HIPAA Training for Healthcare Administrators

The nature of HIPAA training for healthcare administrators can vary considerably depending on factors such as an organization's size, the responsibilities assigned to healthcare administrators, and individuals' existing knowledge of HIPAA. It can also be the case that HIPAA training for healthcare administrators needs to be provided more frequently than for other employees.

Healthcare administrators play an important role in the operation of healthcare facilities. Most often they are responsible for budgeting, stock-keeping, record-keeping, and coordinating healthcare professionals. They can also be responsible for handling patient access requests, developing policies and procedures, and ensuring the workforce complies with healthcare regulations.

In larger organizations, a team of healthcare administrators shares the responsibilities between them; but, in smaller organizations, a single healthcare administrator may have total responsibility for HIPAA compliance. This means that, as well as carrying out their administrative duties, they also have to fulfill the roles of the HIPAA Privacy Officer and the HIPAA Security Officer.

Because of the wide range of duties and responsibilities, many healthcare administrators start their careers in “Administrator in Training” positions under the supervision of an experienced healthcare administrator. However, it is often before this point in their careers that Administrators in Training first encounter HIPAA training for healthcare administrators.

Degree Courses Teach HIPAA, but Further Training is Necessary

Most Administrator in Training positions require applicants to have a degree in healthcare administration; and although many degree courses explain what HIPAA is and what it consists of, further training is necessary when a new employee joins a Covered Entity's workforce.

This is because Covered Entities are required by 45 CFR § 164.530 to train new members of the workforce on “policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”.

Therefore, even though a new employee may be familiar with HIPAA because of their education, they will not be aware of the policies and procedures developed by the Covered Entity in order to protect the privacy of PHI and ensure the confidentiality, integrity, and availability of ePHI.

In addition, when a new employee has not learned about HIPAA during their degree course, it may be necessary to provide HIPAA training for healthcare administrators beyond policies and procedures to include topics such as patients' rights, disclosure rules, and computer safety rules.

The Frequency of HIPAA Training for Healthcare Administrators

HIPAA stipulates that training must be provided when a new employee joins a Covered Entity's workforce and when there is a material change to policies and procedures. In addition, Covered Entities are required by 45 CFR § 164.308 to implement a security and awareness training program.

While the security awareness training should be ongoing, the only other times HIPAA training for healthcare administrators is necessary are when a risk assessment identifies a threat that could be mitigated by further training or when further training is a requirement of a corrective action plan.

Considering the roles and responsibilities of healthcare administrators, the level of mandated HIPAA training would appear to be insufficient for administrators to carry out their functions in compliance with HIPAA – increasing the risk of HIPAA violations, patient complaints, and OCR investigations.

Therefore, most compliance experts believe larger organizations should provide refresher training at least annually to help healthcare administrators work within the HIPAA regulations. In smaller organizations, refresher training may need to be outsourced and provided on a more frequent basis.

Addressing the Challenges of Providing Frequent Refresher Training

The provision of frequent refresher training alongside ongoing security awareness training can create logistical challenges for Covered Entities inasmuch as it is not practical to remove healthcare administrators from their roles for long periods of time – especially in smaller organizations where there may be no cover for an employee attending training.

These challenges can be overcome by providing refresher training in a modular format and delivering it online instead of in a classroom environment. While there can be advantages to classroom learning, modular online HIPAA training enables healthcare administrators to take modules as and when they have time in their busy schedules.

Modular training can also be used to overcome the challenge of new employees having different levels of HIPAA knowledge. Those whose degree courses did not include HIPAA studies can quickly raise their level of knowledge by taking the online modules in their spare time – thus providing context to policy and procedure training, which will help with retention and compliance.

HIPAA Training for Healthcare Administrators FAQs

If a healthcare administrator switches jobs to a new employer, do they have to undergo “new employee” training again?

Yes. In the same way as a new applicant may know about HIPAA, but not the Covered Entity's policies and procedures, a new employee with previous experience will also have to receive training on their new employer's policies and procedures.

Why might the nature of HIPAA training for healthcare administrators vary according to an organization's size?

This is because new employee training has to be provided “as necessary and appropriate for members of the workforce to carry out their functions within the Covered Entity”. In a large organization in which responsibilities are shared, a healthcare administrator may not have as many “functions” as an employee of a small organization.

What is the importance of Administrators in Training learning about computer safety rules?

Most Covered Entities implement technical measures such as access controls and automatic log-off to prevent unauthorized access to ePHI, but new employees also need to be conscious of what is on their computer screens and who can see it. Teaching Administrators in Training to ensure screens are not visible to the public is an important measure in preventing unauthorized access to ePHI.

How might further training be a requirement of a corrective action plan?

Each year, the HHS' Office for Civil Rights (OCR) receives in excess of 20,000 complaints – many of which are attributable to the failure to comply with patient access requests and unauthorized uses and disclosures of PHI. The complaints are most often resolved with technical assistance and a corrective action plan – which may involve the provision of further training.

When a healthcare administrator in a small organization fulfills the role of the HIPAA Privacy Officer, who trains the HIPAA Privacy Officer?

Covered Entities are required to appoint a Privacy Officer and Security Officer or assign the roles to an existing member of staff. In a small organization, it is quite possible a sole healthcare administrator may be assigned the role of Privacy Officer, in which case it may be necessary to outsource HIPAA training to a third-party company.