAA Privacy Rule (ยง164.530(e)) or for any failure to comply with policies and procedures developed to comply with the HIPAA Security Rule (ยง164.308(a)). This requirement applies even when a member of the workforce has not received training on the Privacy Rule standard or Security Rule policy/procedure they have violated.

Most HIPAA sanction policies consist of three or four tiers with varying levels of sanctions depending on the nature of the HIPAA violation. Level 1 sanctions for minor violations (e.g., failing to log off of a workstation with access to ePHI) most often consist of a verbal or written warning and retraining of the workforce member. Refresher HIPAA training may be provided to a whole team or department if a culture of non-compliance with HIPAA is identified.

Corrective action plans are remedial actions imposed on a covered entity or business associate by HHS' Office for Civil Rights in lieu of a civil monetary penalty for non-compliance with HIPAA. Most corrective action plans involve workforce retraining. According to the agency's most recent report to Congress, HHS' Office for Civil Rights resolved 674 HIPAA complaints and breach notifications with corrective action plans during calendar year 2022.

Other Annual Training Requirements

Although HIPAA training is not required annually, there are many other laws and regulations with annual training requirements into which HIPAA training may be integrated. Examples include OSHA's Bloodborne Pathogens standard (§1910.130(g)(2)) and CMS' Emergency Planning requirements (81 FR 63860). Most states also have Continuing Medical Education (CME) requirements, which, in some circumstances, can include HIPAA training.

When including HIPAA training among the CME requirements, it is important that the HIPAA training is accredited by a recognized training assessor, such as the American Health Information Management Association (AHIMA), and that the training awards Continuing Education Units (CEUs). By taking advantage of HIPAA awareness training courses of this nature, members of the workforce can refresh their HIPAA knowledge and receive a HIPAA certification at the completion of training.

Is HIPAA Training Required Annually? Summary

There are many circumstances in which HIPAA training will be provided to some or all of a workforce at least annually. These circumstances include when there is a change in the HIPAA Rules which forces a change in policies and procedures, when a need for training is identified during an evaluation or risk assessment, and when HIPAA training is used as a sanction by a covered entity or business associate, or by HHS' Office for Civil Rights in lieu of a financial penalty.

If none of the events mentioned above occur, and HIPAA training is not integrated into other annual training requirements, it is a best practice to provide HIPAA Privacy Rule training at least annually. It is also advisable to align security awareness training more closely with the HIPAA Privacy Rule in order to make workforce members in non-public-facing roles more aware of the cybersecurity threats to PHI and the reasons why avoidable HIPAA violations occur.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/