The issue of HIPAA training for managers is complex because, although the Security Rule states management must be included in security awareness training (45 CFR § 164.308), there is no guidance provided on what other areas of HIPAA managers should be trained on. However, there are many circumstances when a manager´s knowledge of HIPAA is essential for other members of the workforce to carry out their functions in compliance with HIPAA.
Managers are generally responsible for the actions of those they manage. Consequently, it is important managers are aware of what HIPAA training is being provided for members of the workforce under their control, and that they themselves are trained on the areas of HIPAA which their teams are required to comply with to carry out their functions. This should be the case whether managers are directly involved in the workforces´ functions or not.
HIPAA Training for Managers Should Cover More
Consequently, HIPAA training for managers may need to go beyond security awareness training and cover areas of the Privacy Rule and Breach Notification Rule in addition to other areas of the Security Rule. Furthermore, as managers may be required to provide answers to questions from workforce members outside their teams, it is recommended management HIPAA training covers more than the functions of the teams they manage when appropriate.
For example, one of the implementation specifications for the Workforce Security Standard states Covered Entities and Business Associates must implement procedures for the authorization and supervision of workforce members who work with ePHI or in locations where it might be accessed. Consequently, the manager of a location in which ePHI is accessed may need to be aware of the functions of workforce members from other locations where ePHI is not accessible.
Sometimes Why Can be More Important than What
The requirement for management to be included in security awareness training falls within the Administrative Safeguards of the Security Rule. Within the same Safeguards, Covered Entities and Business Associates are required to implement policies and procedures for authorizing access to ePHI that are consistent with the requirements of the Privacy Rule. This means there will be times when access to ePHI is denied to workforce members – or limited – due to the Privacy Rule.
For workforce members to fully understand and comply with the policies and procedures, it is important to know why they have been implemented. If a member of the workforce asks a manager why access to parts of the IT system have been denied or limited, it is better to answer with an accurate explanation of allowable uses and disclosures rather than just reply “HIPAA”. For this reason, management HIPAA training should always include the basics of the Privacy Rule.
Other Areas to Include in Management HIPAA Training
Other areas to include in HIPAA management training may depend on the nature of the work done within a manager´s team and the seniority of the manager themselves. Nonetheless, in addition to allowable uses and disclosures and the basics of the Privacy Rule, HIPAA training for managers should include a timeline of HIPAA and the main regulatory rules so policies and procedures can be explained to members of the workforce in context.
With regards to refresher HIPAA training for managers, policies and procedures relating to the Breach Notification Rule should always be included. There may be times when workforce members forget or overlook their training on Breach Notification policies and procedures; and, in these circumstances, managers may be required to step up and lead the containment and mitigation efforts before handing over to a compliance manager for post-event analysis.
How to Design HIPAA Training for Managers
The complexity of HIPAA training for managers not only relates to determining what areas of HIPAA should be covered in management HIPAA training, but also how training courses should be designed. While a security awareness training program will be equally relevant to all workforce members and managers, some managers may need to know more about the HIPAA Privacy Rule and Breach Notification Rule than others, who may require a deeper knowledge of the Security Rule.
It is impractical to design a “one-size-fits-all” HIPAA training course for managers because some of the content will be irrelevant to some managers, while over parts of the training course may not go into required areas of knowledge sufficiently deeply for managers to organize and lead their teams. Consequently, the effectiveness of the training will be mitigated, while the length of time managers spend away from their roles unnecessarily may impact the performance of their teams.
The solution to these issues is to design HIPAA training for managers in a modular format so that only those modules which are relevant to specific managers need to be included in specific training sessions. Using training modules reduces the cost of training and the time it takes to train managers – or provide refresher training – to ensure managers have the knowledge they need to enable other members of the workforce to carry out their functions in compliance with HIPAA.
HIPAA Training for Managers FAQs
Wouldn´t it be easier for managers to just sit in on training provided to other members of the workforce?
While that is an option, if your organization runs different training courses for different departments on different days (i.e., nursing on Monday, IT on Tuesday, administration on Wednesday, etc.), managers could be in training every day and only part of each day´s training might be relevant to managing their teams (which they would have less time to do because they are always in training).
Why might a manager working for a Business Associate need to know about the Privacy Rule?
The Privacy Rule includes several standards that Business Associates may have to comply with. For example, Business Associates processing patient data on behalf of a Covered Entity may be subject to rules relating to patients´ rights and allowable disclosures, and – if the Business Associate subcontracts work to third parties – the Minimum Necessary Standard.
Do all members of a Business Associate´s workforce have to undergo security awareness training if they have no interaction with ePHI?
Yes. The Security Rule states “[Covered Entities and Business Associates must] implement a security awareness and training program for all members of its workforce including management.” (“All” italicized for emphasis). The reason that all members of the workforce have to be included in a security awareness training program is that cybercriminals may be able to infiltrate a network via a member of the workforce who has no interaction with ePHI, and then move laterally through the network until they can access databases storing ePHI.
How does modular training save time and money when you might need to organize multiple training sessions to accommodate each manager´s circumstances?
Modular HIPAA training for managers does not have to be conducted in a classroom setting. It can be conducted online or via a hybrid of classroom and online. If it suits the organization better, all the necessary training can be conducted online. However, it may be beneficial to managers if some common modules are presented in a classroom setting – for example the basics of the Privacy Rule.
Who keeps track of what HIPAA training managers have received?
As the documentation of training is a requirement of HIPAA, the HIPAA Privacy Officer has the ultimate responsibility to keep track of what HIPAA training managers have received. However, if a Covered Entity or Business Associate has a large workforce, the documentation of training may be a function of the training or HR team.
Can HIPAA training for managers be incorporated into other types of training?
Absolutely. If – for example – you are training managers on a new piece of software, it can be beneficial to explain how the software supports HIPAA compliance or why HIPAA doesn´t apply (if the software is not going to be used for creating, storing, processing, or transmitting ePHI). Similarly, it is easy to incorporate HIPAA training into other compliance training (i.e., HB 300 training) or online security training (i.e., password management training).
