All staff members must receive training on HIPAA Rules and Compliance, but when is the best time to provide training and promote HIPAA awareness? How regularly should HIPAA retraining take place?
HIPAA-covered entities, business associates and subcontractors must all comply with HIPAA Rules, and all employees must receive proper training on their responsibilities under HIPAA. If training is not provided, employees will be aware neither of the precautions they must take when handling PHI nor of the allowable uses and disclosures. If employees are not properly trained, HIPAA violations will be inevitable. To reduce the risk of a HIPAA violation to the lowest possible level, HIPAA training should ideally be provided before any member of staff is granted access to PHI, although the Privacy Rule only requires training to be provided to new employees “within a reasonable timeframe”.
Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies, and HIPAA best practices. All employees should have a good working knowledge of the HIPAA Rules that relate to their role. The organization’s sanction policy should be clearly explained, along with the criminal penalties for HIPAA violations.
Extra training must also be given whenever there is a material change to HIPAA Rules or internal policies in relation to PHI, following the release of new guidance, or after the implementation of new technology.
Training on HIPAA Must Not be a One-Time Event
Providing training at the beginning of an employment contract is essential, but training cannot be a one-time occurrence. It is vital to ensure employees do not neglect their responsibilities under HIPAA, and without periodic retraining, employees may forget certain aspects of HIPAA.
HIPAA does not state how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be completed ‘regularly.’ The industry best practice is for retraining to take place once per year.
The HIPAA Privacy Rule administrative requirements, outlined in 45 CFR § 164.530, require all staff members to be given training on HIPAA Rules and on the policies and procedures with respect to PHI. Training should be provided, as appropriate, to allow employees to carry out their work duties and functions within the covered entity in full compliance with HIPAA Rules.
That means a one-size-fits-all approach to HIPAA training is not ideal. HIPAA training for the IT department will need to cover different requirements of the HIPAA Rules than the training required by administrative workers.
The HIPAA standard 45 CFR § 164.308(a)(5) includes two types of training: job-specific training and security awareness training. While it is vital to provide training to ensure HIPAA compliance, security awareness training is also essential given the extent to which healthcare organizations, and healthcare employees, are targeted by hackers and other cybercriminals.
Promoting HIPAA Awareness
There are many ways that healthcare organizations can promote HIPAA awareness. While formal training sessions can be run on a yearly basis, newsletters, email bulletins, posters, and quizzes can all help promote and maintain awareness of HIPAA Rules.
In the case of security awareness training, this is vitally important. Yearly training on HIPAA is good practice, but it is vital to promote HIPAA awareness with respect to security more often. It is good practice to provide security awareness training twice a year and to issue cybersecurity updates on a monthly basis. Any specific threats to the workforce, new phishing threats for example, should be relayed as necessary. However, care should be taken not to bombard employees with too much threat information, so that they do not suffer from alert fatigue.
What is the Requirement for HIPAA Retraining?
Along with annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security breach. This helps keep the risk of repeat occurrences to a minimum.
If an individual has been found to have violated HIPAA Rules, and the violation is not severe enough to warrant termination, the individual must be retrained on HIPAA requirements. A covered entity should also investigate whether other individuals are committing the same type of violation, as it may be appropriate to provide retraining to others in the organization. If one member of staff makes a mistake with HIPAA, it is possible that others have failed to understand HIPAA requirements and are making similar errors.
Promoting HIPAA awareness: FAQ
What does HIPAA say about when training should take place?
HIPAA does not provide many guidelines on HIPAA training. Other than stipulating that employees should be trained within a reasonable timeframe of the start of their employment, and that all employees should receive “regular” training, HIPAA has no other requirements regarding the timing of training. Industry best practice defines “regularly” as “annually”. Additional training sessions should be provided if there are changes to HIPAA or to workplace protocols.
What should be covered in HIPAA training?
HIPAA is a broad act, covering many different aspects of patient privacy. Employees should be versed in HIPAA definitions (such as protected health information and business associate agreements), their duties under the HIPAA Privacy Rule and HIPAA Security Rule, the protocols in place to protect patient privacy, what to do if a breach of PHI occurs, when PHI can be used and disclosed, and the major threats facing PHI. In some cases, job-specific training can be provided.
Aside from HIPAA training, how else can awareness be promoted?
Training can be an annual event, but there are other means of ensuring that employees remain constantly aware of their obligations under HIPAA. Posters can be placed around the workplace reminding employees of particular protocols. For example, posters reminding employees to lock filing cabinets may be placed at the exits of offices, or flyers highlighting the characteristics of a phishing email can be placed in offices. Other means of maintaining HIPAA awareness include regular newsletters or quizzes on protocols.
Who is responsible for providing HIPAA training?
Each covered entity must have a HIPAA Privacy Officer and a HIPAA Security Officer (though in smaller organizations both roles may be assigned to the same individual). These officers are responsible for training all employees in HIPAA compliance, including organizing regular “refresher” sessions and keeping employees up to date with any changes in protocol.