When you consider the risk analysis requirements of HIPAA, the potential for corrective action orders, and the inferences of the Security Rule training requirements, the provision of additional HIPAA refresher training training is practically unavoidable.
Most Covered Entities are familiar with the requirement that HIPAA refresher training is required when a “material change in policies and procedures” affects the functions of employees, volunteers, students, and other members of a Covered Entity´s workforce. However, there are a few other circumstances in which additional training on elements of the HIPAA Privacy Rule may be required.
When Additional Privacy Rule Training May be Required
The first of these circumstances is when a risk analysis identifies a need for HIPAA refresher training. Covered Entities are required to conduct periodic risk analyses under the Security Rule; and, if a risk analysis identifies a threat to Privacy Rule compliance that could be addressed with refresher training, the organization is required to provide the training as “necessary and appropriate”.
Another scenario in which additional training on the Privacy Rule may be required is when a complaint is received from a patient relating to HIPAA-mandated rights such as a patient´s right to access and correct healthcare data. If the complaint is dealt with in-house by the Covered Entity, the HIPAA Privacy Officer may opt to provide refresher training to mitigate future patient complaints.
However, if the complaint is escalated to HHS´ Office for Civil Rights (OCR) – or if OCR investigates a data breach – additional HIPAA refresher training can be a requirement of a corrective action order. In 2020, more than two thousand corrective action orders were issued by OCR following patient complaints, breach compliance reviews, and other compliance investigations.
Consequently, the best way to mitigate patient complaints and data breaches is to provide regular HIPAA refresher training on the Privacy Rule. Industry experts suggest general refresher training should be provided annually to all members of the workforce in addition to any specific training provided in response to a material change, a threat identified in a risk analysis, or patient complaint.
What Should HIPAA Refresher Training Consist Of?
When Privacy Rule refresher training is attributable to a material change, a threat identified in a risk analysis, or a patient complaint, the content of the refresher training course will be tailored to the event that triggered it. OCR-mandated training via a corrective action order will also be tailored to specific areas of the Privacy and Security Rules that require attention.
General refresher training can consist of any areas of the Privacy Rule that are appropriate to maintain a compliant workforce. Naturally, if there have been any updates to HIPAA or guidance issued by the Department of Health and Human Services, these should be included in refresher training, but it doesn´t hurt to revisit previous training sessions to refresh trainees´ memories.
When revisiting previous training sessions, it can be helpful to include the background to HIPAA in order to give the training context. Telling members of the workforce they have to follow “Policy A” and “Procedure B” without explaining why can lead to confusion and misunderstandings. By giving refresher training context, the content of the training is more likely to be absorbed and retained.
Finally, it is important all HIPAA refresher training – whether provided formally or informally – is documented. Covered Entities are accustomed to documenting policies in compliance with the Administrative Requirements of the Privacy Rule, yet many do not document refresher training according to an audit conducted by the Centers for Medicare and Medicaid Services (CMS).
HIPAA Refresher Training and Security and Awareness Training Programs
Under the Administrative Safeguards of the Security Rule, Covered Entities and Business Associates are required to implement a Security and Awareness Training Program that supports compliance with the General Rules of the Security Standard. The General Rules stipulate Covered Entities and Business Associates must:
- Ensure the confidentiality, integrity, and availability of ePHI.
- Protect against threats to the security and integrity of ePHI.
- Protect against uses and disclosures that are not permitted by the Privacy Rule.
- Ensure compliance by the workforce.
Although the text of the Security Rule relating to security and awareness training is limited, the inference is that security and awareness training is not a one-off event, but rather an ongoing program. This inference is supported by the implementation specifications of the Training Program Standard which require:
- Periodic security updates,
- Procedures for guarding against, detecting, and reporting malware,
- Procedures for monitoring log-in attempts and reporting discrepancies, and
- Procedures for creating, changing, and safeguarding passwords.
Because security and awareness training is an ongoing program, HIPAA refresher training on the Security Rule should be more frequent that the once-a-year recommendation of industry experts. Indeed, whenever any new threat is detected or technology is implemented to mitigate the threat, training should be provided so members of the workforce know how to identify and report it.
While this approach may sound impractical for a large organization, a risk analysis can determine who among the workforce is most likely to encounter the threat so HIPAA refresher training can be prioritized for that group. Furthermore, other than the most widespread types of threat (i.e., phishing emails), most threats are limited to IT teams rather than the general workforce.
One final consideration with regards to HIPAA refresher training and security and awareness training programs is that, although some refresher training will be on policies and procedures (i.e., password management policies and procedures for reporting malware), most Security Rule refresher training will be relevant to keeping all systems and databases secure – whether they contain ePHI or not.
Refresher Training on State Medical Privacy Regulations
Most states have regulations controlling how personal health information is collected, used, and disclosed; and although some regulations only apply in specific circumstances inasmuch as they may relate to genetic data or biobanks, some go much further than HIPAA with regards to patients´ rights and the responsibilities of Covered Entities to protect data from unauthorized use or disclosure.
One such state is Texas, where the Medical Records Privacy Act applies to most organizations that “assemble, collect, analyze, use, evaluate, store, or transmit PHI [of a resident of Texas]”, regardless of where the organization is located and irrespective of whether the PHI subject was in Texas at the time PHI was collected. This considerably extends who qualifies as a Covered Entity.
The Medical Records Privacy Act requires all Covered Entities to train members of their workforces on the Medical Privacy Regulations within ninety days of an employee, volunteer, student, or other member of the workforce starting work with the Covered Entity. Importantly, Business Associates under HIPAA are regarded as Covered Entities by the Texas Medical Records Privacy Act.
Thereafter, in addition to refresher training whenever a material change, risk assessment, or corrective action order from the Texas Attorney General prompts additional training, all members of a qualifying Covered Entity´s workforce must undergo HB 300 refresher training every two years. In Texas, the failure to provide refresher training is a violation of the Medical Records Privacy Act.
HIPAA Refresher Training FAQs
Under HIPAA, are all members of a Covered Entity´s workforce required to have refresher training?
Under HIPAA, no member of the workforce is required to have refresher training on the Privacy Rule. However, voluntary refresher training on the Privacy Rule can mitigate the likelihood of refresher training being forced upon a Covered Entity, while ongoing refresher training on the Security Rule should be part of an ongoing security and awareness training program.
Do you have to document HIPAA refresher training as well as initial HIPAA training?
Yes. The standard relating to HIPAA training states “a Covered Entity must document that the training as described in [this] paragraph has been provided”. As the paragraph relates to both initial HIPAA training and HIPAA refresher training, a record should be kept of all training, who it was provided to, and what it consisted of. Each record has to be retained for a minimum of six years.
When is a change in policies and procedures “material”?
The text of the Training Standard requires Covered Entities to provide HIPAA refresher training when a material change to policies and procedures affects the functions of the Covered Entity´s workforce. This implies HIPAA refresher training is necessary when any change to policies and procedures occurs because it affects the functions of the Covered Entity´s workforce.
However, it is only necessary to provide refresher training to members of the workforce whose functions are affected by the material change. If, for example, there is a change to a policy specifying how funeral directors are notified of a patient´s death, only members of the workforce whose roles include notifying funeral directors of a patient´s death would have to receive refresher training.
How can a Security Rule risk analysis identify the need for Privacy Rule training?
Although the Standard relating to risk analyses implies Covered Entities and Business Associates only need to identify potential risks to ePHI, the third General Rule of the Security Standard (CFR 45 § 164.306) requires Covered Entities and Business Associates to protect [ePHI] against uses and disclosures that are not permitted by the Privacy Rule (“Subpart E”).
If members of the workforce are unfamiliar with uses and disclosures that are not permitted by the Security Rule, it will be impossible for Covered Entities and Business Associates to comply with the fourth General Rule of the Security Standards – “Ensure compliance by the workforce”. Therefore, a Security Rule risk analysis needs to consider whether Privacy Rule refresher training is required.
Are Business Associates required to provide training on the HIPAA Privacy Rule?
Business Associates that do not qualify as Covered Entities under HB 300 or any other state medical privacy regulation are not required to provide training on the HIPAA Privacy Rule unless a risk analysis identifies the need for Privacy Rule training (see FAQ above). However, Covered Entities are required to conduct due diligence on a Business Associate prior to signing a Business Associate Agreement and sharing PHI with the Business Associate.
If a Business Associate´s workforce has not been trained on the basics of the HIPAA Privacy Rule, it would be negligent of a Covered Entity to proceed with a Business Associate Agreement. If a data breach occurs that could have been reasonably foreseen and prevented with necessary and appropriate training, both the Covered Entity and the Business Associate will be considered liable – the Business Associate for not providing training when a risk analysis should have indicated it was necessary, and the Covered Entity for failing to conduct adequate due diligence.
Other than Texas, Which States have Medical Privacy Regulations?
Nearly all states have medical privacy regulations, but HIPAA preempts them unless the regulations require greater privacy protections, provide more patients´ rights, and/or assign more responsibilities to Covered Entities (and Business Associates where applicable). At present, the Texas Medical Records Privacy Act and New York´s SHIELD Act are the only state laws that apply across state lines.