Who Needs HIPAA Training?

Who Needs HIPAA Training? HIPAAGuide.net

Anybody who works for a covered entity or business associate needs HIPAA training regardless of whether they are employed by, volunteer for, or study under the direct control of the covered entity or business associate. However, due to the flexibility of the HIPAA Rules, there is no one-size-fits-all standardized HIPAA training program.

The HIPAA training requirements are that covered entities (and business associates when applicable) must train all members of the workforce on the policies and procedures the covered entity has developed with respect to Protected Health Information (PHI) in order that the members of the workforce can carry out their functions in compliance with HIPAA (§164.530).

In addition, covered entities and business associates must implement a security awareness and training program for all members of the workforce regardless of their access to PHI (§164.308). The security awareness and training program must be designed in accordance with the HIPAA Security Rule's General Rules (§164.306) to limit the risk of avoidable HIPAA violations due to a lack of knowledge or understanding.

There are issues with the HIPAA training requirements inasmuch as some covered entities may select who needs HIPAA training according to their access to PHI – ignoring the possibility that any member of the workforce could identify a celebrity patient and share their news on social media. Additionally, there are no requirements for the frequency of HIPAA training – potentially leaving gaps in workforce knowledge.

Who Qualifies as a Workforce Member?

Workforce members are defined in §160.103 of the HIPAA Administrative Simplification Regulations as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate".

There are exceptions to this definition of who needs HIPAA training. Temporary members of a covered entity's workforce who are supplied by a healthcare staffing agency remain agents of the healthcare staffing agency. Temporary members of the workforce still need HIPAA training but, other than for facility-specific procedures, the healthcare staffing agency is responsible for providing HIPAA training.


The situation regarding who needs HIPAA training is more complicated when covered entities subcontract maintenance tasks to third parties. In some cases (e.g., gardeners working at a hospital), there is a possibility that a patient's identity could be impermissibly disclosed, while in other cases (e.g., electricians working in an insurance office) there is less chance of subcontractors having access to PHI. In such borderline cases, the decision about who needs HIPAA training – and who should provide it – must be determined by a risk assessment.

What Does HIPAA Training Consist Of?

The HIPAA training required by §164.530 consists of training on the policies and procedures implemented by the covered entity (or business associate when applicable) to comply with the HIPAA Privacy Rule. Because each covered entity must implement policies and procedures that take into account the size and type of activities that the covered entity engages in, there is no one-size-fits-all standardized HIPAA training program.

The content of the security awareness and training program required by §164.308 must be based on a risk analysis that takes into account threats to the confidentiality, integrity, and availability of electronic PHI and reasonably anticipated uses and disclosures of electronic PHI that are not permitted by the HIPAA Privacy Rule. For this reason, it should be explained why software is configured in the way that it is, to prevent workforce members attempting to circumvent access controls or download unsanctioned apps "to get the job done".

Because HIPAA training must be based on policies and procedures, risk assessments, and periodic technical and nontechnical evaluations, different types of covered entities and business associates can have widely different types of HIPAA training programs. The two examples below illustrate how one type of covered entity may have far more training obligations than one type of business associate.

Example 1 – Who Needs HIPAA Training in a Hospital?

As all members of a hospital's workforce have access to PHI – whether visual, audible, or electronic – all members of a hospital's workforce require HIPAA awareness training. HIPAA awareness training consists of topics such as what is considered PHI under HIPAA, why it needs protecting, and what the sanctions are for impermissibly disclosing PHI or knowingly causing PHI to be impermissibly disclosed.

Beyond HIPAA awareness training, public facing members of the workforce must receive policy and procedure training on topics such as the minimum necessary standard, obtaining patient consent and authorizations, and the verification requirements. The verification requirements are necessary to prevent the wrongful use of PHI and to verify the identities of individuals seeking information about hospitalized patients.

Example 2 – Why "No View" CSPs Need HIPAA Training

No view CSPs are cloud service providers who provide a service for a covered entity as a business associate, but who cannot view the PHI shared with them because it is encrypted by the covered entity who also holds the decryption key. Examples of no view CSPs include some data storage providers and password manager vendors; and, in such cases, user access to PHI is managed and controlled by the covered entity.

Nonetheless, members of the workforce should still receive HIPAA awareness training so that they understand what the protected information consists of and why it is highly sought by cybercriminals. Workforce members must also participate in a security awareness and training program to mitigate the risk of a cybercriminal accessing databases containing PHI and encrypting it with ransomware – thus making it unavailable.

Workforce Self-Responsibility for HIPAA Training

So far, the discussion about who needs HIPAA training has focused on covered entities' and business associates' responsibilities. However, workforces have self-responsibility for HIPAA awareness training. This is because, under §164.530(e) of the HIPAA Privacy Rule, workforce members can be sanctioned for any violation of the HIPAA Privacy and Breach Notification Rules, even when the violated standard has not been covered in HIPAA training.

Due to the risk of being sanctioned because of a lack of training, workforce members who are not confident about their HIPAA knowledge should invest in an accredited HIPAA awareness training course. Typically, courses of this nature cover all the basics of HIPAA compliance – helping workforce members put policy and procedure training and security awareness training into context and further reducing the likelihood of a HIPAA sanction.

Who Else Needs HIPAA Training?

In addition to the requirements of the HIPAA Privacy Rule and HIPAA Security Rule for workforce members, there are thousands of jobs advertised on the Internet for which a knowledge of HIPAA is a requirement. In some cases, prospective employers specifically request candidates have a certificate or other documentation proving they have completed a HIPAA training course.

Jobseekers who have not previously been employed in the healthcare or health insurance industries – or who have not previously been trained by a business associate – can acquire proof of HIPAA training by investing in an accredited HIPAA awareness training course the same as those available to workforce members. The investment will be worth it if it helps the candidate acquire a better paid position.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/