There is no one-size-fits-all answer to the question of how often HIPAA training is required because, beyond the training requirements of the Privacy and Security Rules, the frequency of HIPAA training should be determined by a risk analysis.
The question of how often HIPAA training is required cannot be answered solely by referring to the training requirements of the Privacy and Security Rules. This is because the training requirements of the Privacy Rule are insufficient to cultivate a HIPAA-compliant workforce, while the training requirements of the Security Rule are not specific enough to guide organizations on the best ways to mitigate threats to ePHI.
Consequently, basing the frequency of HIPAA training only on the mandated training requirements of the Privacy and Security Rules can expose Covered Entities and Business Associates to liability for HIPAA violations if – for example – a HIPAA violation occurs that was foreseeable and that could have been prevented with non-mandated training. Therefore, the best way to determine how often HIPAA training is required is via a risk analysis.
What’s Wrong with the Training Requirements of the Privacy Rule?
The training requirements of the Privacy Rule are fairly easy to understand. Covered Entities must develop policies and procedures to reasonably safeguard PHI from any use or disclosure that violates the Privacy Rule (see 45 CFR § 164.530), and train members of the workforce on the policies and procedures “as necessary and reasonable for members of the workforce to carry out their functions with the Covered Entity”.
Training has to be provided “within a reasonable period of time” after an individual first starts working for a Covered Entity, and whenever individuals’ functions are affected by a “material change” in the policies and procedures. Thereafter, there is nothing in the Privacy Rule to suggest further HIPAA training is required, and therefore no guidance to help answer the question of how often HIPAA training is required.
With regards to being insufficient to cultivate a HIPAA-compliant workforce, the Privacy Rule doesn’t even stipulate that HIPAA training should be provided to all members of the workforce – only to those for whom the policies and procedures are relevant to their functions. This means some members of a Covered Entity’s workforce might not have an understanding of what PHI is, why it should be protected, and what constitutes an impermissible use or disclosure.
What’s Wrong with the Training Requirements of the Security Rule?
By comparison, the training requirements of the Security Rule – that “[Covered Entities and Business Associates must] implement a security awareness and training program for all members of the workforce” – lack specificity. For example, in the context of the Administrative Safeguards of the Security Rule (see 45 CFR § 164.308), the requirement implies that the security awareness and training program should focus on mitigating threats to ePHI. But that’s not the case, as the following paragraphs explain.
Most Covered Entities and Business Associates implement technical safeguards to protect ePHI from unauthorized access and train workforce members on how to use the technical safeguards in compliance with HIPAA. Cybercriminals are aware of this; so, rather than attempt to extract ePHI directly, they will attempt to identify the weakest link in the network, obtain that person’s login credentials, and use the login credentials to move laterally through the network to where ePHI is stored.
In many cases, the weakest link in the network will be an individual who does not have access to ePHI and whose network access is therefore not protected by technical safeguards. This is why the training requirements of the Security Rule state a security awareness and training program must be implemented for all members of the workforce and not just those with access to ePHI. Therefore, every member of an organization’s workforce must receive security awareness training.
How Best to Determine the Frequency of HIPAA Training
With the Privacy Rule implying that HIPAA training only needs to be a one-off event on policies and procedures for members of the workforce for whom the policies and procedures are relevant, and the Security Rule implying that security awareness and training has to be an ongoing event for all members of the workforce, it is difficult to determine how often HIPAA training is required from the HIPAA training requirements alone.
Therefore, Covered Entities and Business Associates should conduct risk assessments to identify potential HIPAA violations and analyze the results of the risk assessments to establish where potential violations can be prevented with training beyond the requirements of the Privacy and Security Rules. The risk analyses should also help establish the frequency at which HIPAA training is required to maximize retention of the training.
Establishing the frequency of HIPAA training via a risk analysis is the most viable way to determine how often HIPAA training is required; for although many compliance experts advocate annual HIPAA training, it may be the case that some groups of the workforce require more frequent refresher training, while other groups may not need reminding of the HIPAA Rules so often. Indeed, it may also be the case that some individuals require more frequent HIPAA training than the groups they belong to.
How Best to Cultivate a HIPAA-Compliant Workforce
The ultimate objectives of HIPAA training are to prevent violations of HIPAA, protect the privacy of PHI, and ensure the confidentiality, integrity, and availability of ePHI. The best way to achieve these objectives is to cultivate a HIPAA-compliant workforce, and the best way to cultivate a HIPAA-compliant workforce is to ensure every member of the workforce receives the training they need to carry out their functions in the most HIPAA-compliant manner possible.
Ensuring that every member of the workforce receives the training they need may appear difficult when different individuals – or groups of individuals – may need different levels of training. Even providing basic HIPAA training to all members of the workforce can be a drain on resources – especially when it is still necessary to provide training on policies and procedures to those who require it and maintain an ongoing security awareness and training program.
However, by outsourcing basic HIPAA training to a third-party training organization that offers an online modular training option, Covered Entities and Business Associates can reduce the administrative burden of cultivating a HIPAA-compliant workforce while ensuring all members of the workforce receive the training they need to carry out their functions in the most HIPAA-compliant manner possible – thus reducing potential HIPAA violations and the costs of non-compliance.
In addition to providing role-appropriate basic HIPAA training, online modular HIPAA training can be used to provide refresher training when required to individuals or groups of individuals on just the subjects a risk analysis has identified they lack training in. Furthermore, because the training is provided in an online format, it can be completed when members of the workforce have a gap in their schedules, rather than having to disrupt operations to conduct classroom training.
How Often is HIPAA Training Required FAQs
Why is HIPAA security and awareness training described as an ongoing event?
HIPAA security and awareness training is described as an ongoing event because the training requirements of the Security Rule state Covered Entities and Business Associates must implement a security awareness and training program. The inclusion of the word “program” suggests Security Rule training should not be a one-off event, but an ongoing one.
Can you use risk assessments to identify threats to physical PHI?
Although the requirement to conduct risk assessments appears in the Security Rule and is widely assumed to apply exclusively to ePHI, there is no good reason why Covered Entities and Business Associates should not conduct risk assessments on the privacy of PHI in any format – for example, verbal and written PHI as well as electronic PHI.
Why is annual HIPAA training advocated so often if it is not a requirement of HIPAA?
By scheduling periodic HIPAA refresher training, Covered Entities have the opportunity to avert the need for post-violation training by keeping compliance at “front of mind”. The more frequently training takes place, the less likely it is that a violation of HIPAA will occur; however, it is impractical to suggest training should take precedence over operations, which is why annual training is the frequency most often advocated.
Who is responsible for determining how often HIPAA training is required?
In most cases, the provision of HIPAA training is the responsibility of the HIPAA Privacy Officer or HIPAA Security Officer. However, in some organizations, decisions about the frequency of HIPAA training can be made at a supervisory or middle-management level – it depends on the training structure of the organization in question.
Does every HIPAA training session have to be documented?
The HIPAA Privacy Rule states Covered Entities have to document policy and procedure training. However, it is advisable to document all training as the documentation may be required to prove training has been provided when – for example – a risk analysis identifies a need for refresher training and a violation of HIPAA subsequently occurs that prompts an HHS investigation.