If you study the text of the Health Insurance Portability and Accountability Act, the only mention of HIPAA compliance training for Business Associates appears within the Administrative Safeguards of the Security Rule. However, there are multiple reasons why Business Associates' workforces should undergo additional HIPAA compliance training.
The HIPAA training requirements are covered by two standards in the Privacy and Security Rules. The Privacy Rule standard (45 CFR § 164.530 (b)(1)) requires Covered Entities to train members of the workforce on the policies and procedures the Covered Entity has implemented to comply with the standards, implementation specifications, and other requirements of the Privacy Rule and Breach Notification Rule. The training should be “necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity”.
The Security Rule standard (45 CFR § 164.308 (a)(5)) requires both Covered Entities and Business Associates to “implement a security awareness and training program for all members of its workforce (including management)”. Although this standard provides no further information about the content of a security awareness and training program, the Security Rule also requires Covered Entities and Business Associates to conduct risk assessments to identify potential risks and vulnerabilities to ePHI.
The results of these risk assessments should guide Covered Entities and Business Associates on the content of a security and awareness training program; and it is important to be aware that both the risk assessments and the security and awareness training program should be ongoing. Neither should be a one-off or periodic exercise due to the evolving nature of threats to the confidentiality, integrity, and availability of ePHI. Unfortunately, too few organizations invest sufficient time into this key area of HIPAA compliance training.
Beyond Security and Awareness Training
Beyond the requirement to implement a security and awareness training program, there are no requirements to provide HIPAA compliance training for Business Associates. Nonetheless, there are multiple reasons why Business Associates should consider additional training. For example, Covered Entities are required to conduct due diligence on Business Associates and other Covered Entities before entering into a Business Associate Agreement and sharing PHI.
If the Covered Entity conducting due diligence determines the Business Associate does not have adequate security measures in place to mitigate threats to the confidentiality, integrity, and availability of ePHI – and this includes a compliant workforce – the Covered Entity should decline to do business with the Business Associate. This wouldn't be a decision based on the Covered Entity's concerns about data protection, but rather its own liability for non-compliance.
From the Covered Entity's perspective, if it entered into an Agreement knowing the Business Associate's workforce was not trained on HIPAA compliance, the Covered Entity rather than the Business Associate would be liable if a HIPAA violation subsequently occurred due to the known lack of knowledge. Consequently, it is in a Business Associate's best interests to provide HIPAA compliance training for its workforce.
What Should HIPAA Compliance Training for Business Associates Consist Of?
This will largely depend on the nature of the service a Business Associate is providing for a Covered Entity. For example, if a Business Associate is providing a service which includes the storage of ePHI while it is being processed, its workforce may need to be aware of patients' rights of access and the HIPAA disclosure rules. If any of the workforce is public-facing, they may also need training on computer safety rules and physical threats to patient data.
In addition, all members of a Business Associate's workforce should have a basic understanding of the Privacy and Security Rules, a knowledge of the sanctions for HIPAA violations, and awareness of the procedures for complying with the Breach Notification Rule. Importantly, workforce members should know how to identify a HIPAA violation, who to report it to, and how to avoid committing HIPAA violations themselves.
Again, depending on the nature of the service and whether any of the workforce is public-facing, it may not be necessary to provide HIPAA compliance training for Business Associates to the entire workforce. While all will have to undergo security and awareness training – even those with no access to ePHI – it may be possible to provide training on some elements of HIPAA to some of the workforce using HIPAA training modules.
How HIPAA Training Modules Make Training More Efficient
HIPAA training modules allow Business Associates to mix and match modules according to the roles of workforce members. This means – for example – training on patient access requests is only provided to members of the workforce likely to deal with patient access requests. Similarly, it may not be necessary to provide every member of the workforce with an in-depth knowledge of the Breach Notification Rule – most employees will only need to know the procedures for reporting breaches.
Modular HIPAA compliance training for Business Associates makes it easier to update specific areas of training when new regulations are introduced, when policies and procedures are amended, or when a risk assessment identifies a knowledge gap. It also facilitates more efficient refresher training due to modules being available as online training as well as classroom training. With online training, members of the workforce can complete each training module as time allows.
Finally, modular HIPAA compliance training for Business Associates makes it easier to document what training has been provided to each member of the workforce in the event of an HHS inspection, audit, or investigation into a patient complaint. Consequently, Business Associates will be able to demonstrate they have taken their training compliance obligations seriously when asked to produce documentation sufficient to meet their “burden of proof”.
HIPAA Compliance Training for Business Associates FAQs
What risks to ePHI can be mitigated by HIPAA Privacy Rule training?
According to the Department of Health and Human Services, one of the most common HIPAA violations occurs when employees snoop on the healthcare records of co-workers, neighbors, and celebrities, and share the patient's PHI with friends, family members, other co-workers, and on social media. Effective HIPAA Privacy Rule training can mitigate the likelihood of this HIPAA violation.
Why would employees with no access to ePHI require HIPAA security and awareness training?
Even though an employee has no access to ePHI, it is important they are trained on online security best practices. Cybercriminals are constantly on the lookout for the weakest link in an organization in order to obtain system login credentials and move laterally through a Business Associate's network until they find a vulnerability they can exploit to extract ePHI.
If a Business Associate subcontracts work to a third party, does the third party have to undergo HIPAA compliance training for Business Associates?
The relationship between Business Associates and subcontractors is the same as between Covered Entities and Business Associates. A Business Associate has to conduct due diligence on the subcontractor before sharing PHI with them. If a HIPAA violation occurred due to a known lack of subcontractor knowledge, the Business Associate would be liable for the violation.
What is the burden of proof under HIPAA?
The burden of proof most often refers to breach notifications inasmuch as a Covered Entity or Business Associate has a burden of proof to show an unauthorized use or disclosure of unsecured PHI did not constitute a breach if – for example – there is a low probability the PHI was compromised by the unauthorized use or disclosure.
In the context of HIPAA compliance training for Business Associates, the burden of proof refers to documentation that workforce members have received training to comply with the Administrative Safeguards of the Security Rule and to mitigate threats to ePHI identified in a risk assessment. Consequently, a copy of the risk assessment should be included in the training documentation.
If an employee of a Business Associate isn't aware of what ePHI is, can they be blamed for disclosing it without authorization?
If an employee is not aware of what ePHI is because they have not received HIPAA compliance training, and the risk of an unauthorized disclosure was identified as a foreseeable risk in a risk assessment, the Business Associate is liable for the HIPAA violation. The Business Associate may also be liable if the risk of an unauthorized disclosure was not identified in a risk assessment.
However, if the employee has received HIPAA compliance training that includes a definition of ePHI – and the training is documented – the employee is liable. The consequences of the unauthorized disclosure will depend on several factors (e.g., the degree of harm resulting from the disclosure), the Business Associate's sanctions policy, and any civil action arising from the unauthorized disclosure.