Is HIPAA Training Required by Law?
HIPAA training is required by law if an individual or organization qualifies as a covered entity or business associate as defined in the HIPAA Administrative Simplification Regulations (§160.103). However, the minimum HIPAA training required by law may not be adequate to prevent avoidable HIPAA violations due to a lack of knowledge or understanding.
There are two standards in the HIPAA Administrative Simplification Regulations that relate to HIPAA training. The first – §164.308 of the HIPAA Security Rule – states that covered entities and business associates must “implement a security awareness and training program for all members of its workforce (including management)”.
The second standard – §164.530 of the HIPAA Privacy Rule – states that covered entities must “train all members of its workforce on the policies and procedures with respect to Protected Health Information […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”.
The Standards Can Sometimes be Misinterpreted
Taken in isolation from other HIPAA Administrative Simplification Regulations, the standards can sometimes be misinterpreted. For example, the HIPAA Security Rule training standard – by itself – does not require the HIPAA training required by law to be HIPAA-centric. However, this standard must be complied with “in accordance with §164.306”.
§164.306 of the HIPAA Security Rule (the “General Rules”) requires covered entities and business associates to:
(1) Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
(4) Ensure compliance with this subpart (the HIPAA Security Rule) by the workforce.
It is not a requirement of HIPAA that all members of the workforce are trained on what is considered PHI under HIPAA or when it can be permissibly used or disclosed. Therefore, it could be the case that some workforce members fail to comply with the HIPAA Security Rule due to a lack of knowledge or the failure to understand security policies in context.
This risk to the confidentiality, integrity, and availability of electronic PHI should be identified in a risk assessment and the risk “managed” by the provision of basic HIPAA Privacy Rule training for all members of the workforce. The provision of basic HIPAA Privacy Rule training will help prevent avoidable HIPAA violations due to a lack of knowledge.
HIPAA Privacy Rule Policy and Procedure Training
With regard to the Privacy Rule HIPAA training required by law, the standard relating to HIPAA training (§164.530) states that the training requirements only apply to covered entities. However, the Applicability clause of the HIPAA General Provisions (§160.102) states that any standard can also apply to business associates “where provided”.
This means if a business associate has access to PHI in any format, the business associate must develop policies and procedures to ensure the privacy of PHI. The business associate must also train members of its workforce on applicable policies and procedures in order that they carry out their functions in compliance with HIPAA.
In many scenarios, limiting HIPAA Privacy Rule training to just policies and procedures can leave gaps in workforce knowledge – for both covered entities and business associates. For example, members of the catering team will not require training on the procedures for acquiring patient authorizations, but they will need training on why it is not permissible to disclose PHI to family or friends, or to a wider audience via social media.
It is also important to note that all members of the workforce can be sanctioned for violations of the HIPAA Privacy Rule and HIPAA Breach Notification Rule – even when HIPAA training has not been provided on the violated standard. Covered entities and business associates that do not apply and document sanctions following a violation of HIPAA by a member of the workforce are themselves in violation of HIPAA.
Training Beyond the HIPAA Training Required by Law
Because of the risks of avoidable HIPAA violations attributable to a lack of knowledge, it is advisable that HIPAA training consists of more than the minimum HIPAA training required by law. However, extending existing training programs to include basic HIPAA Privacy Rule training – and provide the training to all members of the workforce – can be challenging and result in cognitive overload for some members of the workforce.
For this reason, it is advisable to invest in an off-the-shelf HIPAA awareness training package that covers the basics of HIPAA so that policy and procedure training and/or security awareness training is better understood by members of the workforce. These packages can often be completed remotely and award a certificate when the training course is completed so organizations can monitor who has taken the training.
Individual workforce members can also benefit from investing in an off-the-shelf training package to improve their HIPAA knowledge and avoid sanctions. Ideally, the packages should be accredited by a recognized training assessor – for example, the American Health Information Management Association (AHIMA) – and award a certificate for the successful completion of a test rather than for self-attestation.