Is HIPAA Training Required Annually?

Is HIPAA Training Required Annually?

Are you confused about HIPAA training? Are you unsure if HIPAA training is required annually or how often you should be providing security awareness training to your workforce?

If so, we hope this post will help to clear up any confusion and will help you implement a HIPAA training program at your organization that not only meets the requirements of the HIPAA Rules, but will also significantly reduce the risk of an accidental HIPAA violation or privacy breach.

An Introduction to HIPAA for Healthcare Employees

Whenever a new person joins the workforce, whether they are new to healthcare or have been in the industry for many years, HIPAA training must be provided. The HIPAA Privacy Rule is quite clear about this, stating: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information.”

Training must be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity,” and “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” This requirement applies regardless of whether the new members of the workforce are paid employees or unpaid volunteers and students, provided the new person is under the control of the Covered Entity.

There is no single standardized program that could appropriately train workforces of all entities, so training should be focused on each role and the extent to which each member of the workforce has access to protected health information and interactions with patients and their families.

The HIPAA Security Rule also states that security awareness training must be provided to all members of the workforce, including management. This must also be provided within a reasonable period of time after a person joins the workforce and should be an ongoing program of security awareness rather than a one-off event.

Importantly, the HIPAA Security Rule applies to Business Associates as well as Covered Entities, and although there is no regulatory requirement for Business Associates to provide training on the HIPAA Privacy Rule for members of its workforce, Business Associates are required to protect ePHI against uses and disclosures that are not permitted by the HIPAA Privacy Rule. Therefore, a Business Associate´s workforce is required to have a basic knowledge of the HIPAA Privacy Rule.

Is HIPAA Training Required Annually?

If Covered Entities were only to provide training once, bad habits would likely creep in over time and certain aspects of the initial HIPAA training may be forgotten, which increases the risk of accidental HIPAA violations. The text of HIPAA does not mention refresher training; and although industry experts suggest annual refresher training is a best practice to support HIPAA compliance, the actual frequency is at the discretion of each Covered Entity.

However, the Privacy Rule states additional training must be provided, “to each member of the covered entity’s workforce whose functions are affected by a material change in policies or procedures… within a reasonable period of time after the material change becomes effective.” This requirement is dictated by any “material” changes that occur, but if there are no changes in policies and procedures (or technologies), that does not mean refresher training should not be provided.

The failure to provide refresher training can lead to an increase in patient complaints and enforcement action by HHS´ Office for Civil Rights – which may include a corrective order requiring further training anyway. In addition, Covered Entities and Business Associates are required to conduct periodic risk analyses. If a risk analysis identifies a need for further training, it has to be provided – ideally as soon as reasonably possible after the need for further training has been identified rather than annually.

Right Length of Training Sessions?

HIPAA training does not need to see employees take a half day off work. In fact, training sessions are much more effective if they are kept brief. Studies have shown that the maximum attention span is around 40 minutes, so training sessions of this length are ideal and should certainly last no longer than an hour in one go.

HIPAA does not specify how much training is required nor the length of training sessions. Training sessions should be long enough to cover all aspects of HIPAA that are appropriate to an individual’s role and responsibilities.

HIPAA also does not specify the format training should take. It is perfectly acceptable for computer-based training to be provided to the workforce, and this may be the preferred option for most Covered Entities. Modular online training programs are ideal, as they have concise modules covering various aspects of HIPAA. These modules can be completed as and when  employees have time available, and are easy to incorporate into busy workflows. If online training is provided, a log should be kept as proof that each individual has successfully completed each training module.

Hitting the Security Awareness Sweet Spot

The HIPAA Security Rule requires security awareness training for the workforce, which should be provided at the start of employment and periodically thereafter. Periodic training sessions should be guided by a risk assessment and the threat level. Due to the constantly evolving threat landscape, it is not sufficient to provide annual security awareness training session to reinforce cybersecurity best practices and to raise awareness of the main threats to ePHI.

The number of healthcare data breaches being reported to the HHS’ Office for Civil Rights has skyrocketed in recent years, and there is no sign of the attacks slowing. The healthcare industry is extensively targeted by cyber threat actors due to the high value of healthcare data, the extent to which healthcare providers rely on patient data, and the ease of conducting attacks on healthcare organizations.

Attackers are adopting new tactics, techniques, and procedures (TTPs) to bypass security solutions and fool healthcare employees into installing malware, ransomware, or disclosing account credentials.  Therefore, a security awareness program should be continuous and incorporate regular security reminders with more frequent training sessions. Twice yearly or quarterly refresher training sessions are recommended, and it is also worthwhile considering conducting an ongoing phishing email simulation program. Phishing remains the primary way that hackers gain a foothold in healthcare networks.

Security awareness training sessions should focus on the threats that employees are likely to encounter, and to provide training to help them identify and avoid those threats. Training sessions will help to condition employees to stop and think before taking any action on their computer that could give hackers access to email accounts, healthcare networks, medical devices, and the ePHI stored on those systems.

Maintain Accurate Records for Regulators

You must be able to prove that you have provided training to the workforce and have implemented a training program that is fully compliant with the HIPAA Privacy and Security Rules. Regulators will require access to your training records in the event of an audit, investigation into a data breach, or privacy complaint. Regulators will want to see proof that all members of the workforce have been trained, a record of when they received training, and what training was provided.

It is therefore essential to maintain accurate and up-to-date training logs. These should be kept with your HIPAA documentation and you should also keep a record of the training provided to each employee in their employee file.