In recent years, there has been an increase in the number of companies offering online HIPAA training for employees. While there are many circumstances in which training courses of this nature can be beneficial, it is important for Covered Entities and Business Associates to be aware that online HIPAA training for employees is not a replacement for HIPAA-mandated training.
The HIPAA Privacy and Security Rules are clear about HIPAA training for employees. The Privacy Rule states a Covered Entity must train all members of its workforce on policies and procedures relating to PHI as necessary for members of the workforce to carry out their functions, while the Security Rule stipulates Covered Entities and Business Associates must implement a security and awareness training program.
In addition to the above, the Privacy Rule requires Covered Entities to provide further training whenever employee functions are affected by a material change to policies and procedures, while the Security Rule instructs Covered Entities and Business Associates to conduct risk analyses to assess potential threats to ePHI. If a risk analysis determines the need for further training to mitigate potential threats, it must be provided.
Beyond these requirements, the only other time it may be necessary for a Covered Entity or Business Associate to provide further employee training is if it is a condition of a corrective action plan following an OCR investigation into a HIPAA violation. Ironically, the most commonly investigated HIPAA violations could easily be prevented if Covered Entities and Business Associates had the resources to provide regular refresher training.
The Issues with the HIPAA-Mandated Training Requirements
Although the HIPAA-mandated training requirements are deliberately flexible to accommodate the range in types and sizes of organizations that have to comply with them, there are issues. Covered Entities only have to provide “policy and procedure” training when a new employee joins the Covered Entity's workforce. Unless there is a material change in the policies – or a risk assessment identifies a need for further training – that is all the training on HIPAA each employee receives.
In addition, many new entrants to the medical profession may be unfamiliar with HIPAA at the time they start working for a Covered Entity. Not all teaching institutions are classified as Covered Entities, and therefore they have no reason to provide training on their policies and procedures, nor give medical students a background to the HIPAA regulations. Consequently, new entrants may not understand the content of policy and procedure training due to a lack of basic HIPAA training.
While this issue can also impact the effectiveness of security and awareness training, this type of training is often not HIPAA-specific due to the content relating to general Internet best practices. However, the combination of a lack of basic training and a lack of refresher training can result in poor compliance practices developing in the workplace which – if not identified and prevented by a risk assessment – can lead to a cultural norm of non-compliance and multiple HIPAA violations.
How Online HIPAA Training for Employees Helps Resolve the Issues
In most cases, online HIPAA training for employees includes all the basic information new entrants to the medical profession require before undergoing policy and procedure training or security and awareness training. This ensures new employees will have a basic knowledge of HIPAA prior to undergoing further training, which will help them better understand – and comply with – the content of policy and procedure training and security and awareness training.
The information is delivered in bite-sized modules that new entrants can take when time in their schedules allows. The modules are also suitable for periodic refresher training that mitigates the likelihood of poor compliance practices developing in the workplace, the risk of HIPAA violations, and the possibility of an OCR investigation following a patient complaint or data breach. Furthermore, modular online HIPAA training for employees can be repeated whenever required.
Online HIPAA training for employees not only benefits Covered Entities and Business Associates by helping curate a more HIPAA-compliant workforce. It also enables resource-stretched organizations to train employees effectively without having to disrupt the workplace to hold classroom-style training sessions or reassign staff to train employees on HIPAA basics. In this respect, online HIPAA training for employees can deliver a significant ROI for organizations that take advantage of it.