What are the HIPAA Training Requirements?
Because HIPAA applies to many different types of Covered Entities (CEs) and Business Associates (BAs), the HIPAA training requirements are best described as "flexible". Training itself is unquestionably mandatory: it is an Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530(b)) and an Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308(a)(5)).
However, beyond stating that training should be provided "as necessary and appropriate for the members of the workforce to carry out their functions" (Privacy Rule) and that CEs and BAs must "implement a security awareness and training program for all members of its workforce (including management)" (Security Rule), the regulations prescribe neither content nor frequency. The Security Rule does list four addressable implementation specifications for the program (security reminders, protection from malicious software, log-in monitoring, and password management), but how each is addressed is left to the organization.
Doesn’t This Make HIPAA Compliance Difficult?
Knowing that you have to conduct training, but not knowing what sort of training you have to provide, does complicate HIPAA compliance. Certainly, if a breach of PHI were to occur and a subsequent investigation found that no training had been provided, the CE or BA responsible could expect a significant financial penalty from the HHS' Office for Civil Rights (OCR).
To work within the flexibility of the HIPAA training requirements, CEs and BAs should refer back to their risk assessments. The risk assessments should already identify the function of each individual who may have contact with PHI or ePHI and, from that information, it should be possible to put together a "necessary and appropriate" security awareness and training program for each person's function or role.
Think About the Objectives of HIPAA Training
What should be included in the security awareness and training program will depend on the function or role of each individual staff member, manager, volunteer, trainee or contractor who may have contact with PHI or ePHI. In many cases it will be necessary to compile multiple security awareness and training programs so that the content of each is relevant to its trainees.
This may be time-consuming and resource-intensive, but for training to be worthwhile it has to be focused. If every element of the HIPAA Privacy and Security Rules is crammed into a single six-hour session, trainees will have too much information to absorb the relevance of HIPAA to their own roles, and the aims of the training will not be met.
How Often is HIPAA Training Necessary?
On the question of how often HIPAA training is necessary, the Privacy Rule and Security Rule both give guidance without mandating specific intervals. The Privacy Rule requires training for "each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce" and for each member "whose functions are affected by a material change in the policies or procedures", again within a reasonable period of time after the change takes effect.
The Security Rule calls for "periodic" security reminders. Many organizations interpret "periodically" as annually, which is not necessarily accurate or effective. HIPAA training should be provided whenever there is a change in working practices or technology, or whenever new regulations or guidance are issued by the Department of Health and Human Services (HHS). To determine whether HIPAA training is required, Privacy and Security Officers should:
- Review HHS and state publications for advance notice of rule changes. Ideally this means subscribing to the HHS/OCR mailing lists or news feeds rather than relying on ad hoc checks.
- When new rules or guidance are released, conduct a risk assessment to determine how they will affect the organization's operations and whether HIPAA training is necessary.
- Collaborate with HR and Practice Managers to receive advance notice of proposed changes in order to determine their effect on compliance with the HIPAA Privacy Rule.
- Liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
- Carry out ongoing risk assessments to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA breaches.
- Put together a training program that addresses how any amendments will affect employees' compliance with HIPAA, not merely what the changes are.
Where working practices or technology change, HIPAA training only needs to be conducted for employees whose roles are affected by the change. As noted in the "Best Practices" section below, it is also worth including at least one member of senior management in the sessions, even if they are not affected by the new policies or processes, because it signals that the whole organization takes its HIPAA training requirements seriously.
What Should a HIPAA Training Course Include?
Although every HIPAA training course should be tailored to the roles of the employees attending it, there are some core elements that should always be covered. The table below is an example of what a basic HIPAA training course should look like. Covered Entities may need to emphasize some areas more than others, but none of them should be omitted entirely.
Areas to Include in a HIPAA Training Course

| What is HIPAA? | HIPAA Privacy Rule | HIPAA Security Rule |
|---|---|---|
| Why HIPAA is Important | Disclosures of PHI | Safeguarding ePHI |
| HIPAA Definitions | Breach Notifications | Potential Violations |
| Patients' Rights | BA Agreements | Employee Sanctions |
Best HIPAA Compliance Training Practices
Because there are no exact HIPAA training requirements, we have put together a short list of best practices that HIPAA compliance managers may want to consider when creating "necessary and appropriate" security awareness and training programs. These best practices are not set in stone and can be adopted selectively.
- Do keep training short and to the point. We recommend that sessions last no longer than one hour and that training is an ongoing activity rather than only the "periodic" refresher the HIPAA Security Rule calls for.
- Do mention the consequences of a HIPAA breach in the training – not just the financial implications for the CE or BA, but the implications for trainees and their colleagues, and – of course – the person(s) whose PHI has been exposed.
- Don't just read out long passages of regulatory text. Use multimedia presentations to make the training memorable. HIPAA compliance training not only has to be absorbed; it has to be understood and adhered to in day-to-day work.
- Do ensure that senior management take part in the training. Even if senior managers do not work with PHI, it is vital that they are seen to be involved. Knowing that upper management takes the training seriously encourages everyone else to do the same.
- Don't forget to document your training. This is not optional: the Privacy Rule (45 CFR §164.530(b)(2)(ii) and (j)) requires a Covered Entity to document that training has been provided and to retain that documentation for six years. In the event of an OCR investigation or audit, you should be able to produce the content of the training as well as when it was delivered, to whom, and how often.
Discover More about the HIPAA Training Requirements
The consequences of poor training can be substantial, not only financially but also on a human level, yet many HIPAA breaches can be avoided with proper HIPAA compliance training. Although the only firm HIPAA training requirement appears to be that training must take place, you can find out more about what HIPAA compliance training should include by downloading our free HIPAA Compliance Guide.