All staff members must receive training on HIPAA Rules and Compliance, but when is the best time to provide training and promote HIPAA awareness? How regularly should HIPAA retraining take place?
HIPAA-covered entities, business associates and subcontractors must all comply with HIPAA Rules, and all employees must receive proper training on their responsibilities under HIPAA. If training is not provided, employees will not be aware of the precautions they must take when handling PHI and neither the allowable use and disclosures. If employees are not properly trained, HIPAA violations will be inevitable. To reduce the risk of a HIPAA violation to the lowest possible level, HIPAA training should ideally be provided before any member of staff is granted access to PHI, although the Privacy Rule only requires training to be provided to new employees “within a reasonable timeframe”.
Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering, and HIPAA best practices. All employees should have a good working knowledge of HIPAA Rules that relate to their role. The organization’s sanction policy should be clearly explained along with the criminal penalties for HIPAA violations.
Extra training must also be given whenever there is a material change to HIPAA Rules or internal policies in relation to PHI, following the release of new guidance, or after the implementation of new technology.
Training on HIPAA Must Not be a One-Time Event
Providing training at the beginning of an employment contract is essential, but training cannot be a one-time occurrence. It is vital to ensure employees do not neglect their responsibilities under HIPAA. Without periodic retraining, employees may forget certain aspects of HIPAA.
HIPAA does not state how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be completed ‘regularly.’ The industry best practice is for retraining to take place once per year.
The HIPAA Privacy Rule Administrative requirements, outlined in 45 CFR § 164.530, require all staff members to be given training on HIPAA Rules and policies and procedures with respect to PHI. Training should be provided, as appropriate, to allow employees to complete their work duties and functions within the covered entity in full compliance with HIPAA Rules.
That means that a one size fits all approach to HIPAA training is not ideal. HIPAA training for the IT department will need to cover different requirements of HIPAA Rules to the training required by administrative workers.
The HIPAA standard 45 CFR § 164.308(a)(5) includes two types of training – Job-specific training and security awareness training. While it is vital to provide training to ensure HIPAA compliance, given the extent to which healthcare organizations – and healthcare employees – are targeted by hackers and other cybercriminals, security awareness training is also essential.
Promoting HIPAA Awareness
There are many ways that healthcare organizations can promote HIPAA awareness. While formal training sessions can be run on an yearly basis, the use of newsletters, email bulletins, posters, and quizzes can all help promote and maintain awareness of HIPAA Rules.
In the case of security awareness training this is vitally important. Yearly training on HIPAA is a good best practice, but it is vital to promote HIPAA awareness with respect to security more often. It is a good best practice to provide security awareness training twice a year and issue cybersecurity updates on a monthly basis. Any specific threats to the workforce should be relayed as is necessary – new phishing threats for example. However, care should be taken not to bombard employees with too much threat information, to prevent employees suffering from alert fatigue.
What is the Requirement for HIPAA Retraining?
Along with annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security breach. This can help to make sure that the risk of repeat occurrences is kept to a minimum.
If an individual has been discovered to have violated HIPAA Rules, and the violation is not severe enough to warrant termination, the individual must be retrained on HIPAA requirements. A covered entity should also investigate to determine whether other individuals are also committing the same type of violation. It may be appropriate for retraining to be provided to others in the organization. If one member of staff makes a mistake with HIPAA, it is possible that others have failed to understand HIPAA requirements and are making similar errors.