How often is HIPAA training required? Answers about this and other frequently asked questions about HIPAA training for employees of covered entities and business associates.
Why is HIPAA Training Important?
The Health Insurance Portability and Accountability Act (HIPAA) is a major legislative act covering the healthcare industry. Since 1996, when the Act was signed into law by President Clinton, there have been several updates that have expanded its scope and added new requirements for HIPAA-covered entities and for vendors used by those entities that require access to protected health information.
All employees in the healthcare industry are required to comply with HIPAA to some extent and must be aware of the requirements of HIPAA and how it impacts their working lives. Training must be provided to communicate the importance of the legislation with respect to their working duties.
The purpose of HIPAA training is to communicate how HIPAA applies, the restrictions on uses and disclosures of protected health information (PHI), the security measures that protect healthcare data and the systems on which data are stored, and patient rights under HIPAA. Staff members must also be told about the sanctions policy that applies should HIPAA Rules be violated.
Everyone in a healthcare organization is required to play their part in ensuring compliance. If HIPAA training is not provided, employees will not understand how their job is impacted by HIPAA and the steps they must take to ensure compliance.
Who Must Receive HIPAA Training?
The HIPAA Privacy and Security Rules require training to be provided by covered entities/business associates for “all members of its workforce.”
The HIPAA definition of workforce covers paid and non-paid individuals: “Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
To further clarify this requirement, all individuals who may come into contact with PHI must receive training. This includes management, clinical staff, administration staff, hospital porters, and even cleaning staff, as the latter may encounter paperwork containing PHI. Training should be appropriate to the role of each individual and must cover all HIPAA provisions relevant to an individual’s role and responsibilities.
The HIPAA Privacy Rule Training Requirements
The HIPAA Privacy Rule requires training to be provided to the workforce to ensure all employees who encounter protected health information (PHI) are fully aware of their responsibilities with respect to the PHI, and the provisions of the HIPAA Rules that apply to their day-to-day work responsibilities.
The training provisions of the HIPAA Privacy Rule do not specify exactly what training must be provided or the length of training courses, with the administrative safeguards (45 CFR § 164.530) stating, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and that the training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
The HIPAA Security Rule Training Requirements
The HIPAA Security Rule training requirements call for a security awareness and training program to be implemented “for all members of its workforce (including management).” There are some implementation specifications detailed in the Security Rule, which state that training should address security reminders, protection from malicious software, log-in monitoring, automatic log-off, and password management.
The Security Rule training requirements are “Addressable” rather than “Required.” Addressable does not mean that training can be ignored; it means there is some flexibility over how the provision is implemented. It should also be noted that an aspect of security is not excluded from training simply because the Security Rule does not specifically mention it.
Phishing is not mentioned, as it was not a major problem when the Security Rule was written, yet security awareness training does need to include training for employees on how to recognize phishing emails. Security awareness training should cover all threats that healthcare employees are likely to face to help them identify threats to the confidentiality of PHI.
How Often is HIPAA Training Required?
Basic training on HIPAA should be provided to all staff, and training on the specific aspects of HIPAA relevant to each individual’s position and work duties must also be provided. A cleaner, for example, should be aware of what protected health information is, so that such information can be identified, together with the rules covering secure disposal of that information. An administrative worker would have considerable interaction with healthcare data and patients and would need extensive role-based knowledge. Such a worker would need to be fully aware of the restrictions on uses and disclosures of PHI, how to protect PHI, and patient rights.
Training must be provided during the onboarding process, “to each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce.” That applies to individuals new to healthcare as well as employees who have extensive experience in healthcare settings.
There is considerable confusion about how often HIPAA training is required. As previously mentioned, HIPAA training is required when a person joins the workforce, and training must also be provided when “functions are affected by a material change in policies or procedures,” ideally when policies and procedures are about to change, or within a reasonable period of time thereafter.
HIPAA training is not a one-time checkbox item to ensure compliance. Training should be a continual process. HIPAA refresher training should be provided periodically to ensure no aspect of the HIPAA Rules is forgotten. Security awareness training must also be provided regularly to ensure employees are kept aware of threats and risks to the confidentiality, integrity, and availability of PHI.
The best practice is to provide refresher HIPAA training annually, and certainly no less frequently than every two years. Refresher security awareness training should be provided at least annually, with the frequency determined by a risk assessment.
How Long Must HIPAA Training Records be Kept?
It is important to retain records of training as these may need to be produced in the event of an audit, investigation into compliance following a data breach, or when complaints are investigated. Regulators will want to make sure that employees have been provided with appropriate role-based training.
The HIPAA documentation requirements are for covered entities and business associates to retain HIPAA documentation for at least 6 years from either the date of creation or the last effective date, whichever is later. The best practice is to keep training records indefinitely with all other HIPAA documentation, and to also keep individual records of the training provided in each employee file.