What Training is Required Under HIPAA?

The Health Insurance Portability and Accountability Act, better known as HIPAA, is one of the principal laws regulating the healthcare industry in the United States, but what are the training requirements for staff under HIPAA?

Due to the complex nature of HIPAA, no one can reasonably be asked to work with data or other elements subject to HIPAA Rules without first receiving appropriate training. The Act itself takes this into account and states in two different sections that training for staff is mandatory. For such a broad piece of legislation, with various exceptions and special cases, the risk that untrained individuals would make a mistake that jeopardizes the information security of potentially millions of patients is too great to leave training as a voluntary step.

Perhaps somewhat contradictory to this attitude towards risk reduction is the level of detail given in the text of the Act on exactly what training is to be given, and how it should be conducted. To put it bluntly, not a lot of information is provided. The HIPAA Privacy Rule only states that training should be given “as necessary and appropriate for members of the workforce to carry out their functions”, while the HIPAA Security Rule has a similarly vague statement remarking that covered entities and their business associates should “implement a security awareness and training program for all members of the workforce”.

Target Your HIPAA Training

At first glance, the training requirement might seem a little vague in that training has to be provided but the areas and subjects are not defined, nor are the levels of knowledge that trained staff must be shown to possess. However, given the evolution of the healthcare environment and the breadth of HIPAA’s scope, it makes sense to not try to regulate the specific training topics. This allows training to evolve with both changing regulations and also emerging concerns like social media. Indeed, the lack of specifics allows healthcare organizations a greater deal of flexibility in the systems they use and other vital aspects of how they conduct their business.

This flexible approach also puts a certain onus on the covered entity. Should a breach occur and it is discovered that staff had not been given training, it is quite likely that the organization would be liable and subject to penalties from OCR. If, on the other hand, the covered entity or business associate can show that a sufficiently robust training program is in place and has been followed, the breach may be seen in a better light, as the result of an accident rather than of negligence on the part of the entity.

But how can a covered entity determine what training is “necessary and appropriate”? A key tool that the organization can refer to when determining their requirements and designing their training program is their risk assessment report. As part of this assessment, the roles and responsibilities of individual staff members of every level should have been cataloged, with the different risks estimated on the basis of the data being handled or the function being executed. When starting with this information, the “necessary and appropriate” training should be much easier to identify and design.

It is more than likely that the different functions will require training in different areas. Covered entities should resist the temptation to implement a “one-size-fits-all” approach and should instead examine who would benefit from what type of training in order to keep things as relevant as possible to employees’ roles. While designing multiple training courses would initially take more time, the long-term efficiency benefits would far outweigh any extra initial costs.

Imagine, if you will, that every staff member had to sit through a day-long training session where only some parts are relevant to their role, with those parts interspersed irregularly throughout the presentations. First of all, we can easily see that employees would be wasting time learning information that is not relevant to their duties – time that would more efficiently be spent performing their job. Secondly, such a long session is likely to result in employees not paying attention, despite their best intentions. Thirdly, it is a recipe for confusion; employees who receive training that is irrelevant to their function may incorrectly apply procedures or information they learned during the session to situations where it is not appropriate. Therefore, HIPAA training for healthcare professionals is not the same as HIPAA training for healthcare administrators, which in turn is not the same as training for healthcare students.

Training and HIPAA Compliance: Some Best Practices

For training to be successful, we advise that it should be as relevant as possible to the employee’s role. For efficiency, try to strike a healthy balance in the number of modules between individual sessions for every employee and a single session for everyone. We also advise that sessions should be kept short, but held regularly. Information retention is likely to be higher following classes of about 40 minutes every month or every few weeks as opposed to one three-hour session every quarter.

Given the short duration of the sessions, we advise you to focus on the vital information only – avoid filler such as the background of HIPAA or other “nice to have” details. Also, avoid lecture-like sessions where the text of the law is dictated to employees – make the sessions active and the content relatable.

Be sure to document the who, what, and when of your training. Auditors may need to see records that show the frequency, attendance, and the content of sessions.

Finally, getting top management to buy in, attend, and vocally support training will encourage buy-in from employees. It will also show them that the organization is taking compliance seriously – something that should be reinforced by sessions on the consequences of HIPAA breaches for companies, employees, and patients.

HIPAA Compliance – Training Curriculum

Designing a training curriculum can be very difficult, and it is usually the case that many different curricula are needed for different employee roles. Such diversity can be a management nightmare, both financially and logistically. To help ease the burden, we offer a sample HIPAA Training Curriculum below. Each module is essentially self-contained, and the selection of modules offered on each training course can be tailored to the needs of the employee.

  1. Introduction to HIPAA and HIPAA Compliance – Most employees will have a good understanding of what HIPAA legislation means, but newer employees will certainly benefit from such an introductory module. Indeed, even more experienced employees will probably benefit from a refresher course.
    1. What is HIPAA? – The most fundamental part of the course, it is good to start with a general introduction to ensure that all employees are starting from the same basic understanding of privacy regulation. To make it more relevant, you could also include recent news stories concerning HIPAA violations.
    2. Applicability of HIPAA – As with all legislative acts, HIPAA has far-reaching implications and any organization that deals with health information will have to abide by its rules. However, there are many exceptions. It is good to give employees a broad overview of such exceptions.
    3. “HIPAA Dictionary” – HIPAA is a piece of legal documentation. Thus, it is dense with terminology and abbreviations. Before beginning on any other training, give employees a chance to learn the most common phrases that they will use in their day-to-day work.
  2. Covered Entities and their Duties – Most organizations offering HIPAA training courses will be classed as “covered entities”. This includes any organization that creates, stores, transfers, or otherwise accesses private health data.
    1. What are the roles of a CE? – CEs must be HIPAA-compliant, meaning they must maintain the integrity of all protected health information (PHI) that they access. They have other responsibilities too, such as ensuring patients can access their data.
    2. Example CEs – Hospitals, medical practitioners, insurers and healthcare clearinghouses are the most common types of CEs. However, there are some unusual cases. If employers partake in an Employee Assistance Program, they are “hybrid entities”. Thus, they must be HIPAA-compliant.
  3. Business Associates – As well as CEs, business associates are charged with protecting patient data. Employees must be aware of what can be considered a BA, and how to deal with them.
    1. Business Associate Agreements – When hiring a third party, the CE must ensure they sign a Business Associate Agreement. Required by HIPAA, a BAA charges the BA with maintaining the integrity of PHI in the same way as the CE. Employees that deal with BAs should be trained how to write and interpret a BAA.
    2. Types of Associate – CEs rarely carry out all data processing themselves. Thus, they hire BAs to perform specific tasks. Common BAs include IT managers, accountants, and consultants. If the third party will come across PHI, they are considered a BA.
  4. Protected Health Information – HIPAA’s Privacy Rule classifies certain types of information as “protected”, meaning that it must remain private. Only authorized personnel can access the information, and certain measures must be in place to safeguard the data.
    1. What is PHI? – Protected Health Information includes, but is not limited to, names, addresses, gender, medical history, credit card information and social security numbers. If a cybercriminal accesses any of this information, patients are left vulnerable to identity theft. Thus, employees must be able to identify this information and treat it accordingly.
  5. HIPAA Rules – Since HIPAA was enacted, several “rules” have been added to the HIPAA legislation. Though these address specific aspects of privacy legislation, much of the wording is quite vague. This is deliberate, as it allows the legislation to remain “timeless”.
    1. Privacy Rule – The Privacy Rule was the first part of HIPAA that defined PHI and instructed CEs and BAs on how to protect it. The Minimum Necessary Rule is also part of the Privacy Rule, and prevents an excess of information being given to different individuals.
    2. Security Rule – With electronic PHI (ePHI) having increasing importance, HIPAA needed to address ways to protect it. The Security Rule outlines the minimum safeguards (physical, technical and administrative) needed.
    3. Breach Notification Rule – If a breach occurs, certain actions must be taken to protect patients. Thus, HIPAA lays out what actions are to be taken by the CE to prevent or limit harm. Employees must be informed on how and when to notify the OCR, the media and patients.
    4. Enforcement Rule – All legislation needs to have some associated punishment. The consequences for HIPAA breaches are laid out in the Enforcement Rule, though the OCR and Department of Health and Human Services can alter punishments at their discretion.
    5. Omnibus Rule – The Omnibus Rule covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements for PHI. Nevertheless, employees should be given an overview of the rule and trained in specific areas as necessary.
  6. Password Policies – Many organizations are confused about HIPAA’s Password Requirements. They are considered to be “addressable requirements”, meaning that some form of protection must be in place that is at least as effective as passwords.
    1. Password strength – Changing passwords is debated among tech specialists, though most agree that passwords should contain a mix of upper- and lower-case characters, special characters and numbers. Longer passwords are preferable, and tricks such as the phrase technique can help ensure the memorability of passwords.
    2. Two-factor Authentication – Two-factor authentication has become increasingly important to protect against password breaches. Upon each login attempt, users are provided with a one-time generated passcode that only they can use. Understanding this technology can help employees choose the appropriate safeguards for PHI.
  7. Dealing with Children and Minors – Patients under the age of 18 are the most common exception to the HIPAA Rules. Employees should learn to deal with this patient category, as there are some different procedures for protecting and accessing data.
    1. Legal guardians – Usually, medical decisions will be made by the minor’s legal guardian. Any consent for access to data must also be given by these legal guardians. However, there may be some instances in which a court decides the guardian is unable to make decisions and appoints a new proxy guardian. Additionally, emancipated minors must be treated as legal adults.
    2. Difficult cases – Unfortunately, healthcare workers are often at the frontline when spotting and reporting cases of child abuse. If a CE believes that the patient has been abused, they may choose not to disclose health data to their legal guardian and instead contact Child Services, who will take over the case.
  8. Health Information Technology for Economic and Clinical Health Act – The HITECH Act was introduced in the late 2000s to help encourage healthcare providers to use electronic patient records. As it concerns patient health information, employees should be made aware of its reach.
    1. HITECH and HIPAA – The HITECH Act and HIPAA both relate to patient data and patient privacy. The HITECH Act is seen as a reinforcement of HIPAA, with a special focus on digital health records and the meaningful use of collected data.
  9. Threats to Patient Privacy – There are many threats – both internal and external – to the integrity of patient data. Employees should be made aware of these threats so that they can be identified and addressed.
    1. Cybercrime – An increasing number of cybercriminals are choosing to target healthcare data. This can be via phishing emails, malware or hacking. Employees should receive thorough training on how to identify suspect emails.
    2. Human error – The second major threat to PHI integrity: employees making simple mistakes – such as leaving cabinets unlocked – can leave patients at risk from fraud. Employees must be trained in how to enact appropriate safeguards and prevent mistakes from being made.
  10. Penalties for non-compliance – As outlined above in the Enforcement Rule, HIPAA non-compliance has severe penalties. These should be outlined to employees as a deterrent mechanism, highlighting the importance of compliance.
    1. Financial Penalties – There are two types of financial penalties: administrative or personal. The administrative fines range from $50,000 to $2.5 million and are levied against the negligent organization. By contrast, personal fines are for individuals who were HIPAA non-compliant. If it was deemed that there was malicious intent behind the non-compliance, individuals may face fines of up to $250,000.
    2. Jail terms – In severe cases, the OCR may seek judicial remedies to HIPAA violations. This may result in a jail term of up to 10 years.

HIPAA Training – Conclusion

All employees that deal with PHI should be trained in HIPAA compliance. Given the extensive nature of HIPAA documentation, the training should be aligned to the employee’s role within the company. The above curriculum is a good starting place from which such training courses can be developed, helping to minimize the risk of HIPAA breaches and avoid any resulting penalties.

Refresher HIPAA Training

All healthcare employees with access to PHI should receive initial HIPAA training appropriate to their position and role, but training cannot be a one-time event. HIPAA states that further training must be provided to “each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures,” and for refresher training to be provided periodically. If HIPAA refresher training is not provided, employees may forget about certain HIPAA requirements which could easily lead to a HIPAA breach.

How Often is HIPAA Refresher Training Needed?

The HIPAA text does not specify exactly how often refresher training should be provided, only stating that refresher training should be “periodic”. How often refresher training sessions are provided to the workforce is left to the discretion of the covered entity or business associate. It is, however, considered best practice to provide refresher HIPAA training at least annually to keep the workforce up to date on new developments, to remind employees of the importance of HIPAA compliance, and to ensure that any questions about the requirements of HIPAA in relation to certain situations are answered. Providing shorter training sessions more regularly can help with knowledge retention and is likely to be more effective at reinforcing the importance of HIPAA compliance.

To make it easier for HIPAA-covered entities and business associates to comply with the training requirements of HIPAA, Compliance Junction offers an annual HIPAA refresher training course specifically designed for healthcare professionals (with another course designed for healthcare students). The training course reminds healthcare employees about each aspect of HIPAA to keep compliance fresh in the mind and prevent accidental HIPAA violations.

HIPAA Refresher Training Course for Healthcare Professionals

The Compliance Junction HIPAA Refresher Training Course for healthcare professionals is modular and fully customizable to suit the training requirements of all HIPAA covered entities and business associates. You can select the core modules along with optional training modules, adjust the training text to make it specific to your organization, and add in your own additional questions should you wish.

You can also select your own grading scheme and add your own certificate to demonstrate training has been completed. In the event of a compliance audit, you will be able to demonstrate your organization has met the periodic training requirements of HIPAA.

HIPAA Refresher Training Course Modules

The refresher HIPAA training course modules can be customized to suit your organization’s HIPAA training needs. The course consists of core modules and optional modules that can be selected as appropriate. These modules are short to allow them to be easily fitted into busy workflows.

Core Modules

HIPAA Overview
HIPAA Definitions & Lexicon
The HITECH Act
Main HIPAA Regulatory Rules
HIPAA Omnibus Final Rule
HIPAA Privacy Rule Basics
HIPAA Security Rule Basics
HIPAA Patient Rights
HIPAA Disclosure Rules
HIPAA Violation Consequences
Preventing HIPAA Violations
Being a HIPAA Compliant Employee

Optional modules

HIPAA Timeline
Threats to Patient Data
Computer Safety Rules
HIPAA and Social Media
HIPAA and Emergency Situations
HIPAA Officer
HIPAA Compliance Checklist
Recent HIPAA Updates

HIPAA Security Awareness Training Course

The HIPAA Security Rule requires HIPAA covered entities and their business associates to conduct regular security awareness training to help employees recognize and avoid threats to the confidentiality, integrity, and availability of protected health information. Two training modules are available for use by HIPAA covered entities and business associates to meet this training requirement of the HIPAA Security Rule – Cybersecurity Dangers for Healthcare Employees and How to Protect PHI from Cyber Threats.

These training modules raise awareness of the threats that healthcare employees are likely to encounter such as malware, phishing, social engineering, and ransomware. They can be used to teach employees how to identify and avoid these threats and detail cybersecurity best practices to adopt to keep patient data private and confidential and prevent threat actors from gaining access to systems containing patient data.

Texas HB 300 Training

Covered entities and business associates that create, store, receive, transmit, or process the protected health information of Texas residents are required to comply with Texas HB 300 and associated state legislation such as the Texas Medical Records Privacy Act. An additional training module – Texas HB 300 for Healthcare Professionals and Students – can be combined with the HIPAA refresher training and security awareness training courses or used as a standalone training course to meet Texas state training requirements.

HIPAA Training for Healthcare Students

All healthcare students should be provided with training to ensure they understand HIPAA and its importance before they start working with patients and accessing and updating patient records. Students must be made aware of the importance of HIPAA compliance and the potential consequences of noncompliance for them personally, as well as their organization.

Our HIPAA training course for healthcare students broadly follows the healthcare employee training course but has been tailored to specifically address aspects of the HIPAA Rules that are relevant to students’ studies and training. Student-specific training modules include electronic health record (EHR) access by healthcare students, PHI and student reports and projects, being a HIPAA compliant student, and HIPAA and social media. As with other Compliance Junction training courses, the course can be customized to meet the requirements of your university.

Has the HHS’ Office for Civil Rights imposed fines for inadequate training?

Yes. In 2020, OCR imposed a $1.5 million fine on Athens Orthopedic Clinic to resolve multiple HIPAA violations, including the failure to provide HIPAA Privacy Rule training to workforce members. In the same year, Agape Health Services was fined $25,000 for HIPAA violations, including not providing security awareness training to employees.

What is the most important aspect of HIPAA training?

You must naturally provide training on all aspects of HIPAA that are appropriate to the role of each employee. The most important element is making employees understand why HIPAA is important and why HIPAA Rules must be followed. Employees need to care about compliance, or they will not apply the knowledge they receive in training to their work duties.

How targeted must HIPAA training be to the role of each individual?

It is useful to give everyone an overview of HIPAA so they understand the breadth and scope of the legislation. Role-based training is important for teaching individuals about aspects of HIPAA that are appropriate to their jobs. For instance, there is no point training nurses on issuing breach notification letters when they will not be responsible for sending them. Modular training courses make this easy. You can pick the appropriate aspects of HIPAA for training different groups of employees.

Do I need to provide security awareness training to the C-Suite?

Absolutely. The credentials of C-Suite members are extremely valuable to cybercriminals and C-Suite members are frequently targeted in phishing campaigns. It is important for everyone to receive security awareness training if they have access to a computer, including members of the IT department.

Is annual security awareness training enough?

In addition to providing periodic security awareness training, consider sending regular email updates about cybersecurity to keep it fresh in the mind and to alert employees to new threats that they may encounter. You could send a monthly or quarterly cybersecurity newsletter in addition to providing annual security awareness training, or send alerts in response to specific threats targeting healthcare employees.