How Regularly Should HIPAA Training Take Place?


Both the HIPAA Privacy Rule and the HIPAA Security Rule contain training provisions, but neither specifies how much HIPAA training is required or how often it should be scheduled, so the requirement remains somewhat vague.

The HIPAA Privacy Rule (45 CFR § 164.530(b)) states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and that training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The HIPAA Security Rule (45 CFR § 164.308(a)(5)) adds: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

As you can see, neither the Privacy Rule nor the Security Rule prescribes the content of training courses; the closest the text comes is the Security Rule's four addressable implementation specifications (security reminders, protection from malicious software, log-in monitoring, and password management). This is deliberate: it means the HIPAA text does not have to be continuously updated to address new technologies or new types of cyberattack.

Document All Employee Training

There have been many OCR enforcement actions in which covered entities and business associates could not produce documentation proving that they were complying with the requirements of the HIPAA Privacy and Security Rules. If documentation cannot be provided to prove that all members of the workforce have been trained, any accidental HIPAA violations by employees are likely to be viewed as training failures.

The HIPAA Privacy Rule states only that “A covered entity must document that the training as described [in the HIPAA Text] has been provided.” You should therefore keep a training log that records, for every member of the workforce, the employee’s name, the date training was provided, the type of training (Privacy Rule training or security awareness training), and the course that was completed, and retain it for the six-year documentation retention period the Privacy Rule requires (45 CFR § 164.530(j)).

Inadequate Training HIPAA Penalties

The financial sanctions for HIPAA training failures can be significant. Any violation of the HIPAA Rules can incur a civil monetary penalty of up to $1.5 million per violation category per calendar year (a cap that is adjusted annually for inflation), with the level of culpability taken into account when calculating the appropriate penalty. At the time of publication OCR has never imposed a penalty solely for training failures, but there have been enforcement actions in which the absence of Privacy Rule training or security awareness training was cited as a HIPAA violation that contributed to the financial sanction.

How Often Should HIPAA Training be Scheduled?

HIPAA training must be provided when an employee joins the organization: the Privacy Rule requires training for “each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” Further training is required for workforce members whose “functions are affected by a material change in the policies or procedures”, and it must be supplied “within a reasonable period of time after the material change becomes effective.”

It is also important to retrain the workforce on an ongoing basis to reinforce the initial HIPAA training and ensure that no part of compliance is forgotten. The timing is left to the discretion of each covered entity, the HIPAA text saying only that retraining should be “periodic.” That should be taken to mean at least every two years, but the sector best practice, which should be followed, is to provide refresher HIPAA training for the workforce once per year.
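The three triggers above (new hire, material policy change, periodic refresher) and the training-log fields described earlier can be turned into a simple compliance check that a privacy or security officer can run against the log before an audit. The following is an added example written for this page, not code from any HIPAA regulation or product; the 30-day onboarding and post-change grace periods and the 365-day refresher interval are assumed organisational choices standing in for HIPAA's “reasonable period” and “periodic” wording, and the workforce and log entries are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Organisational choices standing in for the "reasonable period" and "periodic"
# wording of the HIPAA text. These are assumptions for this example, not HIPAA figures.
ONBOARDING_GRACE = timedelta(days=30)     # new hire must be trained within 30 days
REFRESHER_INTERVAL = timedelta(days=365)  # annual refresher (sector best practice)
CHANGE_GRACE = timedelta(days=30)         # retrain within 30 days of a material policy change

TRAINING_TYPES = ("privacy", "security")  # Privacy Rule training, security awareness training


@dataclass
class TrainingRecord:
    """One line of the training log: when, which type, which course."""
    trained_on: date
    kind: str    # one of TRAINING_TYPES
    course: str


@dataclass
class Worker:
    name: str
    joined: date
    records: list = field(default_factory=list)


def gaps_for(worker, policy_changes, as_of):
    """Return the list of training gaps for one worker as of `as_of`.

    policy_changes maps a training type to the effective dates of material
    changes to the corresponding policies and procedures.
    """
    gaps = []
    for kind in TRAINING_TYPES:
        dates = sorted(r.trained_on for r in worker.records if r.kind == kind)
        if not dates:
            # No training on file: only a gap once the onboarding grace period has passed.
            if as_of - worker.joined > ONBOARDING_GRACE:
                gaps.append(f"{kind}: no training on file; joined {worker.joined}")
            continue
        last = dates[-1]
        if as_of - last > REFRESHER_INTERVAL:
            gaps.append(f"{kind}: refresher overdue (last trained {last})")
        for change in sorted(policy_changes.get(kind, [])):
            # A material change requires retraining within a reasonable period after it
            # becomes effective; flag it once that period has elapsed with no later training.
            if change + CHANGE_GRACE < as_of and last < change:
                gaps.append(f"{kind}: not retrained since policy change effective {change}")
    return gaps


def audit(workforce, policy_changes, as_of):
    """Map each non-compliant worker's name to their gaps; compliant workers are omitted."""
    result = {}
    for w in workforce:
        gaps = gaps_for(w, policy_changes, as_of)
        if gaps:
            result[w.name] = gaps
    return result


# Constructed sample data (not a real training log).
AS_OF = date(2024, 6, 30)
POLICY_CHANGES = {"privacy": [date(2024, 3, 1)]}  # e.g. a revised minimum-necessary procedure
WORKFORCE = [
    Worker("alice", date(2021, 2, 1), [
        TrainingRecord(date(2023, 7, 15), "privacy", "HIPAA Privacy Rule essentials"),
        TrainingRecord(date(2024, 1, 10), "security", "Phishing and malware awareness"),
    ]),
    Worker("bob", date(2024, 6, 15)),    # new hire, still inside the onboarding grace period
    Worker("carol", date(2022, 9, 1), [
        TrainingRecord(date(2024, 4, 2), "privacy", "HIPAA Privacy Rule essentials"),
        TrainingRecord(date(2023, 5, 20), "security", "Phishing and malware awareness"),
    ]),
    Worker("dave", date(2024, 4, 1)),    # joined 90 days ago, nothing logged
]

if __name__ == "__main__":
    for name, gaps in audit(WORKFORCE, POLICY_CHANGES, AS_OF).items():
        for g in gaps:
            print(f"{name}: {g}")
```

Run against the sample log, the check reports that alice has not been retrained since the March policy change, that carol's security awareness refresher is overdue, and that dave has nothing on file; bob is not listed because he is still inside the onboarding grace period. Treating the log as the source of truth in this way also makes the point of the documentation requirement concrete: a worker whose training is not in the log is, for audit purposes, untrained.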

The duration of HIPAA training courses is not referred to in the HIPAA text. Training sessions do not need to cover every aspect of the HIPAA Rules; they need to cover the points that allow individuals to work in a HIPAA-compliant way. A session of 40 minutes to one hour is adequate, provided all the appropriate points are covered.

How Often Should Security Awareness Training be Conducted in Healthcare?

Security awareness training must likewise be provided within a reasonable period of time after a person joins the covered entity’s workforce, and then on an ongoing basis. For security awareness training an annual session is no longer regarded as adequate, given the volume of phishing and other malicious email that employees now receive.

Best practice is to provide ongoing security awareness training so that employees understand basic cyber hygiene and are kept informed of the current threats they are likely to encounter when using the web and email. Training is most effective when delivered frequently in small parts that fit employee workflows: for example, a formal session twice a year, supplemented by ongoing security reminders such as monthly or quarterly cybersecurity newsletters.

Security awareness training must cover the threats employees are most likely to encounter, in particular malware and phishing campaigns. Staff must be trained to recognise phishing emails, given the extent to which healthcare staff are targeted by phishing and the large number of phishing-related data breaches now being reported.