The Health Insurance Portability and Accountability Act (HIPAA) requires training to be provided to new hires, but training cannot be a one-time event. Covered entities and business associates must also conduct HIPAA refresher training sessions to ensure employees do not forget their responsibilities under HIPAA. Regular security awareness training must also be provided to the workforce to keep employees up to date on threats and to reinforce security best practices.
While both the HIPAA Privacy and Security Rules call for training to be provided, the HIPAA text does not tell covered entities and business associates how often to provide refresher training sessions, only stating that training must be provided “periodically.” It is left to the discretion of each covered entity and business associate to determine how regularly to provide HIPAA refresher training to the workforce.
How Often Should HIPAA Refresher Training be Provided?
The purpose of refresher training is to reinforce the requirements of the HIPAA Rules to help ensure continued compliance. Any covered entity or business associate that fails to provide regular training sessions could be fined by the HHS’ Office for Civil Rights or state Attorneys General. While no financial penalty has been imposed by OCR solely for a training failure, there have been fines for covered entities that have suffered a data breach where a lack of training was a cited HIPAA violation and increased the financial penalty.
To avoid accidental HIPAA violations and fines, HIPAA refresher training should be provided to the workforce at least every two years. The industry best practice is to provide training on the HIPAA Rules annually. It is also a requirement to provide refresher security awareness training to the workforce, and these training sessions should also be provided annually.
Employee Training on the HIPAA Rules
HIPAA training for employees is a requirement of the HIPAA Privacy Rule, which states that employees must be provided with training “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” In addition to providing training “within a reasonable period of time after the person joins the covered entity’s workforce,” training must be provided periodically and when “functions are affected by a material change in the policies or procedures.”
You should go back to basics with HIPAA refresher training. It is important to cover all aspects of HIPAA that were covered in your initial HIPAA training sessions to ensure that no requirements are forgotten. As with initial training, training courses should be tailored to the role of each individual. You should also review any changes to business practices and any new technology introduced since your last training session, and ensure the training course is updated accordingly.
HIPAA Security Awareness Training Guidelines
Security awareness training is a requirement of the HIPAA Security Rule’s administrative safeguards. If employees are not made aware of the potential threats to the confidentiality, integrity, and availability of protected health information, they cannot be expected to recognize and avoid those threats. It is also important to teach security best practices to reduce the risk of a data breach. By providing regular security awareness training, common mistakes that often lead to data breaches can be avoided.
The threat landscape is constantly changing, so employees need to be kept up to date on new threats. Training should cover all threats that employees are likely to encounter, with particular emphasis on how to identify and avoid phishing emails, how to protect against malicious software, and how to manage passwords securely. You should reemphasize cybersecurity best practices and explain again how to work securely with ePHI and how certain data practices place patient privacy at risk.
In addition to an annual refresher training session, security reminders should be sent to the workforce more frequently to keep security front of mind and to reinforce training. The HIPAA Security Rule specifically mentions security reminders. If these are not issued, the reason for that decision must be documented.
Be Sure to Log Your HIPAA Refresher Training Sessions
You must be able to prove that you have provided HIPAA refresher training to the workforce. All training sessions must be recorded in a log that includes the names of all employees, the date training was provided, and what training was given. Your training log should be kept with all other HIPAA documentation. Regulators are very likely to ask for evidence that training has been provided in the event of a data breach, audit, or compliance investigation.