Because of some confusion about the HIPAA training requirements, many Covered Entities and Business Associates provide basic HIPAA training to all members of their workforces. While this is a good idea because it ensures everyone is familiar with what HIPAA is, what its objectives are, and why certain policies and procedures exist, basic HIPAA training doesn't necessarily fulfill the Administrative Requirements of the Privacy Rule or the Administrative Safeguards of the Security Rule.
The Administrative Requirements and HIPAA Training
The Administrative Requirements of the Privacy Rule (45 CFR § 164.530) state Covered Entities must train “all members of its workforce on the policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their function within the Covered Entity”. There are several ways in which this requirement can be interpreted:
- Only employees of Covered Entities with access to PHI require training.
- HIPAA training only needs to be relevant to employees' roles.
- HIPAA training only needs to be on policies and procedures.
Strictly speaking, only the first of these interpretations is incorrect because HIPAA defines a workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.
This implies that volunteers, students, contractors, and agency personnel under the direct control of a Covered Entity or Business Associate require training. But what on? Should HIPAA training be limited to policies and procedures that are relevant to trainees' roles? How about members of the workforce who would not ordinarily access PHI, but who might disclose that a famous patient is receiving treatment at a medical facility? Should they also receive HIPAA training?
The Administrative Safeguards and HIPAA Training
The Administrative Safeguards of the Security Rule (45 CFR § 164.308) help answer one of these questions by stipulating that “[Covered Entities and Business Associates must] implement a security awareness and training program for all members of its workforce (including management).” Once you are aware that “members of its workforce” relates to everyone under the direct control of the Covered Entity or Business Associate, it becomes clear who HIPAA training applies to.
Unfortunately, the Standard doesn't expand on what the training should consist of and whether it needs to be relevant to specific roles. Furthermore, there is no clarification about whether a security awareness and training program should exclusively relate to electronic PHI or all forms of PHI. HIPAA training that exclusively focuses on ePHI would not mitigate the threat of a member of the workforce revealing the identity of a famous patient they had seen at a medical facility.
To resolve these issues, Covered Entities and Business Associates need to conduct a risk analysis in order to identify threats to the security, integrity, and availability of PHI, and then develop policies and procedures that mitigate the threats to a reasonable and acceptable level. Naturally, while there will be some general policies that apply to everyone (e.g., “don't reveal the identities of patients”), there will also be many that are role or event specific and require different levels of training.
Addressing the Training Maze of Multiple Policies and Multiple Roles
The outcome of a risk analysis will be the realization that there is no “one-size-fits-all” HIPAA training program. Some members of the workforce will only require basic HIPAA training, while others will require more advanced HIPAA training. Furthermore, the nature of the advanced HIPAA training may vary according to the threats that have been identified, the area of operations in which the threats exist, and the responsibilities of individuals to safeguard PHI from unauthorized uses and disclosures.
This can lead to a training maze in which multiple training courses have to be developed to address every type of threat per role. Indeed, it could be the case – depending on the size of the organization – that hundreds of different training courses have to be developed for members of the workforce to carry out their functions with the Covered Entity or Business Associate in compliance with HIPAA and prevent avoidable HIPAA violations attributable to a lack of knowledge.
To address the potential complexity of the training maze, Covered Entities and Business Associates should consider modular training. Modular training enables Covered Entities and Business Associates to mix and match modules to meet the training requirements of each member of the workforce (as identified in a risk analysis) and can be divided into basic HIPAA training modules to be delivered together in all cases and advanced HIPAA training modules that can be selected as necessary.
A further advantage of training via modules is that when a material change occurs that affects policies and procedures and results in the need for refresher training (as required by the Privacy Rule), only the modules that are affected need to be revised and retaught. This form of training – whether provided in the classroom or online – can save Covered Entities and Business Associates time and money, as well as reduce administrative and organizational overheads.
Basic HIPAA Training FAQs
What topics should be included in basic HIPAA training?
The topics to include in basic HIPAA training will vary according to the nature of the organization's operations. For example, healthcare facilities with large public-facing workforces may find it necessary to include more content related to physical threats to patient data than a Business Associate with a small office-based workforce.
The way to determine which topics should be included in basic HIPAA training is to conduct a risk assessment and analyze the results to identify where potential HIPAA violations may originate – bearing in mind that the objectives of basic HIPAA training should be to mitigate the risk of HIPAA violations, rather than to check the boxes on a HIPAA compliance checklist.
Should Privacy Rule and Security Rule training be delivered separately?
Not necessarily. There are many cases where the two Rules overlap, and it can be beneficial to deliver the Privacy Rule and Security Rule elements together in the same module to support better understanding and compliance. Even when there is no overlap, it can be beneficial to include Standards from one Rule to provide context to the one being taught.
An example of where the two Rules overlap is how to compliantly use workstations. There are several physical and technical safeguards in the Security Rule governing how workstations should be used, but it is also important the privacy of PHI is protected by (for example) ensuring workstation screens are positioned away from public view.
How does employee HIPAA training differ from volunteer or student HIPAA training?
Any differences between employee HIPAA training and volunteer or student HIPAA training are likely to be subtle because the nature of training should be determined by a risk assessment rather than an individual's employment status. Nonetheless, there are a couple of potential issues Covered Entities and Business Associates should be aware of.
Using a sanctions policy to deter volunteers from unauthorized disclosures of PHI is likely to be ineffective, so the focus needs to be on the potential consequences to patients and colleagues. Similarly, students need to be advised that they are not allowed to use PHI in reports and presentations unless they have consent, or the PHI has been de-identified.
Do you need to provide basic HIPAA training again if a new member of the workforce has received basic HIPAA training in a previous position?
Although it may seem to be a waste of resources to retrain a new member of the workforce on content they may already be familiar with, there are three good reasons for providing basic HIPAA training again:
- The Privacy Rule says you must – therefore the failure to provide basic HIPAA training to a new member of the workforce is a violation of HIPAA regardless of the individual's existing knowledge.
- The training you provide to a new member of the workforce must include training on the policies and procedures your organization has developed to ensure the confidentiality, integrity, and availability of PHI. Your organization's policies may be a lot different from the policies developed by the individual's previous employer.
- Providing basic HIPAA training to a new member of the workforce who already has a knowledge of HIPAA demonstrates to the individual that your organization is serious about HIPAA compliance. This can reflect in the individual also taking HIPAA compliance more seriously.
With potentially “hundreds of different training courses”, is it necessary to document every HIPAA training session?
The HIPAA training regulations state Covered Entities must document that training has been provided rather than what training has been provided. However, it is recommended that both Covered Entities and Business Associates document every training session so they can produce documentation sufficient to meet the “burden of proof” in the event of an HHS inspection, audit, or investigation.
How can you prevent an individual from disclosing that a famous patient is receiving treatment at a medical facility?
Realistically, in this scenario it is virtually impossible to prevent an individual from violating HIPAA by disclosing PHI without authorization. However, basic HIPAA training can help reduce inadvertent disclosures, while a sanctions policy can deter individuals who might otherwise disclose PHI for profit or malicious reasons.