HIPAA Refresher Training

The term HIPAA refresher training can mean different things to different people. For some it may mean HIPAA-mandated Privacy Rule training after a material change to policies and procedures, the provision of training to mitigate a threat identified in a risk assessment, or part of a security and awareness training program as required by the Security Rule.

For others, HIPAA refresher training is a scheduled event, often conducted annually, that refreshes the knowledge of the workforce. While there is no requirement in HIPAA for Covered Entities and Business Associates to provide HIPAA refresher training of this nature, periodic reminders of the HIPAA Rules can have a positive effect on workforce compliance.

There is also a school of thought that periodic HIPAA refresher training can reduce the number of threats identified in risk assessments (because threats are identified and reported by well-trained members of the workforce as they manifest), and that integrating refresher training with security and awareness training can add context to a security and awareness training program.

The Different Types of Training in Greater Detail

When employees, students, volunteers, or any other workforce members start working for a Covered Entity, the HIPAA Privacy Rule requires training to be provided on the Covered Entity’s “policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity” (45 CFR § 164.530).

Thereafter, further Privacy Rule training on the policies and procedures is only necessary if there is a material change in the policies and procedures, if a need for further training is identified in a risk assessment, or if further training is part of a corrective action plan issued by HHS’ Office for Civil Rights following an investigation, an audit, or an inspection.

In addition to Privacy Rule training, Covered Entities and Business Associates are required to implement a security and awareness training program for all members of the workforce (45 CFR § 164.308). Unlike the one-off nature of material change, risk assessment, or corrective action training, a security and awareness training program should be ongoing.

What Does HIPAA Refresher Training Consist Of?

There is no one-size-fits-all HIPAA refresher training course because the functions of Covered Entities and Business Associates (and their workforces) can vary significantly. Nonetheless, a course based on the Privacy Rule could include modules on allowable uses and disclosures, patients’ rights, the Minimum Necessary Standard, and procedures for reporting a violation of HIPAA.

If HIPAA refresher training is being integrated with security and awareness training, modules could be included in the course to refresh the knowledge of the workforce on topics such as computer safety rules and mobile device protection, how to protect ePHI from cyber threats, and the HITECH Act – the driver behind the digitalization of the healthcare industry.

Of course, refresher training does not have to be a choice between Privacy Rule training or Security Rule training. When Covered Entities and Business Associates take advantage of modular training courses, the modules can be mixed and matched to best suit the needs of the workforce or to ensure every training course is different from the last.

The Importance of Documenting All HIPAA Training

Under the Privacy Rule, Covered Entities are required to document initial training and any subsequent “material change” training. There are no requirements to document training provided as the result of a risk assessment or as part of a corrective action plan. There are also no requirements to document security and awareness training or HIPAA refresher training.

However, it is important that all HIPAA training is documented because, in the event of an investigation, audit, or inspection, organizations have a burden of proof to demonstrate they have taken steps to reduce the likelihood of a foreseeable HIPAA violation occurring. Documented training can be evidence that Covered Entities and Business Associates have met their compliance obligations.

In addition to documenting evidence of training, Covered Entities and Business Associates should also maintain a copy of the reason(s) that prompted training along with the training documentation: for example, a change in policies and procedures, a risk assessment, or any threat identified and reported by a well-trained member of the workforce who has undergone HIPAA refresher training.