The Health Insurance Portability and Accountability Act (HIPAA) has provisions covering HIPAA training in both the Privacy and Security Rules which explain, in broad terms, what training must be provided and how often HIPAA training is required. That said, the HIPAA training requirements are a source of confusion for some HIPAA covered entities and business associates.
Before providing our interpretation of how often HIPAA training is required and the industry best practices for HIPAA training, it is worthwhile covering the HIPAA training requirements of both the HIPAA Privacy and HIPAA Security Rules.
The HIPAA Training Requirements for Covered Entities and Business Associates
The HIPAA Privacy Rule requires training to be provided to the workforce to ensure all employees who encounter protected health information (PHI) are fully aware of their responsibilities with respect to the PHI, and the provisions of the HIPAA Rules that apply to their day-to-day work responsibilities. The training provisions of the HIPAA Privacy Rule do not specify exactly what training must be provided or the length of training courses, only stating, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and that the training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
The HIPAA Security Rule training requirements call for a security awareness and training program to be implemented “for all members of its workforce (including management).” There are some implementation specifications detailed in the Security Rule, which state that training should address security reminders, protection from malicious software, log-in monitoring, and password management.
The Security Rule training requirements are “Addressable” rather than “Required.” Addressable does not mean that training can be ignored; it means there is some flexibility over how the provision is implemented. It should also be noted that an aspect of security is not excluded from training simply because the Security Rule does not mention it. Phishing is not mentioned, as it was not a major problem when the Security Rule was written, yet security awareness training does need to teach employees how to recognize phishing emails. Security awareness training should cover all threats that healthcare employees are likely to face, so that they can recognize those threats when they encounter them.
Who Must Receive Training?
The HIPAA Privacy and Security Rules require training to be provided by covered entities/business associates for “all members of its workforce.”
The HIPAA definition of workforce covers paid and non-paid individuals: “Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
To further clarify this requirement, all individuals who may come into contact with PHI must receive training, which includes management, clinical staff, administration staff, hospital porters, and even cleaning staff, as the latter may encounter paperwork containing PHI. Training should be appropriate to the role of each individual and must cover all HIPAA provisions relevant to an individual’s role and responsibilities.
How Often is HIPAA Training Required?
There is some flexibility when it comes to the provision of training. The Privacy Rule states that training must be provided “To each member of the covered entity’s workforce by no later than the compliance date for the covered entity”; “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce”; and “to each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures… within a reasonable period of time after the material change becomes effective.”
“Within a reasonable period of time” means as soon as possible: ideally within days or weeks of commencing employment or of a change to policies and procedures, rather than several months later, and certainly within 60 days.
In addition to initial HIPAA training and following a change to policies and procedures, refresher training sessions must also be provided. HIPAA only calls for “periodic” training, which is rather vague. The industry best practice is for refresher HIPAA training to be provided annually, with re-training on the requirements of HIPAA provided no less frequently than every two years.
The frequency of security awareness training should be guided by a risk assessment. Given the extent to which the healthcare industry is targeted by cybercriminals and the number of phishing attacks on healthcare organizations, annual security awareness training is no longer sufficient. The best practice is now to provide security awareness training every 6 months to reinforce cybersecurity best practices, supplemented by more frequent security reminders such as monthly cybersecurity newsletters.
While not a requirement of the HIPAA Security Rule, organizations should also consider conducting phishing simulations to test the effectiveness of their security awareness training program. If employees fail phishing simulations, further training should then be provided.