Are you confused about HIPAA training? Are you unsure if HIPAA training is required annually or how often you should be providing security awareness training for your workforce? If so, we hope this post will help to clear up any confusion and will help you implement a HIPAA training program at your organization that not only meets the requirements of the HIPAA Rules, but will also significantly reduce the risk of an accidental HIPAA violation or privacy breach.
An Introduction to HIPAA for Healthcare Employees
Before delving into the required frequency of training sessions and whether HIPAA training is required annually, let's start with initial HIPAA training. Whenever a new person joins the workforce, whether they are new to healthcare or have been in the industry for many years, HIPAA training must be provided. The HIPAA Privacy Rule is quite clear about this, stating:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information.” Training must be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity,” and “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.”
The HIPAA Security Rule also calls for training. It requires a security awareness and training program for all members of the workforce, including management. As with privacy training, security awareness training should be provided within a reasonable period of time after a person joins the workforce, before they are given access to systems that hold electronic protected health information.
It is worth pointing out here that “workforce” is not limited to paid employees. The definition of workforce is:
“Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
Is HIPAA Training Required Annually?
Training needs to be reinforced. If you were only to provide training once, bad habits would creep in over time and aspects of the training would be forgotten, which increases the risk of accidental HIPAA violations. The HIPAA text is not so clear about the required frequency of refresher training sessions. The Privacy Rule states additional training must be provided:
“To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective.”
That requirement is triggered by changes to your policies and procedures, but the absence of such changes does not mean refresher training is not required. Training must be provided periodically, regardless of whether there are changes to the HIPAA Rules or to your working practices.
You should never go for more than 2 years without providing refresher HIPAA training. The best practice, which should be followed, is to provide refresher HIPAA training annually. If you need to provide training to accommodate rule changes, that training session could also include a refresher on other aspects of HIPAA to meet the annual HIPAA training best practice.
What is the Right Length of Training Sessions?
HIPAA training does not need to see employees take a half day off; in fact, training sessions are much more effective if they are kept brief. Attention wanes after roughly 40 minutes, so sessions of around that length are ideal, and a single session should last no longer than an hour. If more material needs to be covered, split it across several shorter sessions rather than one long one.
HIPAA does not specify how much training is required or the length of training sessions. Training should be long enough to cover all aspects of HIPAA that are appropriate to an individual’s role and responsibilities.
Hitting the Security Awareness Sweet Spot
The HIPAA Security Rule requires security awareness training for the workforce, which should be provided at the start of employment and periodically thereafter. The frequency of periodic training should be guided by the threat level. It used to be sufficient to provide the workforce with an annual security awareness training session to raise awareness of the main threats and to teach or reinforce cybersecurity best practices.
Today, the volume of cyberattacks, the extent to which healthcare employees are directly targeted by threat actors, and the rapidly changing threat landscape mean healthcare organizations need to develop a genuine security culture to weather the storm. That cannot be achieved with a single annual security awareness training session.
Ideally, the security awareness program should be continuous and should incorporate regular security reminders with more frequent training. Twice yearly training sessions or quarterly training is recommended, with phishing email simulations also worth considering. The idea is to ensure employees are aware of the threats they will encounter, train them to be able to identify and avoid those threats, and to condition employees to stop and think before taking any action requested on a website, via email, text message, or over the phone.
Maintain Accurate Records for Regulators!
You must be able to prove that you have provided training to the workforce. Regulators will require access to your training records in the event of an audit or an investigation into a HIPAA breach. They will want to see that all members of the workforce have been trained, when they received training, and what training was provided. It is therefore essential to maintain accurate and up-to-date training logs, and to cover everyone within the definition of workforce, including volunteers, trainees and contractors under your direct control, not just paid employees. Like other HIPAA documentation, training records must be retained for at least six years from the date of creation or the date they were last in effect, whichever is later.