What Training is Required Under HIPAA?

The Health Insurance Portability and Accountability Act, better known as HIPAA, is one of the principal laws regulating the healthcare industry in the United States, but what are the training requirements for staff under HIPAA?

Due to the complex nature of HIPAA, no one can reasonably be asked to work with data or other elements subject to HIPAA Rules without first receiving appropriate training. The Act itself takes this into account and states in two different sections that training for staff is mandatory. For such a broad piece of legislation, with various exceptions and special cases, the risk that untrained individuals would make a mistake that jeopardizes the information security of potentially millions of patients is too great to leave training as a voluntary step.

Perhaps somewhat contradictory to this attitude towards risk reduction is the level of detail given in the text of the Act on exactly what training is to be given, and how it should be conducted. To put it bluntly, not a lot of information is given. The HIPAA Privacy Rule only states that training should be given “as necessary and appropriate for members of the workforce to carry out their functions”, while the HIPAA Security Rule has a similarly vague statement remarking that covered entities and their business associates should “implement a security awareness and training program for all members of the workforce”.

Won’t This Lead to Confusion and Compliance Issues?

At first, this approach may seem a bit lax – training has to be provided but the areas and subjects are not defined, nor are the levels of knowledge that trained staff must be shown to possess. However, given the evolution of the healthcare environment and the breadth of HIPAA’s scope, it makes sense to not try to regulate this area too closely. Indeed, the lack of specifics allows healthcare organizations a greater deal of flexibility in the systems they use and other vital aspects of how they conduct their business.

No one should be better positioned to determine appropriate training for staff on various components of a covered entity’s systems or procedures than the covered entity itself. If the Department of Health and Human Services’ Office for Civil Rights (OCR) had to review and design training for every system or organization, they would quite probably lack the resources to do anything else.

This approach also puts a certain onus on the covered entity. Should a breach occur and it is discovered that staff had not been given any training, it is quite likely that they organization would be liable and subject to penalties from the OCR. If, on the other hand, the covered entity or business associate can show that they have a sufficiently robust training program in place that had been followed, the breach may be seen in a better light as a result of an accident and not as a result of negligence on the part of the entity.

But how can a covered entity determine what training is “necessary and appropriate”? A key tool that the organization can refer to when determining their requirements and designing their training program is their risk assessment report. As part of this assessment, the roles and responsibilities of individual staff members of every level should have been cataloged, with the different risks estimated on the basis of the data being handled or the function being executed. When starting with this information, the “necessary and appropriate” training should be much easier to identify and design.

It is more than likely that the different functions will require training in different areas. Covered entities should resist the temptation to implement a “one-size-fits-all” approach and should instead minutely examine who would benefit from what training in order to keep things as relevant as possible to employees’ roles. While designing multiple modules would initially take more time, the long term efficiency benefits would far outweigh any short term gains.

Imagine, if you will, that every staff member had to sit through a day long training session where only some parts relevant to their role were interspersed irregularly throughout the presentations. First of all, we can easily see that employees would be wasting time learning information that is not relevant to their duties – time that would more efficiently be spent performing their job. Secondly, such a long session is likely to result in employees not paying attention, even despite best their intentions. Thirdly, it is a recipe for confusion; employees who receive training that is irrelevant to their function may incorrectly apply procedures or information they learned during the session to situations where it is not appropriate.

Training and HIPAA Compliance: Some Best Practices

For training to be successful, we advise that it should be as relevant as possible to the employee’s role. For efficiency, try to strike a healthy balance in the number of modules between individual sessions for every employee and a single session for everyone. We also advise that sessions should be kept short, but held regularly. Information retention is likely to be higher following classes of about 40 minutes every month or few weeks as opposed to one three-hour session every quarter.

Given the short duration of the sessions, we advise you to focus on the vital information only – avoid filler such as the background of HIPAA or other “nice to have” details. Also, avoid lecture like sessions where the text of the law is dictated to employees – make the sessions active and the content relate-able.

Be sure to document the who, what, and when or your training. Auditors may need to see records that show the frequency, attendance, and content of sessions.

Finally, getting top management to buy-in, attend, and vocally support training will encourage buy-in from employees. It will also show them that the organization is taking it seriously – something that should be reinforced by sessions on the consequences of HIPAA breaches for companies, employees, and patients.