Although Title II of the Health Insurance Portability and Accountability Act (HIPAA) stipulates HIPAA training is mandatory “for all members of the workforce”, the text of the Act provides few details about specific training requirements.
The reason the Act is limited with regards to specific HIPAA training requirements is because HIPAA applies to many different types of Covered Entities. Each Covered Entity is required under 45 CFR § 164.530 to implement policies and procedures “taking into account the size and the type of activities that relate to protected health information undertaken by a Covered Entity”. The clause also requires Covered Entities to train all members of its workforce on the policies and procedures.
Consequently, a healthcare insurer will have different policies and procedures than a healthcare provider, and the training provided to an employee of a healthcare insurer would be different than the training provided to an employee of a healthcare provider. It may also be the case the nature of the training varies according to the function of the employee. This is because training must be tailored “for the members of the workforce to carry out their functions within the Covered Entity”.
Nonetheless, while specific elements of HIPAA that members of the workforce need to be trained on will be determined by a risk assessment, there are some elements of HIPAA that all members of the workforce must be trained on. These are included in the Administrative Safeguards of the HIPAA Security Rule (45 CFR § 164.308) which state “a Covered Entity must implement a security awareness and training program for all members of its workforce (including management)”.
HIPAA Compliance and Training Requirements
The provision of training to employees of Covered Entities is a requirement of HIPAA and therefore training must be provided in order for a Covered Entity to be in compliance with HIPAA. Should a violation of HIPAA occur due to the failure of an employee to comply with a HIPAA policy or procedure, and it is found the employee was not adequately trained on the Covered Entity´s policies and procedures, the Covered Entity can be fined by the HHS´ Office for Civil Rights (OCR).
Employees of Business Associates who will encounter Protected Health Information (PHI) or electronic Protected Health Information (ePHI) in the course of providing a service for a Covered Entity should also be trained on HIPAA compliant policies and procedures. Although the training of Business Associates´ employees is not a requirement of HIPAA, Business Associates can also be fined for avoidable violations of HIPAA and unauthorized disclosures of PHI and ePHI.
Objectives of HIPAA Training
The objectives of HIPAA training should go beyond “ticking a checkbox”. Employees should understand the rules relating to (for example) patients´ rights, allowable uses of PHI/ePHI, and data security in order to support the Covered Entity´s operations. If a Covered Entity is subject to multiple complaints from patients, OCR investigations, and IT security events, it is not going to be able to operate efficiently – notwithstanding the resources required to resolve these issues.
Consequently, the objectives of HIPAA training should be to empower employees to perform their functions as efficiently as possible in compliance with the Covered Entity´s policies and procedures. Not only will achieving this objective result in less likelihood of HIPAA violations, but it should also increase employee awareness of patient well-being, which will contribute to a culture of patient safety and a greater satisfaction score from patients and their families.
HIPAA Employee Training Requirements
The HIPAA employee training requirements are mentioned three times in the text of HIPAA. The first two – training members of the workforce on policies and procedures and implementing a security awareness and training program – have already been mentioned. The third HIPAA employee training requirement concerns when “functions are affected by a material change in policies or procedures” – a standard in the Administrative Requirements of the HIPAA Privacy Rule (45 CFR § 164.530).
The Department of Health and Human Services (HHS) has issued guidance on what constitutes a “material change” – suggesting that periodic retraining should be given whenever environmental or operational changes occur. According to the HHS, this can include new or updated policies, new or upgraded software or hardware, new security technology, or changes to procedures that could impact how PHI is managed – such as CMS´ changes to the Promoting Interoperability program.
HIPAA Training for Healthcare Workers
HIPAA training for healthcare workers will naturally need to be more comprehensive than HIPAA training for other employees. Healthcare workers have more contact with patients and their families, create and collect PHI/ePHI more frequently than other employees, and use PHI/ePHI constantly throughout the working day. Consequently, there will be many more scenarios in which inadvertent and unauthorized disclosures of PHI/ePHI can occur.
There will also likely be more occasions when material changes to environments and operations occur. Therefore, it is important Covered Entities schedule frequent HIPAA training to keep healthcare workers advised of the most recent changes or – if no relevant material changes have occurred since training was last provided – to provide refresher training on one or more element of HIPAA from the list of “HIPAA Training Modules to Consider” provided later in this article.
HIPAA Training for Employees Other than Healthcare Workers
While HIPAA training for employees other than healthcare workers does not need to be as comprehensive as HIPAA training for healthcare workers, it has to be provided in the context of employees´ functions. Furthermore, it may be necessary to train employees who would not ordinarily encounter PHI in their usual functions (i.e., cleaning and maintenance teams), just in case they do encounter PHI that has inadvertently been left unsecured.
Consequently, HIPAA training for employees other than healthcare employees needs to cover elements of HIPAA such as “HIPAA Disclosure Rules” and “Preventing HIPAA Violations” Employees need to be aware of who their “HIPAA Officer” is so they can report inadvertent and unauthorized disclosures of PHI, while HIPAA training for employees that have access to PHI databases needs to focus more on “Computer Safety Rules” and “Cybersecurity Dangers for Healthcare Employees”.
HIPAA Training Modules to Consider
Because there is no “one-size-fits-all” program to fulfill the HIPAA training requirements, training is best done from a selection of mix and match training modules. We have suggested some HIPAA training modules below – most of which will suit most training requirements. These have categorized into “basic” and “advanced”, with additional modules included for student training.
Suggested Basic HIPAA Training Modules
The suggested basic HIPAA training modules contain areas of HIPAA that will be common to all roles. A selection of these modules could be used as a foundation course for new employees – provided they are supplemented with role-relevant HIPAA training – or as refresher training.
An overview of HIPAA is an ideal way to start any HIPAA training session as it ensures employees have an understanding of the Act, its purpose, what its objectives are, and who it applies to in the context of preventing unauthorized access to PHI.
HIPAA Definition and Lexicon
The text of HIPAA uses terminology that many employees may be unfamiliar with. This may result in policies and procedures being misinterpreted. Therefore, before further HIPAA training is undertaken, it is a good idea to explain some of the more common terms used in HIPAA.
The HITECH Act
The HITECH Act drove the adoption of technology in the healthcare industry via the Meaningful Use initiative program, which subsequently evolved into the Promoting Interoperability program. This could be a useful module for employees working in IT or with frequent access to IT systems.
The Main HIPAA Regulatory Rules
There are five main HIPAA regulatory rules, and although most employees will not need to have an understanding of the Enforcement Rule and Breach Notification Rule, it is important they are familiar with the content of the HIPAA Omnibus Final Rule, the Privacy Rule, and the Security Rule.
HIPAA Omnibus Final Rule
The HIPAA Omnibus Final Rule implemented provisions of the HITECH Act to strengthen existing privacy and security protections. It also extended the reach of HIPAA to include business associates and subcontractors with whom PHI is shared.
HIPAA Privacy Rule Basics
The Privacy Rule defines PHI and the measures Covered Entities need to take in order to protect it from loss, theft, and unauthorized disclosure. It is especially important healthcare workers are aware of Privacy Rule basics such as patients´ rights and the Minimum Necessary Standard.
HIPAA Security Rule Basics
The technical, administrative, and physical safeguards of the Security Rule will likely impact every employee´s day-to-day routines and this module of HIPAA training should be used as an introduction to more advanced modules in the suggested advanced HIPAA training modules.
HIPAA Patient Rights
Although patients´ rights are covered in the Privacy Rule module, it may be necessary for healthcare workers and administrators to undergo specific training on providing patients with Privacy Notices, handling patient requests for access to PHI, and obtaining consent from patients.
HIPAA Disclosure Rules
The HIPAA disclosure rules apply to all employees regardless of the function they perform. Ideally, this module should be provided alongside the Privacy and Security Rule modules to enforce employee understanding of allowable disclosures and the Minimum Necessary Standard.
HIPAA Violation Consequences
HIPAA violations can have consequences for patients, organizations, and employees. To make this module more relevant for trainees, this is a good opportunity to introduce and explain the organization´s sanction policy and how employees may be impacted by violations of HIPAA.
Preventing HIPAA Violations
As part of a basic HIPAA training course or refresher course, this module should be used as an overview of compliance best practices. Ideally, the module on preventing HIPAA violations should be tailored to be relevant to different groups of employees and their functions.
Being a HIPAA Compliant Employee
Training on being a HIPAA compliant employee can be used in a foundation or refresher course. It can include general do´s and don´ts, focus on specific roles, or explain the procedures for reporting HIPAA violations or when encountering PHI that has inadvertently been left unsecured.
Suggested Advanced HIPAA Training Modules
The basic HIPAA training models provides employees with the fundamentals of HIPAA, but more advanced training is often necessary. The following suggested advanced HIPAA training modules should be used whenever “functions are affected by a material change”.
This module can help employees better understand the objectives of HIPAA by providing a timeline of HIPAA and the main HIPAA regulatory rules. This module should be updated at least annually to reflect changes to HIPAA, the Promoting Interoperability program, and emerging compliance challenges.
Threats to Patient Data
This advanced module should expand on both the online threats to patient data and the physical threats to authorized disclosures. Physical threats can include leaving mobile devices unattended, failing to safeguard hard copies of patient data, and positioning workstation screens in public view.
Computer Safety Rules
Regardless of HIPAA, Covered Entities and Business Associates will likely have policies in place to govern how computers should be used safely. Employees need to be made aware of these policies to mitigate the threats of malware, ransomware, and phishing.
HIPAA and Social Media
Healthcare professionals have to be particularly careful about what they share on social media platforms because it is very easy to disclose PHI unintentionally. Consequently, employees should be trained on how best practices for managing social media accounts safely.
HIPAA and Emergency Situations
During emergency situations, disclosures of PHI beyond what is normally allowed under HIPAA may be permitted for public health reasons. It may also be the case OCR waives certain elements of HIPAA in order to remove obstacles to the flow of healthcare information during these events.
HIPAA Officers are the individuals responsible for HIPAA compliance within a Covered Entity´s workforce. Therefore, it is a good idea to explain the HIPAA Officer´s roles and have a HIPAA Officer present at the time so employees can put a face to a name.
HIPAA Compliance Checklist
Although this module would be most relevant to HIPAA Officers and IT managers, a HIPAA compliance checklist can also be used towards the end of a HIPAA Training course to measure how well employees have understood and absorbed the information.
Recent HIPAA Updates
HIPAA is constantly evolving, and it is important employees are made aware of recent HIPAA updates and other events that materially change the way in which PHI is managed to ensure ongoing compliance. It is especially important this module is included in refresher training.
Texas Medical Privacy Act and HB 300
The Texas Medical Privacy Act and HB 300 applies to all organizations that create, use, maintain, or transmit the health information of Texas residents – regardless of where the organization is located. Therefore, this advanced HIPAA training module may apply to Covered Entities outside of Texas.
Cybersecurity Dangers for Healthcare Employees
Healthcare data is highly valued by cybercriminals, and it is vital healthcare employees are aware of cybersecurity dangers and best practices for mitigating the risk of a data breach. Topics covered in this module should be tailored to match employees´ access to IT systems and workstations.
How to Protect PHI from Cyber Threats
This module can be used to educate employees on the dangers of password sharing to encourage good password best practices. The module should also address the threat from phishing, and how it can be mitigated using multi-factor authentication, access controls, and network monitoring.
Suggested HIPAA Training for Healthcare Students
Healthcare students should be provided with HIPAA training before they start working with patients and accessing EHRs. Because it is not always known during their education which functions they will perform once they have graduated, our suggested HIPAA Training for healthcare students should include modules from both the basic and advanced HIPAA training courses – plus additional modules specifically designed to be relevant to a student population. For example:
- HIPAA Timeline
- HIPAA Overview
- Definitions and Lexicon
- The HITECH Act
- The Main HIPAA Regulatory Rules
- HIPAA Omnibus Final Rule
- HIPAA Privacy Rule
- HIPAA Security Rule
- Patients´ Rights
- PHI Disclosure Guidelines
- HIPAA and Social Media
- Threats to Patient Data
- Computer Safety Rules
- HIPAA Violation Consequences
- Preventing HIPAA Violations
- HIPAA in an Emergency
- The HIPAA Officer
- Recent HIPAA Updates
Electronic Health Record Access by Healthcare Students
During training, students are often permitted to access EHRs under supervision. This module should explain what students can and cannot do with the PHI they have access to.
PHI & Student Reports and Projects
Students need to be aware that, when writing reports, giving presentations, or preparing case studies, they are unable to use PHI unless the subject of the PHI has given informed consent.
Being a HIPAA Compliant Student
It is important students understand the Covered Entities policies and procedures apply to them in the same way as if they were already healthcare professionals.
Advice for HIPAA Compliance Training
To help HIPAA compliance officers further with their HIPAA training and security awareness courses, we have listed some best practices to consider when compiling “necessary and appropriate” training programs. Our best practices for HIPAA compliance training are not mandatory but should help.
- Do keep training short and focused. It is recommended that training sessions last no longer than forty minutes and are regular events rather than the annual refresher sessions that are recommended by the Department of Health and Human Services.
- Don’t dwell for too long on the background to HIPAA. Employees may need to know the history of HIPAA’s development and passage, but it is more important they understand their role in protecting PHI and ePHI.
- Do include the consequences of a HIPAA breach in the training – not just the financial implications, but the implications for other employees, other operations, and – of course – the person(s) whose privacy may be violated.
- Don’t quote passages of text from HIPAA. Use multimedia presentations to make the training memorable and relevant. HIPAA compliance training not only has to be absorbed, but it must also be understood and followed in day-to-day roles.
- Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing training is being taken seriously at the top will encourage others to take it seriously.
- Don’t forget to document HIPAA training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was administered, to whom it was provided, and how frequently.
More Information on HIPAA Training
The consequences of inadequate training can be substantial – not only in financial terms, but also in human terms. Many HIPAA breaches can be avoided with adequate HIPAA compliance training. The only HIPAA training requirements are that there must be training, but it is important that Covered Entities and Business Associates tailor their training to be relevant to the operations of their business – seeking help where necessary to ensure their HIPAA compliance training covers each applicable area of HIPAA.
When should initial HIPAA training be provided to new employees?
This depends on what HIPAA training the employee has had prior to being hired. If they have had none, initial HIPAA training should take place before they have access to PHI. If the employee is familiar with HIPAA, you should aim to provide training on your policies and procedures in the first few days or weeks after the new employee joins the organization.
How much detail should be provided in HIPAA training sessions?
HIPAA training is not about ensuring employees have an encyclopedic knowledge of the HIPAA regulations, but employees must be able to identify PHI, be aware of the allowable uses and disclosures, understand the minimum necessary rule, patient rights, and the consequences of HIPAA violations. Therefore, as much detail as necessary for the employee to perform their functions in compliance with HIPAA.
What should HIPAA security awareness training involve?
The purpose of security awareness training is to teach employees security best practices and eliminate risky behaviors that could place PHI at risk. Training sessions should explain the most common threats, teach employees how to recognize phishing emails, how to access PHI securely, set strong passwords, and the safe use of computers, hardware, software, and the Internet.
Is it permissible to only provide computer-based HIPAA training?
HIPAA does not state how training should be provided, only that employees must be trained on HIPAA and receive security awareness training. Computer-based training is a good choice. It is easy to administer, track employees’ progress, and document that training has been provided. Computer-based HIPAA training can also be completed at employees’ workstations and is easy to fit into their workflows.
Can fines be imposed for inadequate HIPAA training?
In 2020, the HHS’ Office for Civil Rights fined two healthcare providers for multiple HIPAA violations including the failure to provide training for employees. One fine of $1.5 million was imposed on a provider that had not provided any HIPAA Privacy Rule training and a fine of $25,000 was imposed on another that had not provided any security awareness training.
What is HIPAA training?
HIPAA training is the instruction of employees, contractors, and other third-party personnel (i.e., volunteers) with regards to the policies and procedures put in place by a Covered Entity to be HIPAA compliant. Because each Covered Entity develops their own policies and procedures, there is no “one-size-fits-all” HIPAA training.
How often do you need HIPAA training?
After initial training, further HIPAA training should be provided whenever there is a material change in policies or procedures that affects employees´ functions, or when a need for further training is identified in a risk analysis. There is no set period for when HIPAA training should be provided.
Is HIPAA training required annually?
The is no legal requirement to provide or attend HIPAA training annually. However, if a need for annual training is identified in a risk analysis, the Covered Entity will need to provide the training and document why annual training is considered necessary.
Is HIPAA training required by law?
Yes, the HIPAA training requirements are codified under 45 CFR § 164.308 and 45 CFR § 164.530. If a violation of HIPAA occurs due to a lack of training, the Covered Entity can be issued with a significant fine depending on the scale of the violation and the degree of culpability.