Are you confused about HIPAA training? Are you unsure if HIPAA training is required annually or how often you should be providing security awareness training to your workforce?
If so, we hope this post will help to clear up any confusion and will help you implement a HIPAA training program at your organization that not only meets the requirements of the HIPAA Rules, but will also significantly reduce the risk of an accidental HIPAA violation or privacy breach.
An Introduction to HIPAA for Healthcare Employees
Whenever a new person joins the workforce, whether they are new to healthcare or have been in the industry for many years, HIPAA training must be provided. The HIPAA Privacy Rule is quite clear about this, stating: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information.”
Training must be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity,” and “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” This requirement applies regardless of whether the new members of the workforce are paid employees or unpaid volunteers and students, provided the new person is under the control of the Covered Entity.
There is no single standardized program that could appropriately train workforces of all entities, so training should be focused on each role and the extent to which each member of the workforce has access to protected health information and interactions with patients and their families.
The HIPAA Security Rule also states that security awareness training must be provided to all members of the workforce, including management. This must also be provided within a reasonable period of time after a person joins the workforce and should be an ongoing program of security awareness rather than a one-off event.
Importantly, the HIPAA Security Rule applies to Business Associates as well as Covered Entities, and although there is no regulatory requirement for Business Associates to provide training on the HIPAA Privacy Rule for members of its workforce, Business Associates are required to protect ePHI against uses and disclosures that are not permitted by the HIPAA Privacy Rule. Therefore, a Business Associate´s workforce is required to have a basic knowledge of the HIPAA Privacy Rule.
Is HIPAA Training Required Annually?
If Covered Entities were only to provide training once, bad habits would likely creep in over time and certain aspects of the initial HIPAA training may be forgotten, which increases the risk of accidental HIPAA violations. The text of HIPAA does not mention refresher training other than when there is a “material change” to policies and procedures; and although industry experts suggest annual refresher training is a best practice to support HIPAA compliance, the actual frequency is at the discretion of each Covered Entity.
The way to determine if HIPAA training is required annually – or at any other frequency – is to conduct a risk assessment to identify threats to the privacy of PHI, and them analyse the threats to see if they can be mitigated with further training. Although risk assessments are most often used to identify threats to ePHI, there is no reason why they should not also be used to identify threats to verbal or written PHI, or PHI maintained in any format.
The failure to provide refresher training when a need for it has been identified in a risk analysis can lead to enforcement action by HHS´ Office for Civil Rights – which may include a corrective order requiring further training anyway. By anticipating potential threats, providing refresher training to mitigate the risk of HIPAA violations, and documenting the training, Covered Entities can demonstrate a willingness to cultivate a HIPAA-compliant workforce in the event of an HHS investigation, inspection, or audit.
Right Length of Training Sessions?
HIPAA training does not need to see employees take a half day off work. In fact, training sessions are much more effective if they are kept brief. Studies have shown that the maximum attention span is around 40 minutes, so training sessions of this length are ideal and should certainly last no longer than an hour in one go.
HIPAA does not specify how much training is required nor the length of training sessions. Training sessions should be long enough to cover all aspects of HIPAA that are appropriate to an individual’s role and responsibilities.
HIPAA also does not specify the format training should take. It is perfectly acceptable for computer-based training to be provided to the workforce, and this may be the preferred option for most Covered Entities. Modular online training programs are ideal, as they have concise modules covering various aspects of HIPAA. These modules can be completed as and when members of the workforce have time available, and are easy to incorporate into busy workflows.
Hitting the Security Awareness Sweet Spot
The HIPAA Security Rule requires both Covered Entities and Business Associates to implement a security awareness and training program – the inclusion of the word “program” implying that training should be ongoing rather than a one-off event. Due to the constantly evolving threat landscape, it is not sufficient to provide annual security awareness training session to reinforce cybersecurity best practices and to raise awareness of the main threats to ePHI.
The number of healthcare data breaches being reported to the HHS’ Office for Civil Rights has skyrocketed in recent years, and there is no sign of the attacks slowing. The healthcare industry is extensively targeted by cyber threat actors due to the high value of healthcare data, the extent to which healthcare providers rely on patient data, and the ease of conducting attacks on healthcare organizations.
Attackers are adopting new tactics, techniques, and procedures (TTPs) to bypass security solutions and fool members of the workforce into installing malware, ransomware, or disclosing account credentials. Therefore, a security awareness program should be continuous and incorporate regular security reminders with more frequent training sessions. Twice yearly or quarterly refresher training sessions are recommended, and it is also worthwhile considering conducting an ongoing phishing email simulation program. Phishing remains the primary way that hackers gain a foothold in healthcare networks.
Security awareness training sessions should focus on the threats most likely to be encountered and provide training to help identify and avoid those threats. Training sessions will help to condition members of the workforce to stop and think before taking any action on their computer that could give hackers access to email accounts, healthcare networks, medical devices, and the ePHI stored on those systems.
Maintain Accurate Records for Regulators
You must be able to prove that you have provided training to the workforce and have implemented a training program that is fully compliant with the HIPAA Privacy and Security Rules. Regulators will require access to your training records in the event of an audit, investigation into a data breach, or privacy complaint. Regulators will want to see proof that all members of the workforce have been trained, a record of when they received training, and what training was provided.
It is therefore essential to maintain accurate and up-to-date training logs. These should be kept with your HIPAA documentation and you should also keep a record of the training provided to each member of the workforce in their HR file.