The text of the HIPAA Privacy Rule and Security Rule related to training does not directly answer the question of how often HIPAA training is required. However, by reviewing other areas of HIPAA, it is possible to establish how often training should be provided and what it should cover.
Considering the importance of HIPAA and the severity of the penalties for noncompliance (fines of more than $1.9 million per year can be imposed for each category of violation), it may be surprising to discover that very little text in the Privacy and Security Rules covers the frequency of HIPAA training. This lack of detail can be a source of confusion for covered entities and business associates, especially vendors such as IT consultants and cloud service providers who have only recently started offering services to healthcare organizations. In this post we explain what is required in terms of HIPAA and security awareness training to ensure compliance.
What HIPAA Training Must be Provided?
The HIPAA Privacy Rule states that training should be provided to new members of the workforce “within a reasonable period of time after the person joins the covered entity’s workforce.” The content of HIPAA training should be on “the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
Unfortunately, these limited instructions are insufficient on their own to ensure a HIPAA-compliant workforce, considering that HIPAA defines the workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
The Privacy Rule standard could be interpreted to mean that covered entities only need to provide training to members of the workforce who would normally use or disclose PHI in their day-to-day routines. This leaves open a scenario in which other members of the workforce (e.g., environmental services, maintenance teams, security personnel) inadvertently disclose PHI because they do not know what PHI is or why its privacy must be maintained, for example by sharing news on social media about a celebrity undergoing treatment at the facility. That would be a HIPAA violation attributable to a lack of training, and the covered entity would be liable for it.
How Often is HIPAA Training Required?
As is the case with health and safety training, a one-time training session is insufficient. Over time, the requirements of HIPAA may be forgotten, shortcuts may be taken to “get the job done”, HIPAA may be updated with new requirements, and changes to working practices and technology may affect HIPAA compliance.
The HIPAA Privacy Rule states that HIPAA training must be provided “within a reasonable period of time” after a workforce member's “functions are affected by a material change in the policies or procedures.” A material change could be an update to HIPAA requirements, the introduction of new technology that interacts with protected health information, or a change in working practices.
Periodic refresher HIPAA training sessions should also be provided. How often HIPAA training is required will vary from organization to organization and between categories of employee. The longest gap between HIPAA training sessions should be two years, although more frequent sessions are better. The industry best practice is to provide annual HIPAA training to employees who have contact with PHI.
All HIPAA training must be documented. You must be able to prove that training has been provided, so keep a training log that records who received training, what it covered, and when it was provided. Retain these records in line with HIPAA's documentation retention requirements so they are available if an auditor or investigator asks for them.
Security Awareness Training
In addition to training on the requirements of the Privacy Rule, the HIPAA Security Rule requires “Security awareness training.” Covered entities and business associates must “Implement a security awareness and training program for all members of its workforce (including management).”
As with HIPAA Privacy Rule training, security awareness training must be provided when an employee joins the organization and periodically thereafter. The implementation specifications of the HIPAA Security Rule state that a security awareness and training program should include security reminders, protection from malicious software, log-in monitoring, and password management. These specifications are “addressable”, which means a covered entity or business associate must implement them if reasonable and appropriate, or document why they are not and what alternative measure was adopted; it does not mean they are optional.
When the Security Rule was written, many of today's threats did not yet exist in their current form. Ransomware attacks were virtually unknown and phishing attacks were far less common. Security awareness training must reflect the current threat landscape: it must make members of the workforce aware of the threats they are likely to encounter, train them to recognize and avoid those threats, and tell them how to report a threat when one is encountered.
While it was once industry best practice to provide security awareness training annually, this is now seen as too long a gap. The current best practice is to provide security awareness training at least twice a year and to issue regular security reminders throughout the year, with the frequency dictated by a risk analysis. You should also consider running phishing email simulations as part of your security awareness and training program, both to measure how well the training is working and to identify groups that need additional attention.
How Often is HIPAA Training Required? FAQs
How can Covered Entities prevent members of the workforce disclosing PHI on social media?
It is impossible to prevent a determined member of the workforce from posting anything on social media. However, providing training on permissible uses and disclosures, and adopting a sanctions policy that specifically prohibits unauthorized disclosures, can mitigate the risk of PHI being shared on social media platforms through a lack of knowledge.
What is the issue with shortcuts being taken “to get the job done”?
When members of the workforce start taking shortcuts with HIPAA compliance, the risk is that a few seemingly harmless shortcuts deteriorate into a culture of non-compliance. While it may be necessary to take the occasional shortcut in an emergency, non-compliant practices need to be nipped in the bud and members of the workforce reminded, via training, why compliance is important.
When “functions are affected by a material change”, does everybody need re-training?
This depends on the nature of the material change. If, for example, the change affects Business Associate Agreements, only those with responsibility for the Agreements would need retraining. However, if the Department of Health & Human Services prohibited previously permissible uses and disclosures of PHI, the whole workforce might need retraining, but only on uses and disclosures.
Does security and awareness training have to be all about HIPAA security and awareness?
While it is a good idea to explain why security awareness training is necessary, the content of the training does not have to be exclusively HIPAA-related. Because the training must be provided to all members of the workforce, it is important to include general security best practices so that workforce members do not tune out because they believe the training is irrelevant to their roles.
Can security and awareness training be provided more than twice a year?
The frequency of security awareness training should be determined by a combination of a risk analysis and individual security assessments. There is little benefit in “over-training” employees who already demonstrate good security awareness, but providing more frequent security awareness training to groups of susceptible employees can reduce an organization's vulnerability to online threats.