How Should You Promote HIPAA Awareness in Your Organization?

by | Feb 3, 2021

Every HIPAA-covered entity must conduct HIPAA training on an ongoing basis to ensure that all employees know what they must do to avoid a HIPAA breach. Choosing the best time to conduct the training is just as important as conducting it.

There is an obligation on HIPAA-covered entities, business associates and subcontractors to provide their staff with HIPAA training, ideally prior to being allowed to access PHI. The training provided must cover the permissible uses and sharing of PHI, patient privacy, data security, job-specific data, internal policies covering privacy & security, and HIPAA best practices.

If employees are not provided with training, they will not be aware of their responsibilities and HIPAA violations are much more likely to take place, leading to penalties. Of course, any time there is a change or update to HIPAA, additional training will be required.

The HIPAA Privacy Rule administrative requirements, outlined in 45 CFR § 164.530, state that all employees must receive training on HIPAA Rules and on policies and procedures in relation to PHI. Training should be conducted, as appropriate, to permit employees to complete their work duties and functions within the covered entity. One training program therefore does not work for every group. The Privacy Rule requires training to be provided for all new employees “within a reasonable timeframe”.

The HIPAA standard 45 CFR § 164.308(a)(5) covers two types of training: job-specific training and security awareness training, neither of which can be a one-time event.

While it is wise to conduct training with new members of staff at the beginning of an employment contract, this is only the starting point. Ongoing training is vital so employees do not forget about their responsibilities. In the event of a breach, it will also show that you were doing everything possible to prevent one from taking place.

HIPAA legislation does not state outright how regularly refresher training should be conducted. The only stipulation is that it takes place ‘regularly.’ Most advice issued on this point is that it be conducted annually.

In tandem with training for HIPAA compliance and security awareness, it is a good idea to promote HIPAA awareness within your organization on an ongoing basis. While formal training sessions can be conducted on an annual basis, the use of newsletters, email bulletins, posters, and quizzes can all help to raise and maintain awareness of HIPAA Rules. This can be particularly effective when it comes to security awareness training.

It is best practice to provide security awareness training twice per year and to issue cybersecurity reminders every month. When a new threat presents itself, you should inform your staff as soon as you can. These work even better with yearly refresher training sessions and retraining on HIPAA Rules after any privacy or security violation and after a data breach.

 


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
