Without doubt, the best HIPAA training is training that goes beyond the requirements of the Privacy and Security Rules so that Covered Entities and Business Associates have fully HIPAA-aware workforces that can identify potential HIPAA violations and take a compliant course of action to prevent violations from occurring.
When you review the training requirements of Privacy and Security Rules, they leave plenty of gaps that could result in HIPAA violations. For example, the Administrative Requirements of the Privacy Rule (45 CFR § 164.530) only require a Covered Entity to train members of its workforce on policies and procedures “as necessary and appropriate for members of the workforce to carry out their functions within the Covered Entity”.
If a member of the workforce does not ordinarily have access to Protected Health Information (PHI), they may not receive training on how to protect the privacy of PHI if they are exposed to it unintentionally – e.g., by seeing a celebrity entering a healthcare facility, by overhearing medical staff discussing the celebrity's treatment, or by finding paperwork relating to the celebrity. This could potentially result in the celebrity's PHI being unwittingly shared on social media.
Similarly, the Administrative Safeguards of the Security Rule (45 CFR § 164.308) require Covered Entities and Business Associates to “implement a security and awareness program for all members of the workforce” with the objective of preventing, detecting, containing, and correcting security violations related to ePHI. This implies that if a Business Associate provides a non-electronic service to a Covered Entity, there are no guidelines to protect the privacy of PHI.
The Importance of Risk Assessments
Because of the gaps that could result in HIPAA violations (and we have only discussed two examples – there are hundreds more), it is important Covered Entities and Business Associates conduct regular risk assessments to identify threats to the confidentiality, integrity, and availability of all PHI. Although risk assessments are only a requirement of the Security Rule (and often interpreted to apply only to ePHI), it is vital that threats to oral, visual, and written PHI are also identified.
Consequently, risk assessments need to identify all potential threats and vulnerabilities. They should also identify how well existing policies, procedures, and security measures mitigate threats to PHI, and what changes need to be made to fill the gaps in the minimum HIPAA training requirements. The risk analyses that result from the risk assessments should identify the best HIPAA training to provide to members of the workforce to ensure unintentional violations are avoided.
While the Security Rule doesn't specify the frequency of risk assessments, they – and security and awareness training programs – should be ongoing. Threats to PHI can evolve quickly, and it is necessary for Covered Entities and Business Associates to stay on top of evolving threats, react quickly when new threats are identified, and respond by training members of the workforce on the threats – and on the policies, procedures, and security measures implemented to protect PHI.
Delivering the Best HIPAA Training Quickly
At the time the HIPAA Privacy Rule was drafted, threats to patient data did not evolve as quickly as they do now. Consequently, the instructions to Covered Entities for providing additional training are that it should be delivered “within a reasonable period of time after a material change [in policies and procedures] become effective”. In many cases, waiting a “reasonable period of time” may now be too late to prevent avoidable violations of HIPAA because of the speed at which threats evolve.
The speed at which threats evolve is primarily due to the wider adoption of the Internet and connected mobile devices. However, the wider adoption of the Internet can also help Covered Entities and Business Associates deliver the best HIPAA training quickly via training modules designed (or adjusted) to cover the threats and the strategies implemented to mitigate them. Once developed, the training modules can be sent directly to staff workstations and mobile devices.
Training modules covering one HIPAA-related topic at a time make it easier to monitor which members of the workforce have received HIPAA training, when they received it, and what it consisted of. Modules can be mixed and matched to accommodate different workforce “functions”, and they are straightforward to use for refresher training if a lack of workforce knowledge is identified during a risk assessment. In this respect modules enable Covered Entities and Business Associates to deliver the best HIPAA training.
Best HIPAA Training FAQs
Should modular training be used for new employee HIPAA training?
Modular training can be used to deliver HIPAA training effectively in all use cases. Although the article above focuses on additional training prompted by risk analyses and material changes, modules are one of the most effective ways to maximize knowledge retention and are therefore ideal for new employee HIPAA training.
What modules should be included in HIPAA security and awareness training?
The content of each modular training course should be determined by a risk assessment. However, to deliver training in context, it is recommended HIPAA security and awareness training includes content explaining the background to HIPAA and the main regulatory rules so trainees understand why policies, procedures, and security measures are implemented to protect PHI.
Should organizations always provide HIPAA refresher training after a risk assessment?
HIPAA refresher training and risk assessments do not have to go hand-in-hand. If a risk assessment does not identify a need for further training, and there are no material changes to policies and procedures, it is still advisable to provide refresher training at least annually so that workforce members are reminded to work in a HIPAA-compliant manner.
How can Covered Entities best organize HIPAA training to accommodate workflows?
One of the advantages of modular HIPAA training is that it does not have to be delivered in a classroom environment. Trainees can be sent links to online training modules to complete in their own time – thus eliminating the problem of having large groups of the workforce in training simultaneously, with the potential for operational issues.
What are the rules for documenting HIPAA training?
The Administrative Requirements of the HIPAA Privacy Rule state that the provision of training should be documented, but do not elaborate on how training should be documented. Ideally, Covered Entities and Business Associates should note the date of each training session (or completion of a training module) along with the reason for the training being provided (new employee, material change, risk assessment, etc.). The documentation should be retained for a minimum of six years.