All staff members must receive training on HIPAA Rules and compliance, but when is the best time to promote HIPAA awareness, and how regularly should HIPAA retraining happen?
HIPAA-covered bodies, business associates and subcontractors must all comply with HIPAA Rules, and all employees must receive proper HIPAA training. Ideally, HIPAA training should be provided before any member of staff is granted access to PHI.
Training should be on topics including: the allowable uses and disclosures of PHI, patient privacy, data security, job-specific details, internal policies covering privacy & security, and HIPAA best practices.
The penalties for HIPAA breaches, and the consequences for individuals found to have violated HIPAA Rules, must also be outlined. If workers do not receive training, they will not be aware of their duties, and privacy violations are likely to happen.
Extra training must also be given whenever there is a material change to HIPAA Rules or to internal policies relating to PHI, following the release of new guidance, or after the implementation of new technology.
Training on HIPAA Must Not be a One-Time Event
Providing training at the beginning of an employment contract is essential, but training cannot be a one-time occurrence. It is vital to ensure employees do not neglect their responsibilities, so retraining is necessary and is a requirement for continued HIPAA compliance.
HIPAA does not state how often retraining should occur; this is left to the discretion of the covered body. HIPAA only requires retraining to be completed ‘regularly.’ The industry best practice is for retraining to take place once per year.
The HIPAA Privacy Rule administrative requirements, outlined in 45 CFR § 164.530, require all staff members to be given training on HIPAA Rules and on the policies and procedures that apply to PHI. Training should be provided as is appropriate for employees to carry out their work duties and functions within the covered body.
Because of this, a single training program will not be the correct fit for all members of staff: HIPAA training for the IT department will most likely differ from the training given to administrative workers. The Privacy Rule requires training to be given to all new employees “within a reasonable timeframe”.
The HIPAA standard 45 CFR § 164.308(a)(5) includes two types of training – job-specific training and security awareness training – neither of which can be a one-time occurrence.
While it is vital to provide training for HIPAA compliance and security awareness, it is also important to make sure that the training has been understood and is remembered, and to ensure that HIPAA Rules are adhered to on a day-to-day basis. It is therefore recommended that you promote HIPAA awareness throughout the year.
Methods of Promoting HIPAA Awareness
There is no uniform rule for HIPAA retraining, and there are many ways that healthcare bodies can promote HIPAA awareness. While formal training sessions can be run on a yearly basis, newsletters, email bulletins, posters, and quizzes can all help promote and maintain awareness of HIPAA Rules.
In the case of security awareness training this is vitally important. Yearly HIPAA training is good practice, but security awareness should be promoted more often. A good best practice is to provide security awareness training twice a year and to issue cybersecurity updates on a monthly basis. Any specific threats to the workforce, new phishing campaigns for example, should be relayed as necessary. However, care should be taken not to bombard employees with too much threat information, so that they do not suffer from alert fatigue.
When is HIPAA Retraining Required?
Along with annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security breach and after a data violation has occurred.
While the individuals concerned should be retrained, it is good practice to treat these incidents as an opportunity to retrain all staff so that similar breaches do not happen going forward. If one member of staff makes a mistake with HIPAA, it is likely that others have also failed to understand HIPAA requirements or are making similar errors.