HIPAA compliance training companies often provide trainees with a certificate at the conclusion of a HIPAA training course to demonstrate trainees have completed the course. This is sometimes referred to as HIPAA Certification, but what exactly does HIPAA Certification mean and how long does HIPAA Certification last?
What is HIPAA Certification?
HIPAA certification is a proof of training certificate provided by a third-party compliance training company to members of a Covered Entity´s or Business Associate´s workforce when members of the workforce complete a HIPAA training course. In some cases, a copy of the certificate is also provided to the Covered Entity or Business Associate to demonstrate compliance with the training and documentation requirements of the HIPAA Privacy Rule.
Depending on the nature of the training course, the certificate can list the topics or modules covered in the training. Listing the topics helps Covered Entities and Business Associates better monitor what training each individual has received and determine whether refresher training is required due to a “material change in policies and procedures“ (under CFR 45 § 164.530), a threat identified in a risk assessment, or as part of an OCR-mandated corrective action plan.
It can also be beneficial for members of the workforce to have HIPAA Certification when applying for new jobs or a promotion. The certification demonstrates that the member of the workforce has an understanding of HIPAA and, if the topics covered in the training are itemized, what further training might be necessary to promote the individual to a role with more responsibility and increased access to Protected Health Information.
How Long Does HIPAA Certification Last?
Although a certificate awarded at the end of a training course is a point-in-time recognition, it is also a proof-of-compliance document that training has been provided. Covered Entities and Business Associates are required to retain HIPAA-related documents for a minimum of six years, so the answer to the question how long does HIPAA Certification last is six years – although the shelf-life of a training certificate could be much longer in practice.
This is because whenever an event occurs for which refresher training is necessary, members of the workforce who complete refresher training will be provided with a new certificate. The new certificate also has to be retained for six years but will only list topics covered in the refresher training. Therefore, it may be necessary to retain the original proof-of-compliance document for longer than six years to complement subsequent HIPAA certifications.
Even when no event occurs for which mandated HIPAA training is necessary, it is a best practice to provide refresher training annually. This is because members of the workforce should be reminded of the requirement to carry out their roles in compliance with HIPAA and to stay alert to possible HIPAA violations. In certain states, biennial refresher training is a requirement of the state´s own data privacy regulations, but this can often not be enough to prevent avoidable violations of HIPAA.
Workforce Certifications vs Organizational Certifications
While the provision of workforce training and the documentation of training are requirements of HIPAA, there are no such requirements for Covered Entities or Business Associates to be certified. Indeed, the Department of Health and Human Services (HHS) has published an article stating there is no standard or implementation specification that requires Covered Entities and Business Associates to certify compliance.
However, the article mentions that under the Administrative Safeguards of the Security Rule (45 CFR § 164.308), organizations are required to conduct “periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements”. These evaluations can be conducted internally by a HIPAA Compliance Officer or outsourced to an external organization – who may issue an organizational certification.
In the event that a Covered Entity or Business Associate receives a HIPAA certification from an external organization, the HHS notes such certifications do not absolve Covered Entities and Business Associates of their legal responsibilities under HIPAA – unlike workforce training certifications which demonstrate the Covered Entity or Business Associate has complied with the HIPAA training requirements.
How Long Does HIPAA Certification Last? FAQs
Do all members of a Covered Entity´s workforce require HIPAA training?
Although the Administrative Requirements of the Privacy Rule state training should be provided “on policies and procedures […] as necessary and appropriate for members of the workforce to carry out their functions”, it is important all members of the workforce have an understanding of Privacy Rule basics such as what is PHI, allowable uses and disclosures of PHI, and preventing HIPAA violations.
Why should non-medical employees have an understanding of privacy Rule basics?
There are many circumstances in which a member of a Covered Entity´s workforce may see or hear information about a patient that should not be disclosed to the general public. Therefore, workers engaged in (for example) environmental services, security, and maintenance need to be trained on the basics of the Privacy Rule to avoid unauthorized disclosures of PHI due to ignorance.
Does the term “members of the workforce” only apply to employees of Covered Entities?
No. The HHS defines a workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.”
How might refresher training be a requirement of a corrective action plan?
Each year, the HHS´ Office for Civil Rights (OCR) receives in excess of 20,000 complaints – many of which are attributable to the failure to comply with patient access requests and unauthorized uses and disclosures of PHI. The complaints are most often resolved with technical assistance and a corrective action plan – which may involve the provision of HIPAA refresher training.
Can a healthcare professional take HIPAA certification from one employer to another employer?
Healthcare professionals can take HIPAA certifications with them when they change jobs but will still have to undergo training on their new employer´s policies and procedures with respect to Protected Health Information as each Covered Entity will likely have unique policies and procedures for safeguarding PHI, preventing unauthorized uses and disclosures, and reporting HIPAA violations.
