HIPAA privacy training is sometimes confused with HIPAA Privacy Rule training which requires Covered Entities to train members of its workforce on policies and procedures “with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity.” (45 CFR § 164.530)
The problem with confusing HIPAA privacy training with HIPAA Privacy Rule training is that Privacy Rule training can be limited in its content and scope. Privacy Rule training might only consist of what policies and procedures exist rather than why they exist; and, because some of the workforce might not ordinarily use or disclose PHI while carrying out their functions, they could be excluded from HIPAA Privacy Rule training and at risk of committing HIPAA violations due a lack of knowledge.
Examples of how HIPAA violations can occur due to a lack of knowledge include:
- Admin staff using public-facing workstations that reveal the identities of patients and what their appointments or treatments are for.
- Support staff (security, volunteers, environmental services personnel, etc.) posting the identities of patients on social media.
- Students discussing patient cases in earshot of other patients or outside the healthcare facility in earshot of members of the public.
Unauthorized uses and disclosures are not limited to Covered Entities´ workforces. The workforces of Business Associates – who are only mandated by HIPAA to undergo security awareness training – also need to be aware of the allowable uses and disclosures of PHI, the Breach Notification Rule, and the potential consequences of HIPAA violations. They may also need to be aware of the Standards relating to patients´ rights if an individual requests access to health data held by a Business Associate.
What is HIPAA Privacy Training?
In contrast to HIPAA Privacy Rule training, HIPAA privacy training provides context to the measures put in place to prevent unauthorized uses and disclosures, so that all members of the workforce – whether a Covered Entity´s workforce or a Business Associate´s workforce – understand their responsibilities under HIPAA and are better equipped to carry out their functions in a HIPAA-compliant manner – thus mitigating the risk of a HIPAA violation due to a lack of knowledge.
Typical HIPAA privacy training courses could include a timeline which explains why HIPAA and the HITECH Act were introduced, what the objectives of the Privacy and Security Rules are, and best practices for preventing HIPAA violations. As mentioned above, all members of the workforce should also understand what uses and disclosures of PHI are allowed, what the Breach Notification Rule consists of, and the consequences of HIPAA violations to patients, staff, and employers.
Thereafter, further HIPAA privacy training should be provided to those who may encounter situations in which HIPAA Rules apply. This will likely cover most members of a Covered Entity´s workforce and possibly a large proportion of a Business Associate´s workforce depending on the nature of the service provided for the Covered Entity by the Business Associate. The way to determine if further HIPAA privacy training is required is via a risk analysis.
Balancing Different Privacy Training Requirements
Providing general privacy training for some members of the workforce and specific privacy training for others can create organizational and operational issues – notwithstanding that different members of the workforce may require periodic refresher training when “functions are affected by a material change in policies or procedures”. Furthermore, the implication of the Standard relating to security awareness training (45 CFR § 164.308) is that it should be an ongoing program.
To balance different HIPAA privacy training requirements, Covered Entities and Business Associates should design modular training courses so that modules can be mixed and matched to meet the requirements of different workforce groups. Modular training courses can be easier to update when material or legislative changes occur; and, while there are benefits of providing training in a classroom environment, modules can also be delivered online when necessary.
Online modular training also resolves issues with getting members of the workforce together at the same time. Modules can be completed when each individual member of the workforce has a gap in their schedule; and provided Covered Entities and Business Associates monitor the completion of each module, they will be in compliance with the HIPAA training requirements in addition to best equipping members of the workforce to carry out their functions in a HIPAA-compliant manner.
HIPAA Privacy Training FAQs
Does HIPAA require refresher training?
HIPAA does not require refresher training per se. However, Covered Entities and Business Associates are required to conduct periodic risk analyses; and, if a risk analysis identifies a threat to the confidentiality, integrity, or availability of PHI that could be mitigated with refresher training, it will be necessary to provide refresher training.
In addition, refresher training should be part of an ongoing security awareness training program and any training provided following a “material change in policies and procedures”. For example, refresher training on the objectives of the Privacy and Security Rules would have been appropriate when CMS published the Emergency Preparedness Rule in 2016.
Why is it important that Covered Entities and Business Associates monitor the completion of each HIPAA training module?
Under the Privacy Rule training standard, Covered Entities are required to document all training and retain the documentation for a minimum of six years. While the same requirement does not apply to Business Associates, it is recommended they too document all training to establish the burden of proof in the event of an inspection, audit, or investigation.
Why would a Covered Entity need to provide HIPAA privacy training on the HITECH Act?
Subtitle D of the HITECH Act introduced several provisions that address privacy and security concerns when PHI is created, stored, or transmitted electronically. It also strengthened the civil and criminal enforcement of the Privacy, Security, and Breach Enforcement Rules, and paved the way for the Meaningful Use program and subsequent Promoting Interoperability program.
Can a Covered Entity apply sanctions on a member of the workforce who avoids training?
This depends on the content of the Covered Entity´s sanctions policy. Covered Entities can apply sanctions for non-compliance with a training policy that states attendance is mandatory. Similarly, Covered Entities and Businesses Associates can apply sanctions for non-compliance with security policies that stipulate training is mandatory.
Is it necessary to provide HIPAA privacy training to Business Associates´ subcontractors?
It is not necessary, but it is recommended in certain cases. For example, while a Business Associate should not need to train Amazon´s workforce on HIPAA privacy before deploying ePHI in the AWS Cloud, Business Associates are required to conduct due diligence before sharing ePHI outside their organization and, a need for HIPAA privacy training is identified, it should be provided.
Are students and volunteers considered to be part of the workforce under HIPAA?
According to the General Administrative Requirements of HIPAA (45 CFR § 160.103), a “workforce” is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.
