It is easy to understand why Covered Entities and Business Associates might assume HIPAA training for IT professionals only needs to consist of the security and awareness training required by the HIPAA Security Rule. However, there are many circumstances in which the provision of security and awareness training alone might not prevent a foreseeable HIPAA violation.
Determining what elements of HIPAA IT professionals need to receive training on can be complicated. As members of a Covered Entity's or Business Associate's workforce, all IT professionals – whether employees, contractors, or third-party service providers working under the entity's direct control – must undergo security and awareness training, because the Security Rule requires it for every workforce member.
In addition, members of a Covered Entity's workforce must be trained on the policies and procedures the Covered Entity has developed to protect PHI against unauthorized uses and disclosures. The training must be relevant to each individual's “functions”, and the requirement applies to every member of a Covered Entity's workforce with access to PHI – whether electronic PHI (ePHI), physical PHI, or oral PHI.
However, although IT professionals maintain the systems on which ePHI is stored, that does not necessarily mean their functions require access to PHI. Under the Privacy Rule, the only justifiable reasons a workforce member would have for accessing PHI are to support treatment, payment, and health care operations, to respond to a patient access request, or to fulfil a “public interest activity” (e.g., law enforcement requests, HHS audits). In many cases, these reasons do not fall within IT professionals' “functions”.
Is Privacy Rule Training Required for IT Professionals?
Even when they have no access to PHI, IT professionals should still receive training on Privacy Rule basics, because every member of a Covered Entity's workforce needs a working knowledge of the HIPAA disclosure rules, patients' rights, physical workstation security rules, and what to do if they witness a HIPAA violation. If – for example – an IT professional is not aware of the HIPAA disclosure rules, how can they comply with them?
Consequently, the content of Privacy Rule training for IT professionals should be governed by a risk assessment. The risk assessment should cover not only what PHI an IT professional might inadvertently encounter when performing their functions (e.g., physical PHI left beside workstations, oral PHI overheard in a canteen), but also the reasons why policies and procedures have been developed to protect PHI against unauthorized uses and disclosures.
Explaining topics such as the background to HIPAA, the consequences of HIPAA violations, and protecting ePHI from cybersecurity threats helps IT professionals understand HIPAA and put policies and procedures into context. It also makes them more conscious of IT failings that could expose healthcare and payment data to the outside world (e.g., unencrypted cloud storage volumes, disabled 2FA, automatic logoff switched off).
How Best to Provide HIPAA Training for IT Professionals
Because there will be cases in which some IT professionals have access to PHI and others do not, there is no one-size-fits-all HIPAA training for IT professionals. To overcome this, Covered Entities should provide training in modules covering topics determined by a risk assessment. This gives every IT professional a grounding in Privacy Rule and Security Rule basics, while further modules can be provided to those who require training on specific topics.
Modular HIPAA training for IT professionals suits not only Privacy Rule training but also security and awareness training, in cases where some IT professionals have elevated privileges on systems maintaining ePHI. Modules are also easier to adapt to regulatory changes, to material changes in a Covered Entity's policies and procedures (in which case refresher training is required by the HIPAA Privacy Rule), and to the more stringent state laws that take precedence over HIPAA.
A further advantage of modular HIPAA training for IT professionals is that it can be delivered online so that IT professionals can be trained individually. It is then unnecessary to disrupt the operations of an entire IT team by providing HIPAA training to everyone simultaneously. Instead, each member of the Covered Entity's IT workforce (and of a Business Associate's IT workforce, if necessary) can complete the training requirements when time allows.
HIPAA Training for IT Professionals FAQs
Why might an IT professional with no access to ePHI require HIPAA training?
Although an IT professional might have no access to ePHI in their day-to-day functions for a Covered Entity, there may be occasions when they see or hear information about a patient and subsequently disclose it (e.g., orally or via social media). The unauthorized disclosure of PHI is a violation of HIPAA even if the IT professional did not know they were not supposed to share patient information. HIPAA training for IT professionals – even those with no access to ePHI – can prevent this type of violation.
If an IT professional has received HIPAA training in a role for a previous employer, is it necessary to provide it again?
Yes. The training an IT professional received in their previous position is unlikely to be the same as the training required in their new position. Training has to be provided on the policies and procedures developed by each Covered Entity or Business Associate, and – because the content of training is also determined by a risk assessment – policies and procedures vary considerably among Covered Entities and Business Associates.
Is it necessary to document HIPAA security and awareness training?
Although the documentation requirement in 45 CFR § 164.530 applies on its face only to HIPAA Privacy Rule training, it is a good idea to document all training. If HHS conducts an inspection, audit, or investigation, it may be necessary to show that a Covered Entity or Business Associate identified a risk to the security of ePHI and took steps, such as training, to mitigate it.
Should HIPAA Privacy Rule training be limited to policies and procedures?
No. While training IT professionals on policies and procedures ticks the box for delivering training, it is beneficial to provide context, such as why the policies and procedures exist and what their objectives are. Furthermore, because the content of training can also be determined by a risk assessment, it can be helpful to provide an overview of HIPAA with information about the main regulatory rules and the threats to ePHI that IT users will encounter.
How often should refresher training be provided?
HIPAA states that refresher training must be provided when workforce members' “functions are affected by a material change in policies and procedures”, and then only to the members of the workforce whose functions are affected by the material change. Beyond that, the frequency of Privacy Rule refresher training should be determined by periodic risk assessments (e.g., at least annually), while the security and awareness training required by the Security Rule should be an ongoing program.
Whose responsibility is it to provide HIPAA training for IT Professionals?
Covered Entities are required to appoint a Privacy Officer and a Security Officer who are responsible for developing HIPAA-compliant policies and procedures and conducting risk assessments (Business Associates are only required to appoint a Security Officer). Although these officials do not have to personally deliver HIPAA training, it is their responsibility to ensure the HIPAA training requirements are met.