HIPAA Training Requirements

The Health Insurance Portability and Accountability Act (HIPAA) is a federal statute enacted in 1996 with the primary objectives of modernizing the flow of healthcare information, addressing limitations of healthcare insurance coverage, and protecting healthcare data from theft and fraud.

With regards to protecting healthcare data from theft and fraud, Covered Entities are required under the HIPAA Privacy Rule to develop policies and procedures that protect individually identifiable health information against unauthorized access, use, disclosure, modification, or destruction (hereafter referred to as Protected Health Information or PHI).

It is a further requirement of the Privacy Rule that Covered Entities train members of their workforces on policies and procedures relating to PHI and how to report a breach of unsecured PHI; while the Security Rule states Covered Entities and Business Associates must implement a security awareness and training program for all members of the workforce. The failure to comply with the HIPAA training requirements is a violation of HIPAA.

Although not directly stipulated by the HIPAA Privacy Rule, Business Associates should also provide HIPAA training to employees in order that they can deliver a compliant service to the Covered Entity. Covered Entities are required to conduct due diligence on Business Associates and other Covered Entities with whom they share PHI, and it is important for service providers to have a trained and compliant workforce.

What Training is Required Under HIPAA?

Other than the HIPAA training requirements to implement a security awareness and training program and document the training, the Act states training must be provided within a reasonable period of time of a new employee joining a covered entity´s workforce and “as necessary and appropriate for the members of the workforce to carry out their functions”.

This flexible approach to the HIPAA training requirements implies there is no one-size-fits-all HIPAA training curriculum. However, although HIPAA training for healthcare professionals will not be the same as HIPAA training for healthcare administrators nor the same as HIPAA training for healthcare students, there are some fundamental areas of HIPAA all employees need to be aware of to better understand the scope of the Act and provide context for subsequent role-based training.

Furthermore, there are some areas of the HIPAA training requirements that will be the same regardless of an employee´s function – for example, understanding what unauthorized disclosures are, what impact the technical, administrative, and physical safeguards of the Security Rule have on using personal devices, and what sanctions apply for violating HIPAA policies and procedures.

Consequently, the most effective way for Covered Entities and Business Associates to comply with the HIPAA training requirements is to provide basic HIPAA training to all employees and supplement the basic training with comprehensive training and HIPAA refresher training according to employees´ roles, responsibilities, and functions whenever “necessary and appropriate”.

Basic HIPAA Training

Basic training covers the fundamental areas of HIPAA employees need to be aware of and areas of HIPAA which are the same regardless of an employee´s function. In this respect the HIPAA training curriculum suggested below can be used as a foundation course for new employees (provided it is supplemented with role-based training) or as HIPAA refresher training.

HIPAA Overview

What is HIPAA? – The most fundamental part of the course. It is good to start with a general overview of the Act to ensure all employees have the same understanding of the purpose of the Act, what its objectives are, and who it applies to.

HIPAA Definition and Lexicon

HIPAA is a piece of legal documentation. Consequently, it is written with terminology that may be unfamiliar to healthcare professionals. Before undergoing further training, employees should understand the most common terms they will encounter in subsequent modules.

The HITECH Act

The HITECH Act had a significant impact on how HIPAA is enforced so it is important employees are aware of sections of the Act that apply to their roles. For example, HITECH was the springboard for the Meaningful Use program which drove the adoption of technology in the healthcare industry,

The Main HIPAA Regulatory Rules

Since HIPAA was enacted, five sets of Rules have been added to the legislation. While it is unlikely most employees will ever need to know the intricacies of the Enforcement Rule or the Breach Notification Rule, the content of other three Rules should be explained in detail.

HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule implemented provisions of the HITECH Act to strengthen existing privacy and security protections. It also made business associates and their subcontractors directly liable for their own compliance with HIPAA – and directly liable for violations of HIPAA.

HIPAA Privacy Rule Basics

The Privacy Rule was the first HIPAA Rule. It defined PHI and stipulated how covered entities and business associates should safeguard it. The Privacy Rule also includes the Minimum Necessary Standard which limits allowable disclosures of PHI to the minimum necessary.

HIPAA Security Rule Basics

For the majority of employees, the technical, administrative, and physical safeguards of the Security Rule will impact practically every area of their day-to-day routines. This module of basic training should be supplemented with modules from the suggested comprehensive training modules below.

HIPAA Patient Rights

Training about patients´ rights should go beyond the regulations related to patient access to PHI and include dealing with children and minors, decision-making by legal guardians, and alerting Child Services in cases of abuse and neglect.

HIPAA Disclosure Rules

The HIPAA disclosure rules are another of the areas of HIPAA that apply to all employees in whatever function they perform, but front line healthcare employees may require more than an overview of the rules to help them perform their functions in compliance with HIPAA.

HIPAA Violation Consequences

HIPAA violations can have consequences for patients, organizations, and the personnel who work for them. Therefore, it is recommended employees are made aware of the consequences of failing to comply with HIPAA and reminded of the covered entity´s employee sanction policy.

Preventing HIPAA Violations

This module can be used as an overview of HIPAA best practices to provide context for subsequent role-based training or tailored to specific roles in order to be more relevant to groups of employees – particularly front line personnel who may be more exposed to potential HIPAA violations.

Being a HIPAA Compliant Employee

An appropriate refresher module, the training on being a HIPAA compliant employee can summarize what has been discussed previously, include general do´s and don´ts, or focus on specific roles similar to the previous module. This module should include policies for reporting HIPAA violations.

Comprehensive HIPAA Training

The basic HIPAA training course provides employees with the fundamentals of HIPAA, but more comprehensive training is often necessary for employees to apply the fundamentals in real-life situations. The following curriculum can be tailored according to employees´ roles and refreshed to meet the HIPAA training requirements whenever “functions are affected by a material change”.

HIPAA Timeline

A HIPAA timeline module can help employees better understand the objectives of HIPAA by explaining the background to the HIPAA Rules and why the Rules were introduced when they were. The module can also mention that HIPAA is constantly evolving to meet emerging challenges.

Threats to Patient Data

This should be a comprehensive module that explains both the cyberthreats to patient data and the physical threats such as leaving mobile devices unattended, positioning workstations in public view, and failing to safeguard hard copies of patient data.

Computer Safety Rules

Covered entities should already have mechanisms in place to protect computers, removable media, and the data they maintain. However, it is important for employees to know how to use these mechanisms in compliance with HIPAA and not try to circumnavigate them “to get the job done”.

HIPAA and Social Media

Healthcare professionals have to be particularly careful with how they use social media because it is very easy to disclose PHI on social networks. A social media module should provide tips on how to avoid inadvertent HIPAA violations and best practices for managing accounts safely.

HIPAA and Emergency Situations

In some emergency situations, disclosures of PHI beyond what is normally allowed may be permitted for public health purposes. It may also be the case the Office for Civil Rights waives certain elements of HIPAA to remove obstacles to the flow of healthcare information.

HIPAA Officer

It is important for employees to know who their HIPAA Officer is and what the Officer´s roles and responsibilities are. For this reason, it is recommended to have a HIPAA Officer presenting this module so employees can put a name to a face and ask questions.

HIPAA Compliance Checklist

Although a HIPAA compliance checklist is most often a huge document used by HIPAA Officers and IT managers to avoid oversights, a checklist can also be used to test employee understanding of the HIPAA Rules as the Rules apply to their roles.

Recent HIPAA Updates

As mentioned previously, HIPAA is an evolving Act of legislation that has been updated in the past – and will be updated in the future – to meet emerging challenges. If there has been a HIPAA update since training was last provided, this is an essential module.

Texas Medical Privacy Act and HB 300

The Texas Medical Privacy Act and HB 300 applies to all covered entities that create, use, maintain, or transmit the PHI of a Texas resident – regardless of where the covered entity is located – and therefore may apply to HIPAA covered organizations outside of Texas.

Cybersecurity Dangers for Healthcare Employees

Healthcare data is highly sought after by cybercriminals, and it is vital that employees are aware of cybersecurity best practices for mitigating the risk of a data breach. Topics covered in this module should include password management and phishing susceptibility.

How to Protect PHI from Cyber Threats

Beyond password management and phishing susceptibility, there are many other ways to protect PHI from cyber threats. This module should include topics such as multi-factor authentication, access controls, and network monitoring.

HIPAA Training for Healthcare Students

Healthcare students should be provided with HIPAA training before they start working with patients and accessing and updating patient records. However, because it is not always known what areas of healthcare students will graduate into, HIPAA training for healthcare students needs to cover a little of everything. Therefore, a HIPAA training curriculum for students might include all these modules:

  • HIPAA Timeline
  • HIPAA Overview
  • Definitions and Lexicon
  • The HITECH Act
  • The Main HIPAA Regulatory Rules
  • HIPAA Omnibus Final Rule
  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • Patients´ Rights
  • PHI Disclosure Guidelines
  • HIPAA and Social Media
  • Threats to Patient Data
  • Computer Safety Rules
  • HIPAA Violation Consequences
  • Preventing HIPAA Violations
  • HIPAA in an Emergency
  • The HIPAA Officer
  • Recent HIPAA Updates

Electronic Health Record Access by Healthcare Students

During their training, healthcare students may be permitted to access EHRs under supervision. It is important students know what they can and cannot do with patient PHI under HIPAA, and also that it is a violation of HIPAA to use another person´s EHR login credentials to access patient PHI.

PHI & Student Reports and Projects

Students need to be aware that, when writing reports, preparing case studies, or giving presentations, they are unable to use PHI unless the patient has given their informed consent, or the PHI is de-identified by removing any identifiers that make the health information “protected”.

Being a HIPAA Compliant Student

It is a student´s responsibility to understand the covered entity´s HIPAA policies and procedures and comply with them just as if they were a healthcare professional. They also need to know how to identify a violation of HIPAA and who to report the violation to.

How Often is HIPAA Training Required?

Neither the Privacy Rule nor the Security Rule provide guidelines about the frequency of HIPAA training other than stating new employees should receive training “within a reasonable period of time” of joining a covered entity´s workforce, while further training is necessary whenever employee functions “are affected by a material change” – again within a reasonable period of time.

However, the regulation stipulating that training should be provided “as necessary and appropriate” implies that if a need for training is identified (i.e., after a risk assessment or patient complaint), the training should be provided sooner rather than later. For this reason, it is a best practice to schedule periodic refresher training on both the HIPAA Privacy Rule and the HIPAA Security Rule.

HIPAA Training Requirements: FAQs

Has the HHS’ Office for Civil Rights imposed fines for inadequate training?

Yes. In 2020, OCR imposed a $1.5 million fine on Athens Orthopedic Clinic to resolve multiple HIPAA violations including the failure to provide HIPAA Privacy Rule training to workforce members and Agape Health Services was fined $25,000 for HIPAA violations including not providing security awareness training to employees.

What is the most important aspect of HIPAA training?

You must naturally provide training on all aspects of HIPAA that are appropriate to the role of each employee. The most important element is making employees understand why HIPAA is important and why HIPAA Rules must be followed. Employees need to care about compliance, or they will not apply the knowledge they receive in training to their work duties.

How targeted must HIPAA training be to the role of each individual?

Role-based training is important for teaching individuals about aspects of HIPAA that are appropriate to their jobs. For instance, there is no point training nurses on issuing breach notification letters when they will not be responsible for sending them. Modular training courses make this easy. You can pick the appropriate aspects of HIPAA for training different groups of employees.

Do I need to provide security awareness training to the C-Suite?

Absolutely. The credentials of C-Suite members are extremely valuable to cybercriminals and C-Suite members are frequently targeted in phishing campaigns. It is important for everyone to receive security awareness training if they have access to a computer, including members of the IT department.

Is annual security awareness training enough?

In addition to providing periodic security awareness training, consider providing regular updates on email about cybersecurity to keep it fresh in the mind and to alert employees about new threats they may encounter. You could send a monthly or quarterly cybersecurity newsletter in addition to providing annual security awareness training or send alerts in response to specific threats targeting healthcare employees.

How long is HIPAA training?

Because HIPAA compliance is ongoing, HIPAA training should also be ongoing – with periodic refresher training on the Privacy Rule supporting the ongoing security and awareness training program required by the Security Rule. In terms of individual training sessions, these should last no longer than an hour to ensure the content of the training is retained.

How often does HIPAA training need to be completed?

Covered Entity´s workforces need to complete policy and procedure training when they first start working for the Covered Entity. Thereafter, the frequency of HIPAA training is governed by changes to policies and procedures, risk assessments, and corrective action plans. Covered Entities also have to maintain a security and awareness training program for all members of the workforce.

Why is HIPAA training necessary?

The reason for undergoing HIPAA training is so that employees, students, and volunteers understand why protecting patient data from unauthorized uses and disclosures is crucial to the organization they work for, for the patients they care for, and for themselves. In some cases, the failure to comply with lessons learned in HIPAA training can end an individual´s career.

What information would you include in a HIPAA handout training session?

While the content of handouts should reflect the area of HIPAA being discussed in the training session, it is always a good idea to remind attendees of the eighteen PHI identifiers, the most common causes of HIPAA violations (unauthorized disclosures, the Minimum Necessary Standard, and patient access requests), and the organization´s sanctions policy for violations of HIPAA.

How long is HIPAA training valid?

As a member of a Covered Entity´s or Business Associate´s workforce, what you learn in HIPAA training is valid until there is a change to policies and procedures, until a risk assessment identifies a need for additional training, or until you change jobs and work for another Covered Entity or Business Associate (because each Covered Entity and Business Associate is required to develop unique policies and procedures, and you will need to be trained on your new employer´s policies).

What is the best way to compile an orientation for HIPAA training?

An orientation for HIPAA training is usually a pre-training exercise for familiarizing trainees with the basics of HIPAA. As you may not know what level of knowledge each trainee has, it can be beneficial to compile an orientation using the modules suggested above in order to ensure everyone has the same level of basic knowledge. This will not only create a level playing field for training, but it will also help put the content of subsequent training into context.

How long must security awareness and training records on HIPAA be maintained?

The implementation specification relating to documentation states records have to be maintained for six years from the date of their creation or from the date in which they were last in effect – whichever is the later. Due to security awareness training being an ongoing program, it will be necessary for Covered Entities and Business Associates to implement some form of version control to maintain records in order for each employee during their lifecycle.

What training could a healthcare manager put in place to prevent medical record HIPAA violations?

If training is being provided to mitigate the risk of medical record HIPAA violations, it would be wise to include a selection of the relevant modules listed above – for example Privacy Rule Basics, Disclosure Rules, and Computer Safety Rules. If medical record HIPAA violations are already occurring, and the cause of the violations is known, the training should focus on the actions that are causing the violations and the consequences of HIPAA violations.

What does security awareness training mean in HIPAA Administrative Safeguards?

To best understand the meaning of security awareness training, you need to read the individual standard in the context of the Administrative Safeguards. These start with the requirement to “implement policies and procedures to prevent, detect, contain, and correct security violations”, and therefore security awareness training should concentrate on preventing data breaches, reporting data breaches when they occur, and correcting errors that result in security violations.

Who should have HIPAA training?

All members of a Covered Entity´s or Business Associate´s workforce should have HIPAA training – the definition of workforce being “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.”