Many covered entities have criticised the HIPAA training requirement guidelines as being vague. This is because HIPAA applies to many different types of Covered Entity (CE) and Business Associate (BA), and therefore must be flexible enough to suit a variety of circumstances. It is clear from the rules that training employees in HIPAA compliance is mandatory. It is an Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308).
However, other than stipulating that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule), there are no specific HIPAA training requirements.
HIPAA Compliance and Training Requirements
One of the primary complaints made by covered entities about the vague training requirements is that they complicate HIPAA compliance. Certainly, if a breach of PHI were to occur, and a subsequent investigation found that no training had been provided, the CE or BA responsible could expect a substantial fine from the HHS' Office for Civil Rights.
To overcome the vagueness of the HIPAA training requirements, CEs and BAs are recommended to refer to the risk assessments that they have performed. The risk assessments should have defined the function of everyone who may have contact with PHI or ePHI and, from this data, it should be possible to compile a “necessary and appropriate” security awareness and training program for everyone's function or role.
Objectives of HIPAA Training
The content of the security awareness and training program will depend on the function or role of each individual employee, manager, volunteer, trainee or contractor who may have contact with PHI or ePHI. In many cases, it will be necessary to compile multiple security awareness and training programs to ensure the content is focused and relevant to the trainees in question. As a result, the training of employees in HIPAA compliance may be time-consuming for the employer, and expensive to run.
That said, it is often much better in the long-term for such small-group, focused training events to occur. The HIPAA Privacy and Security Rules are complex, and if all this information is presented in a six-hour training session, trainees will have too much information to absorb what is relevant to their function and the objectives of the HIPAA training will be unsuccessful.
Advice for HIPAA Compliance Training
With there being no specific HIPAA training requirements, we have put together a handful of best practices HIPAA compliance managers may want to consider when compiling “necessary and appropriate” security awareness and training programs. Our best practices for HIPAA compliance training are not set in stone and can be selected from at will.
- Do keep training short and focused. It is recommended that training sessions last no longer than forty minutes and are regular events rather than the annual refreshers mandated by the Department of Health and Human Services.
- Don’t waste time on the background to HIPAA. Employees do not need to know the history of HIPAA’s development and passage. Only discuss what they are supposed to do to protect PHI and ePHI in their specific roles.
- Do include the consequences of a HIPAA breach in the training – not just the financial implications for the CE or BA, but the implications for trainees and their colleagues, and – of course – the person(s) whose PHI has been exposed.
- Don’t quote passages of text out of the HIPAA guidebook. Use multimedia presentations to make the training memorable. HIPAA compliance training not only has to be absorbed, it must be understood and followed in day-to-day life.
- Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
- Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was administered, to whom, and how frequently.
More Information on HIPAA Training Requirements
The consequences of inadequate training can be substantial – not only in financial terms, but also in human terms. Yet many HIPAA breaches can be avoided with adequate HIPAA compliance training. The only HIPAA training requirements appear to be that there must be training, and in this respect it is important that Covered Entities and Business Associates tailor their training to be relevant to the operations of the business – seeking help where necessary to ensure their HIPAA compliance training covers each applicable area of HIPAA.