Many covered entities have criticized the HIPAA training requirements as being very light on detail, and unclear as to exactly what training must be provided to employees.
There are, of course, reasons for this. HIPAA applies to many different types of Covered Entity (CE) and Business Associate (BA), and therefore the legislation must be flexible enough to apply to each and to different employee roles within each CE and BA. The lack of specifics also helps to keep the legislation timeless, so frequent updates are not required when best practices change.
What is clear from the HIPAA text is that HIPAA compliance is mandatory and so is training. HIPAA training is an Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308).
Other than stipulating that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule), that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule), and that further training is required when “functions are affected by a material change in policies or procedures,” training is not mentioned in the HIPAA Rules.
HIPAA Compliance and Training Requirements
This lack of specificity can make HIPAA compliance complicated. Each CE and BA is responsible for developing and implementing a training course, and the penalties for getting things wrong can be considerable. If a data breach were to occur, or a complaint is filed against a covered entity by a patient, the HHS’ Office for Civil Rights may launch an investigation and training may come under scrutiny. The CE or BA could face a substantial fine if training is not found to have been sufficient.
To overcome the vagueness of the HIPAA training requirements, CEs and BAs are recommended to refer to the risk assessments they have performed. The risk assessments should have defined the function of everyone who may have contact with PHI or ePHI and, from this information, it should be possible to compile a “necessary and appropriate” HIPAA training and security awareness training program to suit everyone’s function or role.
Objectives of HIPAA Training
The main objectives of HIPAA training are to ensure that every employee knows enough about HIPAA to be able to perform their roles and responsibilities in a HIPAA-compliant way and for all employees to be made aware of security risks and how to avoid them.
The content of the HIPAA training and security awareness training program will depend on the functions or role of each individual employee, manager, volunteer, trainee, or contractor who may have contact with PHI or ePHI.
Training courses can be developed that cover the essential elements of HIPAA to meet the requirements of the HIPAA Privacy and Security Rules, with further training modules developed for specific individuals, functions, and roles.
This can take a considerable amount of time, money, and resources, and while expensive it is important for compliance. The time taken to develop a HIPAA training course for all employees will help to ensure HIPAA violations are avoided. Many CEs and BAs choose a shortcut and use a third-party training course on HIPAA compliance and security awareness and then tailor that course to suit their needs.
Whether developing a HIPAA training course from scratch or choosing a third-party HIPAA training course, you should consider that there is a lot of information to take on board, so training should be split into relatively short sessions. If all the training is provided in a single six-hour session, trainees will have too much information to absorb. That means employees will likely get bored, will not remember important parts of the training, and you will be unlikely to achieve the objectives of HIPAA training. It is far better to provide employees with short training sessions to ensure they remain attentive and retain the new information they have been given.
HIPAA Training for Healthcare Workers
To meet the requirements of the HIPAA Privacy and Security Rules, CEs and BAs need to provide initial HIPAA training for healthcare workers and explain all appropriate aspects of the HIPAA Rules, the reasons why those Rules exist, and how those Rules apply to the role of the employee. The initial HIPAA training for healthcare workers should cover the situations the employee is likely to encounter and the employee should be told who to speak to if they have any questions about compliance.
Refresher HIPAA training for healthcare workers must also be provided. The refresher course will not need to be as comprehensive as the initial training course, as the aim is to remind employees of the need for compliance rather than to retrain them from scratch. A separate training course is therefore recommended. Providing regular refresher HIPAA training sessions can greatly reduce the chance of accidental HIPAA violations.
Security awareness training must also be provided regularly, in addition to when an employee commences employment. These training sessions should cover new threats to patient data and reinforce training on how to identify threats such as phishing and cybersecurity best practices. While HIPAA training for healthcare workers should be provided annually at least, consider more frequent security awareness training sessions. Threats are likely to be encountered frequently and their form often changes. Regular training will help employees recognize these threats and act appropriately.
HIPAA Training Modules to Consider
Creating a training course from scratch can be difficult. To help get you on the right path, consider the following topics for your training course, and pick and choose the elements that are most appropriate for each employee. For example, providing an overview of HIPAA and why it was introduced can help to convey why the legislation is important, but it is perhaps not necessary to go through this again in a HIPAA refresher training course.
Core Training Modules
- HIPAA Overview
- HIPAA Omnibus Final Rule
- HIPAA Disclosure Rules
- HIPAA Definitions & Lexicon
- HIPAA Privacy Rule Basics
- HIPAA Violation Consequences
- The HITECH Act
- HIPAA Security Rule Basics
- Preventing HIPAA Violations
- Main HIPAA Regulatory Rules
- Patient Rights
- Being a HIPAA Compliant Employee
Additional Training Modules
- HIPAA Timeline
- HIPAA and Emergency Situations
- Threats to Patient Data
- The HIPAA Officer
- Computer Safety Rules
- HIPAA Compliance Checklist
- HIPAA and Social Media
- Recent HIPAA Updates
Security Awareness Training Modules
- Importance of Security Awareness
- Unauthorized Hardware, Software and Apps
- How to Identify and Avoid Phishing Emails
- Password Security
- Main Cybersecurity Threats
- Insider Threats
- Internet Security
- Personal Devices and Removable Media
- Physical Security
- Protecting PHI from Cyber Threats
- Risks of Public Wi-Fi Networks
- Secure File Sharing
Advice for HIPAA Compliance Training
To help HIPAA compliance officers further with their HIPAA training and security awareness courses, we have listed some best practices to consider when compiling “necessary and appropriate” training programs. Our best practices for HIPAA compliance training are not mandatory but should help.
- Do keep training short and focused. It is recommended that training sessions last no longer than forty minutes and are regular events rather than the annual refresher sessions that are recommended by the Department of Health and Human Services.
- Don’t waste time on the background to HIPAA. Employees do not need to know the history of HIPAA’s development and passage. Only discuss what they are supposed to do to protect PHI and ePHI in their specific roles.
- Do include the consequences of a HIPAA breach in the training – not just the financial implications for the CE or BA, but the implications for trainees and their colleagues, and – of course – the person(s) whose privacy may be violated.
- Don’t quote passages of text from HIPAA. Use multimedia presentations to make the training memorable and relevant. HIPAA compliance training not only has to be absorbed, but it must also be understood and followed in day-to-day life.
- Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
- Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was administered, to whom it was provided, and how frequently.
More Information on HIPAA Training Requirements
The consequences of inadequate training can be substantial – not only in financial terms, but also in human terms. Many HIPAA breaches can be avoided with adequate HIPAA compliance training. The only HIPAA training requirements are that there must be training, but it is important that Covered Entities and Business Associates tailor their training to be relevant to the operations of their business – seeking help where necessary to ensure their HIPAA compliance training covers each applicable area of HIPAA.
When should initial HIPAA training be provided to new hires?
You should provide HIPAA training to new hires as soon as possible and should be guided by the results of your risk analysis. The greater the risk to PHI, the more quickly HIPAA training should be provided. You should aim to provide training in the first few days or weeks after a new employee joins the company.
How much detail should be provided in HIPAA training sessions?
HIPAA training is not about ensuring employees have an encyclopedic knowledge of the HIPAA regulations. Training should provide a broad overview of HIPAA and its importance and cover the aspects of regulations that are appropriate to employees’ work duties. Employees must be able to identify PHI, be aware of the allowable uses and disclosures, understand the minimum necessary rule, patient rights, and the consequences of HIPAA violations.
What should HIPAA security awareness training involve?
The purpose of security awareness training is to teach employees security best practices and eliminate risky behaviors that could place PHI at risk. Training sessions should explain the most common threats and teach employees how to recognize phishing emails, how to access PHI securely, how to set strong passwords, and how to use computers, hardware, software, and the Internet safely.
Is it permissible to only provide computer-based HIPAA training?
HIPAA does not state how training should be provided, only that employees must be trained on HIPAA and receive security awareness training. Computer-based training is a good choice. It is easy to administer, track employees’ progress, and document that training has been provided. Computer-based HIPAA training can also be completed at employees’ workstations and is easy to fit into their workflows.
Can fines be imposed for inadequate HIPAA training?
In 2020, the HHS’ Office for Civil Rights fined two healthcare providers for multiple HIPAA violations including the failure to provide training for employees. One fine of $1.5 million was imposed on a provider that had not provided any HIPAA Privacy Rule training and a fine of $25,000 was imposed on another that had not provided any security awareness training.