The Health Insurance Portability and Accountability Act (HIPAA) is an important law affecting the healthcare industry with many data privacy and security provisions. All individuals at HIPAA-covered entities and their business associates must comply with its provisions and employees must receive HIPAA training, but what training must be provided and how often is HIPAA training required?
Considering the importance of the Act and the severity of the penalties for noncompliance – fines of up to $1.5 million can be imposed per category of violation – it may be surprising to discover that very little text in the Act covers HIPAA training for employees. The text of HIPAA contains scant information on what must be covered in HIPAA training, there is no set date for providing training for employees when they join an organization, and the frequency of HIPAA training is only stated as ‘periodic’.
This lack of information can be a source of confusion for covered entities and business associates, especially vendors such as IT consultants and cloud service providers who have only recently started offering their services to healthcare organizations. In this post we explain what is required in terms of HIPAA and security awareness training to ensure compliance.
What HIPAA Training Must Be Provided to Employees?
The HIPAA Privacy Rule only states that training should be provided to new recruits “within a reasonable period of time after the person joins the covered entity’s workforce.” The content of HIPAA training sessions is not specified, other than stating, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and that training should be given “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
It may be appropriate for a single training course to be developed and used by a business associate if all employees have similar responsibilities, but HIPAA-covered entities will need to develop modular training courses, with different categories of employee required to complete different modules related to their role and responsibilities.
The time frame – within a reasonable period of time – means as soon as possible, so ideally within the first few days of commencing employment and certainly within the first month.
How Often is HIPAA Training Required?
As is the case with health and safety training, a one-time training session is insufficient. Over time, the requirements of HIPAA may be forgotten, HIPAA may be updated with new requirements, and changes to working practices and technology could affect HIPAA compliance.
The HIPAA Privacy Rule states that HIPAA training must be provided “within a reasonable period of time” after “functions are affected by a material change in the policies or procedures.” This could be when there is an update to HIPAA requirements, introduction of new technology that interacts with protected health information, or working practices change.
Periodic refresher HIPAA training sessions also need to be provided. How often HIPAA training is required will vary from organization to organization and for different categories of employee. The longest interval between HIPAA training sessions should be 2 years, although it is better to conduct more frequent training sessions. The industry best practice is for annual HIPAA training sessions to be provided to employees who have contact with PHI.
All HIPAA training must be documented. You must be able to prove that training has been provided, so you should create a training log that records who received training, what it covered, and when it was provided.
All Employees Must Be Provided with Security Awareness Training
In addition to training on the requirements of HIPAA, the HIPAA Security Rule requires “Security awareness and training.” Covered entities and business associates must “Implement a security awareness and training program for all members of its workforce (including management).”
As with HIPAA training, security awareness training must be provided when an employee joins the organization and periodically thereafter. The implementation specifications of the HIPAA Security Rule state that security awareness training must include password management, log-in monitoring, protection against malicious software, and security reminders.
When the Security Rule was written, many of today’s threats were not an issue: there were no ransomware attacks, and phishing attacks were not very common. Security awareness training must reflect the current threat landscape, make employees aware of the threats they are likely to encounter, and train them to recognize and avoid those threats and to report them when a threat is encountered.
While it was once an industry best practice to provide security awareness training annually, this is now seen as too long a gap. The industry best practice is now to provide security awareness training at least twice a year and to issue regular security reminders to employees throughout the year. You should also consider running phishing email simulations as part of your security awareness and training program.