Most Covered Entities are aware that HIPAA training for new staff is a requirement of the Privacy Rule. However, there can be gaps in a Covered Entity's understanding of which new staff require training, how much training should be provided to meet the training requirements, and whether an employee who has undergone training in a previous job needs to be trained again.
It is no surprise some Covered Entities may have gaps in their understanding about HIPAA training for new staff due to the “flexible language” of the HIPAA Privacy Rule. For example, with regards to the Privacy Rule Training Standard, the implementation specification relating to HIPAA training for new staff states: “A Covered Entity must provide training […] to each new member of the workforce within a reasonable period of time after the person joins the Covered Entity's workforce”.
While this implementation specification appears straightforward and suggests HIPAA training for all new staff is mandatory, that's not the case when you put the implementation specification in the context of paragraph (b)(1) of the Administrative Requirements. This paragraph states:
“A Covered Entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity.”
In the context of paragraph (b)(1) of the Administrative Requirements, it could be argued that HIPAA training for new staff only needs to be provided to new members of the workforce who access PHI “to carry out their functions”. Furthermore, it could also be argued that training only has to be on the policies and procedures developed by the Covered Entity to comply with the Administrative Safeguards (“this subpart”) and the Breach Notification Rule (“subpart D”).
Strictly speaking these interpretations are correct. However, following them to the letter will not result in a HIPAA compliant workforce. This is because, although a Covered Entity providing the minimum level of HIPAA training for new staff who meet the qualification criteria “ticks the box”, there are multiple scenarios in which unauthorized uses and disclosures of PHI could still occur. For this reason, it is recommended “necessary and appropriate” training is provided for all new staff.
Why All New Staff Should Have HIPAA Training
Under HIPAA, a member of a Covered Entity's workforce is any employee, volunteer, student, contractor, or other person whose work for a Covered Entity is under the control of the Covered Entity. This means all new staff – whether they are paid or not by the Covered Entity – qualify as a member of the Covered Entity's workforce. But does this mean every new employee, volunteer, student, contractor, or other person has to undergo HIPAA training for new staff?
If you follow the literal interpretation of the Privacy Rule Administrative Requirements provided above, the answer is “no” – you only have to provide HIPAA training for new staff on the policies and procedures that relate to their access to PHI. However, the Administrative Safeguards of the Security Rule (45 CFR § 164.308) require Covered Entities to conduct “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI”.
Although this requirement applies to electronic PHI (ePHI), the same process should be applied when assessing the potential risks to non-electronic PHI. If, for example, a new member of the workforce whose functions do not require access to PHI (so who doesn´t qualify for training under the literal interpretation of the Administrative Requirements) posted on social media that sports star “A” was a patient at the medical facility in which they worked, that would be a violation of HIPAA.
Violations of this nature are considered to be “reasonably anticipated threats”, and when they occur due to a lack of knowledge attributable to a lack of training, the Covered Entity is considered liable for the violation of HIPAA rather than the new member of the workforce. Consequently, all new members of a Covered Entity's workforce should be provided with some HIPAA training for new staff, while those with authorized access to PHI/ePHI will require more comprehensive training.
How Much Training is Enough to Meet the Training Requirements?
While it may be sufficient to train some members of the workforce on the basics of the Privacy Rule to prevent inadvertent disclosures, other members of the workforce – particularly public-facing employees, volunteers, and students – require more comprehensive training so they understand concepts such as patients' rights, allowable disclosures, and the Minimum Necessary Standard. All members of the workforce should also understand the Covered Entity's HIPAA sanctions policy.
Thereafter, rather than looking for answers to how much training is enough to meet the training requirements, Covered Entities should be looking to see what potential risks and vulnerabilities exist to the confidentiality, integrity, and availability of all types of PHI, and how much training is enough to mitigate the risks and vulnerabilities to an acceptable level. The answer to this question can only be determined by ongoing risk assessments and risk analyses.
In the context of HIPAA training for new staff, it is important new members of the workforce have a basic understanding of HIPAA at the earliest possible opportunity. Although the Privacy Rule Training Standard requires HIPAA training for new staff “within a reasonable period of time”, it would be negligent of a Covered Entity to provide a new member of the workforce with access to PHI without explaining what PHI is and the circumstances when it can be disclosed without prior patient consent.
Even if a new member of the workforce has undergone training in a previous job, it is important they are trained on the Covered Entity's policies and procedures in respect of PHI, as one Covered Entity's policies and procedures will likely differ from those of another Covered Entity. Although the new staff member will more likely understand the importance of safeguarding PHI, there may be considerable differences in the mechanisms put in place to support HIPAA compliance.
Security and Awareness HIPAA Training for New Staff
Compared to the “flexible language” of the Privacy Rule, the Administrative Safeguards of the Security Rule are quite clear in stipulating that Covered Entities AND Business Associates must “implement a security awareness training program for all members of the workforce”. The Security and Awareness Training Standard does not elaborate on what the training should consist of, but under the General Standards of the Security Rule, Covered Entities and Business Associates must:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the Privacy Rule).
(4) Ensure compliance with this subpart by its workforce.
Unlike the “within a reasonable period of time” stipulation of the Privacy Rule Training Standard, the Security and Awareness Training Standard does not require security and awareness HIPAA training for staff to be provided within any timeframe. Nonetheless, as mentioned previously, it would be negligent to provide a new member of the workforce with access to PHI/ePHI without explaining what PHI is and demonstrating the mechanisms put in place to support HIPAA compliance.
Consequently, it may be necessary to provide HIPAA training for new staff that simultaneously covers both the Privacy Rule Training Standard and the Security and Awareness Training Standard. This can be a lot of information for new members of the workforce to absorb, so it is important training is provided in such a manner that trainees find it easier to take in and retain – not only for their benefit, but also for the benefit of the Covered Entity or Business Associate providing training.
HB 300 and HIPAA Training for New Staff
HIPAA provides a “federal floor of privacy protections for individuals' individually identifiable health information” and preempts state laws unless state laws are “more stringent” and increase either the duties of Covered Entities or the rights of patients. One example of a state law having more stringent requirements than HIPAA is in Texas – where the Texas Medical Records Privacy Act and subsequent amendments in HB 300 expand the definition of a Covered Entity beyond that of HIPAA.
Under the Texas Medical Records Privacy Act, almost all organizations that “assemble, collect, analyze, use, evaluate, store, or transmit PHI [of a resident of Texas]” are considered to be Covered Entities. This includes public agencies, lawyers, schools (except records covered by FERPA), and organizations that maintain an Internet site. Naturally, it includes HIPAA-Covered Entities such as health plans, health care clearinghouses, and health care providers.
A feature of the Texas Medical Records Privacy Act is that an organization doesn't have to be located in Texas for the Act to apply. Any organization might be an HB 300 Covered Entity if it collects or maintains data about a Texas resident – even if the resident was outside of Texas when the data was collected. In these circumstances, HIPAA Covered Entities and Business Associates (who are now HB 300 Covered Entities) will have to provide HB 300 and HIPAA training for new staff.
Importantly, the time frame for providing HB 300 training is stipulated in the Texas Medical Records Privacy Act. Covered Entities only have ninety days in which to provide training for new staff – which must consist of the HIPAA Privacy Training Standard and the Security and Awareness Training Standard with areas of the two Standards replaced with HB 300 content where the Texas Medical Records Privacy Act has more stringent requirements.
Conclusion: Fulfilling Requirements vs Having a HIPAA Compliant Workforce
When a Covered Entity or Business Associate provides HIPAA training for new staff, they have the choice of providing the minimum level of training to “tick the box” or setting a benchmark that reflects the organization's commitment to HIPAA compliance. First impressions can count for a lot; and if an organization is making an effort to present HIPAA training that is understandable and relevant, there is a higher likelihood its workforce will comply with policies and procedures developed to safeguard PHI.
Having a HIPAA compliant workforce has multiple benefits. It can help reduce the number of patient complaints, contribute towards a patient safety culture, and positively influence a Covered Entity's HCAHPS rating. From a regulatory perspective, having a HIPAA compliant workforce can result in a reduction of HIPAA violations and data breaches, and reduce the likelihood of sanctions for non-compliance being issued by the Department of Health and Human Services' Office for Civil Rights.
However, providing different levels of HIPAA training for new staff with different training needs can be expensive and time-consuming. For this reason, it is recommended organizations take advantage of modular training packages in which modules can be mixed and matched to align with the trainees' requirements. This is not only a cost-efficient method of providing HIPAA training for new staff, but individual modules can be easily updated when material changes in policies and procedures occur – an event which requires organizations to provide refresher training.
HIPAA Training FAQs
Who is responsible for providing HIPAA training for new staff?
Covered Entities are required to appoint a HIPAA Privacy Officer and a HIPAA Security Officer, while Business Associates have to appoint a Security Officer (the roles can also be assigned to existing members of the workforce). Although the Privacy and Security Officers do not have to present HIPAA training for new staff personally, it is their responsibility to ensure all new members of the workforce receive training within a reasonable period of time.
Why would you train somebody on HIPAA who has no access to PHI?
Other than the example mentioned above of an employee posting the details of a patient on social media, there are many scenarios in which a member of the workforce might come across PHI that has not been secured – for example, paper records left on a desk. In these circumstances, the member of the workforce needs to understand what PHI is, why it should be secured, and who to report the inadvertent exposure of PHI to.
Some training courses suggest a background to HIPAA should be included. Why is that?
HIPAA is a complicated piece of legislation with a number of objectives. If the background to HIPAA is explained to new members of the workforce at the start of training, it adds context to subsequent training on (say) the Privacy Rule, Breach Notification Rule, and HITECH Act. The background information doesn't have to be extensive – just enough for trainees to understand why HIPAA was introduced and what issues it resolves.
What is a Covered Entity's sanctions policy?
The Administrative Requirements of the Privacy Rule stipulate that Covered Entities must have and apply appropriate sanctions against members of its workforce that fail to comply with the Covered Entity's HIPAA policies and procedures. The sanctions policy should explain the disciplinary process for non-compliance and what sanctions can be applied depending on the culpability of the individual and the severity of any violation or breach that results from the non-compliance.
Is the content of a security and awareness training program governed by the Security Rule?
No. The Security and Awareness Training Standard does not elaborate on what the training program should consist of. However, new members of the workforce are unlikely to be familiar with mechanisms put in place to comply with the Technical Safeguards of the Security Rule (IAM controls, auto logoff, etc.) and it is recommended a security and awareness training program includes training on these technologies along with Internet security best practices.