Is HIPAA Training Required Annually?
HIPAA Privacy Rule training should be provided at least annually if the requirements for refresher training are not triggered by another event. In addition, HIPAA security awareness training should be an ongoing program that consists of multiple scheduled training sessions per year plus regular security awareness reminders.
When discussing whether HIPAA training is required annually, it is best to start by acknowledging that neither the HIPAA Privacy Rule nor the HIPAA Security Rule contains a standard that requires annual HIPAA training. Nonetheless, there are multiple standards throughout both HIPAA Rules that could trigger additional training requirements if certain events occur.
These events include, but are not limited to, material changes to policies and procedures, technical and nontechnical evaluations, risk assessments, and workforce sanctions/corrective action plans. It is also the case that other regulations in the healthcare and health insurance industries have annual training requirements into which HIPAA training may be integrated.
Material Changes to Policies and Procedures
The HIPAA Privacy Rule training standard (§164.530(b)) requires covered entities to provide “policy and procedure training” for all members of the workforce “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”. This standard also applies to business associates “where provided” (see §160.102(b)).
Thereafter, further HIPAA training must be provided when “functions are affected by a material change in the policies and procedures required by this subpart (the HIPAA Privacy Rule) or subpart D of this part (the HIPAA Breach Notification Rule)”. However, only workforce members whose functions are affected by the material change are required to receive further training.
For example, when the standards relating to attestations were introduced in April 2024 (§164.509), all members of the workforce should have received “material change training”. But, if the language of an organization’s breach notification letters changes, only members of the workforce who receive enquiries from breach victims need to receive material change training.
HIPAA Evaluations and Risk Assessments
Although the standards relating to periodic “technical and nontechnical evaluations” and “risk assessments” appear in the HIPAA Security Rule (§160.308(a)), it is important to remember when conducting evaluations and assessments that electronic Protected Health Information (ePHI) is a subset of Protected Health Information (PHI). They are not two separate items.
Therefore, if a periodic nontechnical evaluation identifies that a member of the workforce with access to ePHI does not understand what is considered PHI under HIPAA or when the minimum necessary standard applies, there is a reasonably anticipated threat to the security, integrity, and availability of ePHI due to the workforce member’s lack of HIPAA Privacy Rule knowledge.
In such circumstances, it is necessary to provide the workforce member with refresher HIPAA training even though there has been no material change to policies and procedures and no violation of the HIPAA Privacy Rule. The failure to provide refresher HIPAA training when a threat attributable to a lack of knowledge has been identified is itself a violation of HIPAA.
Workforce Sanctions and Corrective Action Plans
Covered entities and business associates are required to impose sanctions on members of the workforce for any violation of the HIPAA Privacy Rule (§164.530(e)) or for any failure to comply with policies and procedures developed to comply with the HIPAA Security Rule (§164.308(a)). This requirement applies even when a member of the workforce has not received training on the Privacy Rule standard or Security Rule policy/procedure they have violated.
Most HIPAA sanction policies consist of three or four tiers with varying levels of sanctions depending on the nature of the HIPAA violation. Level 1 sanctions for minor violations (e.g., failing to log off a workstation with access to ePHI) most often consist of a verbal or written warning and retraining of the workforce member. Refresher HIPAA training may be provided to a whole team or department if a culture of non-compliance with HIPAA is identified.
Corrective action plans are remedial actions imposed on a covered entity or business associate by HHS’ Office for Civil Rights in lieu of a civil monetary penalty for non-compliance with HIPAA. Most corrective action plans involve workforce retraining. According to the agency’s most recent report to Congress, HHS’ Office for Civil Rights resolved 674 HIPAA complaints and breach notifications with corrective action plans during calendar year 2022.
Other Annual Training Requirements
Although HIPAA training is not required annually, there are many other laws and regulations with annual training requirements into which HIPAA training may be integrated. Examples include OSHA’s Bloodborne Pathogens standard (§1910.130(g)(2)) and CMS’ Emergency Planning requirements (81 FR 63860). Most states also have Continuing Medical Education (CME) requirements, which, in some circumstances, can include HIPAA training.
When including HIPAA training among the CME requirements, it is important that the HIPAA training is accredited by a recognized training assessor, e.g., the American Health Information Management Association (AHIMA), and that the training awards Continuing Education Units (CEUs). By taking advantage of HIPAA awareness training courses of this nature, members of the workforce can refresh their HIPAA knowledge and receive a HIPAA certification at the completion of training.
Is HIPAA Training Required Annually? Summary
There are many circumstances in which HIPAA training will be provided to some or all of a workforce at least annually. These circumstances include when there is a change in the HIPAA Rules which forces a change in policies and procedures, when a need for training is identified during an evaluation or risk assessment, and when HIPAA training is used as a sanction by a covered entity or business associate, or by HHS’ Office for Civil Rights in lieu of a financial penalty.
If none of the events mentioned above occur, or if HIPAA training is not integrated into other annual training requirements, it is a best practice to provide HIPAA Privacy Rule training at least annually. It is also advisable to more closely align security awareness training with the HIPAA Privacy Rule in order to make workforce members with non-public facing roles more aware of the cybersecurity threats to PHI and the reasons why avoidable HIPAA violations occur.