In order to be compliant with the Health Insurance and Portability Act (HIPAA), Covered Entities (CEs) must provide HIPAA compliance training. This requirement is codified under 45 CFR § 164.530 (the Privacy Rule Administrative Requirements) which states:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
In addition, CEs and Business Associates (BAs) must “implement a security awareness and training program for all members of its workforce including management” under 45 CFR § 164.308 (the Security Rule Administrative Safeguards).
These requirements can be fulfilled with a well-designed HIPAA training course that is sufficiently flexible to be relevant to each member of the workforce. Furthermore, frequent refresher training can help mitigate human error – one of the foremost threats to the security of patient data.
However, despite the clear need to provide HIPAA training “to each new member of the workforce” and when “functions are affected by a material change in policies or procedures”, the guidelines provided by HIPAA are limited.
How can you be compliant without adequate information?
The lack of information in the HIPAA text leads to frustration amongst many CEs and BAs. How can they ensure employees are being HIPAA compliant if there are few instructions on how to comply? Though annoying, there is a deliberate purpose for this. Developments in technology are so rapid it is likely that instructions on security practices will become outdated quickly.
Additionally, the Office for Civil Rights – part of the Department of Health and Human Services – does not offer a training course. Instead, it instructs each CE and BA to train employees on their HIPAA policies and procedures. Should any CE or BA fail to comply, the HHS can impose penalties for non-compliance even if no data breach occurs as a result of non-compliance.
To decide what the “necessary” amount of training should be, it is advisable for CEs and BAs to conduct risk assessments and audits of compliance policies throughout the year. These will help establish the role of each employee, how they interact with patient data, and to what extent training should be provided to mitigate threats to patient data.
A one-size-fits-all HIPAA Training program covering every policy and procedure is impractical because it will be too long and parts of it irrelevant to many. Instead, it is best to organize different courses and get staff to complete training modules throughout the year. A modular training course will also allow training to be tailored for each employee and their role within the organization.
Training and HIPAA Compliance: Top Tips
Here, we outline some of our top training tips designed to maximize knowledge retention, minimize cost and give the best likelihood of HIPAA compliance.
|Keep training sessions short and sweet. Your employees will thank you for it. Additionally, shorter sessions will improve retention of information.||Include an excess of information – Do employees in accounts really need an in-depth history of privacy regulation in the US?|
|Provide regular training throughout the year. This will help keep employees up-to-date, as well as keep HIPAA at the forefront of their minds.||Crowd too many different topics into one session. Focus each training class on one or two aspects of HIPAA.|
|Tailor training courses for different employee roles. Healthcare professionals do not need the same training as actuaries.||Forget to ensure BAs are training their workforces. CEs may be liable if vendors are discovered to be noncompliant.|
|Seek help. There is no need to reinvent the wheel. Many companies offer HIPAA training courses that can be tailored to meet the needs of a healthcare organization or vendor.||Forget to assess the effectiveness of training to ensure that knowledge has been retained by employees.|
HIPAA Training for Employees
To meet the requirements for HIPAA training for employees referenced in both the HIPAA Privacy and Security Rules, training must be provided on HIPAA policies and cybersecurity. HIPAA training must be provided promptly when an employee joints the company or organization – ideally as part of the onboarding process or within days or weeks of commencing employment. An example of the elements that should be included in initial training are outlined in the next section.
In addition to initial HIPAA training, training must also be provided following any material change in policies or procedures, such as when HIPAA Rules are updated, changes are made to working practices, or new IT systems are introduced. In addition to initial training, HIPAA refresher training should be provided “periodically.” The best practice is to provide refresher training annually to ensure the requirements of HIPAA are not forgotten and to reduce the risk of HIPAA violations and privacy breaches.
HIPAA training for employees must include security awareness training, which should be provided soon after an employee joins the company and periodically thereafter. Healthcare employees must be taught good cyber hygiene, and be informed about threats to patient data and how to avoid them. It is especially important to train employees how to recognize phishing emails and other email threats and instructed what to do if a suspicious email is encountered. For Security Rule compliance, refresher training should be provided annually, although more frequent, shorter training sessions every quarter or 6 months will help to reduce the risk of data breaches.
Try to break up HIPAA training for employees into smaller chunks to improve knowledge retention. It is also wise to split security awareness and HIPAA training into separate sessions.
HIPAA Compliance – Sample Training Curriculum
To help Covered Entities with the task of designing a training curriculum, we have provided a sample set of HIPAA Compliance Training modules below. These can form the basis of a wide range of training courses and be tailored as needed for different employee roles.
Basic and Refresher HIPAA Training Modules
The first sample set of HIPAA training modules consist of modules that containing information appropriate to most roles. A selection could be provided to new employees as initial HIPAA training provided they are accompanied by modules tailored to their specific functions.
An overview of HIPAA is a good start to any HIPAA training course as it provides trainees with an explanation of what HIPAA is and why it is important.
HIPAA Definition and Lexicon
Many CEs and Bas will likely use terms in their policies and procedures that copy the language of HIPAA. Therefore, it may be beneficial to explain what certain terms mean.
The HITECH Act
It is important for trainees to understand that HIPAA Is always evolving, and the inclusion of a module relating to the HITECH Act can reinforce that understanding.
The Main HIPAA Regulatory Rules
The main HIPAA regulatory rules will be the basis of most CEs and BAs´ HIPAA Policies and procedures, and a grounding in these rules can support compliance.
HIPAA Omnibus Final Rule
The HIPAA Omnibus Final Rule enacted many of the provisions of the HITECH Act and also extended the reach of HIPAA to Bas and subcontractors.
HIPAA Privacy Rule
It will be important for all employees – but particularly patient-facing employees to understand the provisions of the HIPAA Privacy Rule.
HIPAA Security Rule
Any employee who uses technology in their roles will need to understand how the administrative, physical, and technical safeguards of the Security Rule apply in their day-to-day activities.
HIPAA Patient Rights
Although patients´ rights are covered in the Privacy Rule module, it may be necessary for patient-facing employees to have further training on patient rights.
HIPAA Disclosure Rules
The HIPAA disclosure rules apply to all employees regardless of the function they perform, and all should be aware of allowable disclosures and the Minimum Necessary Standard.
HIPAA Violation Consequences
Violations of HIPAA can have consequences for patients, employers, and individuals who violate HIPAA. It is important for trainees to be aware what these consequences are.
Preventing HIPAA Violations
While the module on HIPAA Violation Consequences will be valuable to all trainees, this module should be tailored to preventing HIPAA violations in specific roles.
Being a HIPAA Compliant Employee
Training on being a HIPAA compliant employee can include general do´s and don´ts, focus on specific roles, or explain the procedures for reporting HIPAA violations.
HIPAA Training Modules for Beyond Basic Training
The basic and refresher HIPAA training models provide trainees with the fundamentals of HIPAA, but more advanced HIPAA training is often necessary. The following HIPAA training modules go beyond basic training and are appropriate for whenever “functions are affected by a material change”.
This module is suitable for updating annually to reflect changes to the HIPAA Rules, the Promoting Interoperability program, and emerging compliance challenges.
Threats to Patient Data
Like HIPAA, threats to patient data are also constantly evolving. This module can be used to explain new technologies or reinforce advice about mobile device and workstation security.
Computer Safety Rules
A module on computer safety rules will satisfy the requirement to provide security awareness and training and should cover issues such as malware, ransomware, and phishing.
HIPAA and Social Media
CEs´ workforces have to be particularly conscious of what they share on social media as a post that seems innocuous could be an unauthorized disclosure of PHI.
HIPAA and Emergency Situations
There are scenarios in which it is okay to disclosure PHI beyond what would normally be permitted by a HIPAA Policy. Employees need to be aware what these scenarios are.
Every CE and BA is required to appoint a HIPAA Privacy Officer and HIPAA Security Officer. Trainees should know who these people are and what their roles consist of.
HIPAA Compliance Checklist
A HIPAA compliance checklist is a good way to determine which trainees have absorbed the HIPAA Training provided to them, and which trainees require further HIPAA Training.
Recent HIPAA Updates
Although the HIPAA Timeline module can be used to reflect changes to the HIPAA Rules, more wide-reaching updates should be included in a more comprehensive module.
Texas Medical Privacy Act and HB 300
The reach of the Texas Medical privacy Act extends beyond the boundaries of Texas and it may be appropriate for CEs around the country to be aware of its regulations.
Cybersecurity Dangers for Healthcare Employees
Healthcare data is highly valued by cybercriminals, and it is vital the CEs´ and BAs´ workforces are aware of best practices for mitigating the risk of a data breach.
How to Protect PHI from Cyber Threats
Rather than focus on individual best practices to mitigate the risk of a data breach, this module focuses on preventative technologies such as password managers, 2FA, and access controls.
HIPAA Training for Healthcare Students
HIPAA training should be provided to students before they start encountering PHI in real life scenarios. The modules presented to students may be more general compared to those presented to healthcare workers and administrators. Nonetheless they should include a selection from the above basic, refresher, and advanced modules. For example:
- HIPAA Timeline
- HIPAA Overview
- Definitions and Lexicon
- The HITECH Act
- The Main HIPAA Regulatory Rules
- HIPAA Omnibus Final Rule
- HIPAA Privacy Rule
- HIPAA Security Rule
- Patients´ Rights
- PHI Disclosure Guidelines
- HIPAA and Social Media
- Threats to Patient Data
- Computer Safety Rules
- HIPAA Violation Consequences
- Preventing HIPAA Violations
- HIPAA in an Emergency
- The HIPAA Officer
- Recent HIPAA Updates
Electronic Health Record Access by Healthcare Students
In addition to the above modules, students should receive HIPAA training on allowable disclosures of PHI when they are first provided with access to EHRs – even supervised access.
PHI & Student Reports and Projects
Students also need to be aware that the use of any PHI used in reports, projects, and presentations requires the authorization of the subject of the PHI unless it is deidentified.
Being a HIPAA Compliant Student
It is important students understand Covered Entities´ policies and procedures, and that they apply to them in the same way as if they were already healthcare professionals.
HIPAA Training – Conclusion
HIPAA has far-reaching consequences within the healthcare industry, governing how employees in hospitals, insurance companies, and other healthcare entities interact with patient data. However, employees that mishandle data can leave employers at risk of fraud and patients at risk of identity theft. It is imperative, then, that all employees are properly trained. HIPAA and the OCR put the onus on CEs to train their employees – a tough task, given the extensive nature of the legislation and the consequences for non-compliance. Here we outlined some best-practice guidelines to ensure HIPAA compliance, as well as providing a training curriculum that can be altered to the needs of CEs and their employees to reduce the risk of HIPAA violations.
How soon should HIPAA training be provided to employees?
HIPAA does not specify how soon training must be provided after starting employment. You do not need to provide training before work duties are commenced, but you should try to ensure training is provided within the first 10 days of an employee commencing employment and no later than a month after a new hire.
What is the maximum penalty for a HIPAA training failure?
Fines of up to $1.5 million can be imposed by the HHS’ Office for Civil Rights for the failure to provide HIPAA and security awareness training. State Attorneys General can also impose fines of up to $25,000 for HIPAA violations in addition to any fines by the HHS’ Office for Civil Rights. The fines can then be multiplied by the number of years an organization is in violation of HIPAA.
Are there privacy training requirements other than HIPAA?
Yes. HIPAA covered entities and their business associates are also required to comply with state privacy and security laws, which may be stricter than HIPAA. In Texas for instance, training must be provided on Texas HB 300 within 60 days of commencing employment with refresher training provided at least every 2 years.
Do students need HIPAA training?
Yes. All individuals who may encounter PHI are required to be provided with HIPAA training. That includes students, interns, volunteers, admin and accounting staff, nurses, physicians, and even the cleaning staff. Training should be appropriate to each role. Training for students will be different to training for back office staff.
What HIPAA training documentation is required?
You must maintain an accurate training log that includes the names and job titles of all employees, the date when training was provided, what training was given, and the names of the trainers/training courses. The training log should be stored with your HIPAA documentation and a training record should be maintained in each employee’s HR file.
How long does HIPAA training last?
In terms of individual training sessions, the length of each session will be determined by the volume of content. In terms of how long HIPAA training is valid, HIPAA training has no expiry date unless there is a material change to policies and procedures which invalidates previous training, or a risk assessment identifies the need for further training.
How often do you need HIPAA training?
As an employee of a Covered Entity (or a student or volunteer), you undergo HIPAA training when you first start working for the Covered Entity, whenever there is a change in policies and procedures, whenever the Office for Civil Rights imposes a corrective action plan on your employer, or when a risk assessment identifies that you need further training to mitigate the risk of a HIPAA violation.
Why is HIPAA patient privacy training necessary?
If you work in a public-facing role for a healthcare organization, HIPAA patient privacy training is necessary to ensure you understand the requirements of the HIPAA Privacy Rule in relation to patients´ rights, unauthorized uses and disclosures of patient data, and the minimum necessary standard which states you should limit unnecessary disclosures of Protected Health Information.
Who must take HIPAA training?
Every member of a Covered Entity´s or Business Associate´s workforce must take HIPAA training – including students, volunteers, and contractors. The nature of the training will vary according to individuals´ functions, but it is necessary for everyone to understand what Protected Health Information is, why it should be protected, and how it is protected.
How long is HIPAA training good for?
HIPAA training is “good” until there is a material change in policies and procedures, until a risk assessment identifies a need for additional training, or the organization is required to provide refresher training by an OCR corrective action plan. However, because HIPAA training covers an organization´s policies and procedures, an individual leaving one organization to work for another, will have to undergo HIPAA training on the new organization´s policies and procedures.
What are the HIPAA training requirements for new hires?
The HIPAA training requirements for new hires vary according to whether the employer is a Covered Entity or a Business Associate. Covered Entities have to train new hires on Privacy Rule policies and procedures with respect to PHI and provide security and awareness training. Business Associates are only required to provide security and awareness training – although Privacy Rule training can help new hires better understand the content of security and awareness training.
How long should HIPAA training documents be kept?
HIPAA training documents need to be kept for six years from the date the policies and procedures they relate to were last in force. This means that if training on patients´ rights was provided in 2017, but the same policies remained in force until 2021, the HIPAA training documents relating to the original training have to be retained until 2027. You will also need to keep a record of the training provided to employees when the policy relating to patients´ rights changed in 2021.
What should HIPAA training cover?
This depends on the purpose of the HIPAA training. If it is to comply with the HIPAA training requirements, the training should cover a Covered Entities policies and procedures in respect of PHI and security and awareness training (Covered Entities and Business Associates). If training is provided to mitigate the threat of a HIPAA violation identified in a risk assessment, the training will cover the threat and the policies implemented to mitigate it.
How is mental health HIPAA training different than medical HIPAA training?
Mental health HIPAA training has a few additional rules to be aware of. The additional rules most often relate to the nondisclosure of psychotherapy notes, disclosures when a patient might harm themselves or others, and student mental health in circumstances where HIPAA applies rather than FERPA. Federal alcohol and drug abuse confidentiality regulations or state laws may also apply when they provide more stringent protections than HIPAA.
Who is liable for a HIPAA violation if no training has been provided?
Although a Covered Entity or Business Associate will most often be liable for a HIPAA violation when there has been a failure to provide “necessary and appropriate” training or identify the need for training in a risk assessment, there can be occasions when the individual will be considered liable. These include events when a reasonable person exercising due diligence should have known that a specific course of action (or inaction) would have resulted in a HIPAA violation.