HIPAA Training for Students


Because the HIPAA Privacy Rule defines students as members of a Covered Entity's workforce, HIPAA training for students should be the same as that for employees. However, in many cases, students may require additional HIPAA training in order to avoid unintentional violations of HIPAA attributable to a lack of knowledge and experience.

When medical students start on the path to becoming healthcare professionals, their knowledge of the Healthcare Insurance Portability and Accountability Act is likely to be minimal – if they have heard of HIPAA at all! Consequently, it is important that medical students are trained on what HIPAA is, what its objectives are, and how it is enforced before they encounter patients and their PHI.

However, the training requirements of the Privacy Rule (45 CFR § 164.530) and Security Rule (45 CFR § 164.308) make no mention of providing a background of HIPAA to medical students. The Rules only require Covered Entities to train members of the workforce on policies and procedures with respect to PHI and to implement a security and awareness training program to protect ePHI.

Students who have not been trained on what HIPAA is, what its objectives are, and how it is enforced may find it difficult to comply with policies and procedures if they don't know the context under which the policies and procedures have been developed. Similarly, students may not use technology securely because they do not understand what uses and disclosures of ePHI are permissible.

To overcome unintentional violations of HIPAA attributable to a lack of knowledge, Covered Entities should include basic HIPAA training in the early stages of the curriculum. Refresher HIPAA training should also be provided at least annually throughout the duration of the students' education, as there is so much else for students to absorb, and some elements of HIPAA could easily be forgotten.

What to Include in Refresher HIPAA Training for Students

In addition to the training requirements of the Privacy Rule and the Security Rule, Covered Entities are required to provide HIPAA training whenever there is a material change to their policies and procedures that affects the functions of healthcare workers, whenever a risk analysis identifies a need for further training, and whenever training is a requirement of an OCR corrective action plan.

The above events would take precedence over any other refresher HIPAA training. However, in the absence of an event that triggers mandated training, refresher HIPAA training for students should cover the most frequent causes of unintentional HIPAA violations such as unauthorized uses and disclosures of PHI, the denial of patients' rights, and disclosing more than the minimum necessary.

Refresher HIPAA training for students can also be integrated with Covered Entities' security and awareness training programs. This allows Covered Entities to train students on more advanced topics such as computer safety rules, cybersecurity dangers, and how to protect ePHI from cybercriminals in the context of safeguarding the confidentiality, integrity, and availability of ePHI.

It is important not to make refresher HIPAA training for students an informal event led by a preceptor or other healthcare professional. All HIPAA training has to be documented – even training provided during clinical rotations and other work experience. Therefore, it can be a good idea to adopt a training program that monitors students' progress through online modules.

Providing Refresher Training to All Members of the Workforce

Online HIPAA training modules have multiple advantages over classroom-style HIPAA training for students. They are typically short in length, can be completed whenever time allows between other training commitments, and can be referred back to whenever necessary. As mentioned above, it is also possible to monitor and document students' progress via a Learning Management System.

While off-the-shelf online HIPAA training modules can never replace policy and procedure training (because each Covered Entity's policies and procedures are unique), they are ideal for providing the background information students need to better understand policy and procedure training, and for providing refresher HIPAA training for students throughout their education.

It can also be a good idea to test the knowledge of other members of the workforce using online HIPAA training modules. Unless an event has occurred that has triggered mandated training, it might be many years since experienced members of the workforce have had any HIPAA training; and asking experienced members of the workforce to complete a couple of refresher modules could identify where standards have slipped or where shortcuts have been taken with compliance.

Ultimately, the goal of any HIPAA training for students and non-students should be to cultivate a HIPAA-compliant workforce. Online HIPAA training modules make it easier for Covered Entities to reach and maintain that goal while complying with the HIPAA training requirements and mitigating the risk of unintentional HIPAA violations attributable to a lack of knowledge and experience.