There are two standards in the Health Insurance Portability and Accountability Act that directly relate to HIPAA training for employees – the training standard of the Privacy Rule's Administrative Requirements (45 CFR § 164.530) and the security awareness and training standard of the Security Rule's Administrative Safeguards (45 CFR § 164.308).
Strictly speaking, the training standard of the Privacy Rule's Administrative Requirements only relates to employees of Covered Entities. The standard stipulates: “A Covered Entity must train all members of its workforce on the policies and procedures with respect to Protected Health Information […] as necessary and appropriate for members of the workforce to carry out their functions within the Covered Entity”.
Nonetheless, it can be beneficial for Business Associates to also provide HIPAA training for employees when employees are involved in the provision of a service to a Covered Entity. Privacy Rule training will give these employees a better understanding of why Protected Health Information (PHI) has to be safeguarded against unauthorized uses and disclosures and mitigate the risk of HIPAA violations attributable to employee negligence.
With regard to the security awareness and training standard of the Security Rule's Administrative Safeguards, this applies to all employees of Covered Entities and Business Associates regardless of their interaction with electronic PHI. This standard states: “[Covered Entities and Business Associates must] implement a security awareness and training program for all members of its workforce (including management)”.
How Frequently should Training be Provided?
The Administrative Requirements of the Privacy Rule state HIPAA training should be provided “within a reasonable period of time after the person joins the Covered Entity's workforce” and whenever “functions are affected by a material change in policies and procedures”. HIPAA training for employees should also be provided whenever a risk analysis identifies a need for training to prevent unauthorized uses and disclosures of PHI.
In terms of Privacy Rule HIPAA training for employees, the risk analysis requirement can sometimes be overlooked by Covered Entities because the standard requiring Covered Entities to conduct risk analyses appears in the Security Rule and appears to relate only to electronic PHI. However, Covered Entities that fail to exercise due diligence in respect of Privacy Rule compliance could be found guilty of willful neglect in subsequent HIPAA violation investigations.
With regard to the security awareness and training standard of the Security Rule, the term “program” implies security awareness and training should be ongoing. Consequently, all employees of Covered Entities and Business Associates should receive regular training on elements of HIPAA such as cyber-threats to patient data and computer safety rules – notwithstanding that many elements of the Security Rule overlap with those of the Privacy Rule.
What Should HIPAA Training Consist Of?
There is no one-size-fits-all HIPAA training because the nature of operations at each Covered Entity will likely be different – which will affect the content of policies and procedures with respect to PHI – and risk analyses will likely produce different results. In addition, some Covered Entities and Business Associates will have implemented better cybersecurity mechanisms than others, which affects the content of security awareness and training.
One further point of relevance is that HIPAA training does not just have to be provided for employees. Under HIPAA, the term “workforce” is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.
This definition means that every member of the workforce needs to undergo some degree of HIPAA training regardless of their access to PHI. It also means Covered Entities and Business Associates may have to develop multiple training courses to account for those who require basic HIPAA training (e.g., maintenance teams, environmental services personnel, etc.) and those who require more advanced HIPAA training (e.g., public-facing employees, IT professionals, etc.).
How Best to Deliver HIPAA Training for Employees?
Because of the difficulty in developing multiple training courses to meet the HIPAA training requirements for each member of the workforce, it can be beneficial to deliver HIPAA training in modules. Modular training not only enables Covered Entities and Business Associates to mix and match modules to more conveniently meet the training requirements, but updating individual training modules after a material change is easier than updating complete training courses.
In addition, it is easier to keep track of which elements of HIPAA an employee has been trained on if – for example – they apply for a role with more exposure to PHI or more responsibility for its safekeeping. Similarly, if a material change to policies and procedures is only relevant to employees previously trained on specific modules, it is easier to determine who requires refresher training – rather than providing refresher training to all members of the workforce unnecessarily.
Finally, because of the shorter length of a training module compared to a full training course, training modules can often be delivered online. This enables busy healthcare professionals to take the modules when time allows rather than removing large groups of the workforce “from the floor” for a classroom-based training session. Effectively, modular training enables Covered Entities and Business Associates to provide the training required by HIPAA with minimum expense and maximum efficiency.
The Importance of Documenting HIPAA Training
Under the Administrative Requirements of the HIPAA Privacy Rule, Covered Entities are required to document that training has been provided. The training standard does not stipulate that the nature of the training has to be documented, nor to whom it was provided. However, the documentation standard of the Administrative Requirements states that “documentation must be sufficient to meet its burden of proof under 45 CFR § 164.414”.
The burden of proof requirement is important because since the publication of the Final Omnibus Rule in 2013, Covered Entities and Business Associates are presumed to be responsible for HIPAA violations unless it can be shown reasonable and appropriate efforts have been made to mitigate the likelihood of a violation. HIPAA training for employees is a key factor in mitigating the likelihood of a violation and should therefore be scrupulously documented.
Documenting HIPAA training according to the nature of the training and to whom it was provided makes it easier to determine which members of a Covered Entity's workforce require refresher training when there is a material change to policies and procedures or when a risk analysis identifies a need for training to prevent unauthorized uses and disclosures of PHI. As with all HIPAA documentation, records of HIPAA training have to be retained for six years.
HIPAA Training for Employees FAQs
Should HIPAA Privacy Rule training be limited to policies and procedures?
While training employees on policies and procedures ticks the box for delivering training, it can be beneficial to provide context to the training – such as why the policies and procedures exist and what their objectives are. In this respect, it can be useful to provide a HIPAA overview, a little information about the main regulatory rules, and advice on being a HIPAA compliant employee.
How often should HIPAA refresher training be provided?
Although the Privacy Rule only requires refresher training when “functions are affected by a material change in policies and procedures”, Covered Entities and Business Associates should be guided by periodic risk assessments. Other than that, the accepted best practice is to provide Privacy Rule refresher training annually. As mentioned above, security awareness and training should be ongoing.
If a new employee has received HIPAA training in a previous position, is it necessary to provide training again?
The training a new employee received in their previous position would not have covered the policies and procedures of their new employer. Therefore, it is essential new employees receive HIPAA training regardless of their knowledge of HIPAA to ensure they carry out their functions in compliance with their new employer's policies and procedures.
Whose responsibility is it to provide HIPAA training for employees?
Covered Entities are required to appoint a Privacy Officer and a Security Officer who are responsible for developing HIPAA-compliant policies and procedures (Business Associates are only required to appoint a Security Officer). Although these officials do not have to personally deliver HIPAA training, it is their responsibility to ensure the HIPAA training requirements are met.
Why might an employee with no access to PHI require HIPAA training?
Although an employee may have no authorized access to PHI, there might be occasions when they see or hear information about a patient that they subsequently disclose (e.g., via social media). The unauthorized disclosure of PHI is a violation of HIPAA even if the employee did not know it was wrong. HIPAA training for all members of the workforce can prevent this type of HIPAA violation.