What Do You Learn During HIPAA Training?


Because every organization has different HIPAA policies and procedures, what you learn during HIPAA training for new members of the workforce will likely vary from organization to organization. However, what you learn during security and awareness training and refresher HIPAA training often follows the same pattern.

Under the Administrative Requirements of the HIPAA Privacy Rule (45 CFR § 164.580), Covered Entities are required to train new members of the workforce on “policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”. Additional training must also be provided “when functions are affected by a material change in policies and procedures”.

Because each Covered Entity is likely to have unique policies and procedures to protect the privacy of PHI, what you learn during HIPAA training as a new member of the workforce will be different with each Covered Entity you work for. It is also the case that what you learn during HIPAA training prompted by a risk assessment or a corrective action plan will vary depending on the nature of the event identified in the risk assessment or OCR investigation.

What You Learn During Security and Awareness Training

In addition to providing training on policies developed to protect PHI, Covered Entities (and Business Associates) have to implement a security and awareness training program for all members of the workforce. In many cases, the content of the security and awareness training programs will be more consistent, as the implementation specifications for this standard (45 CFR § 164.308) include security reminders, reporting malware, log-in monitoring, and password management.

Due to an increase in cyber threats to healthcare data since the requirement to provide security awareness training was published, most Covered Entities will have expanded their security and awareness training programs. Therefore, what you learn during HIPAA training of this type may also include reducing susceptibility to phishing, the importance of frequent back-ups, computer safety rules, and how to protect healthcare data from cyberthreats.

What You Learn During Refresher HIPAA Training

In addition to the HIPAA-mandated training requirements, some Covered Entities also provide refresher training to all members of the workforce. This type of training serves two purposes – it provides context to training on policies and procedures inasmuch as it helps trainees better understand why certain policies and procedures exist, and it also raises awareness of HIPAA for members of the workforce who might not qualify for training on policies and procedures.

What you learn during HIPAA training of this type includes an overview of HIPAA, details of the main regulatory rules, patients' rights, permissible uses and disclosures of PHI, the consequences of HIPAA violations and how best to prevent them. If not already covered by HIPAA-mandated training, you will likely also learn about the Minimum Necessary Standard, how to report violations of HIPAA, and when some HIPAA Rules may be waived during emergency situations.

How You Learn During HIPAA Training

In recent years – and particularly since the beginning of the COVID-19 pandemic – there has been a move away from classroom training towards online training. Although there is no one-size-fits-all in-house HIPAA training program that covers policies and procedures in respect of PHI, many online security and awareness training programs and refresher training courses cover much the same ground to ensure a consistent approach to HIPAA awareness and compliance.

One of the benefits of online HIPAA training is that it can be provided in modular form so trainees can take modules as and when gaps in their schedules allow. Modular training also has the advantages of being cost-effective, convenient, and scalable, and it enables trainees to repeat modules if there is something they are not sure about or if the module is relevant to an event identified in a risk assessment or OCR investigation.

What You Learn During HIPAA Training FAQs

If a new member of the workforce has received HIPAA training from a previous employer, do they have to undergo training again?

Yes. As each Covered Entity is likely to have unique policies and procedures to protect the privacy of PHI, the policies and procedures implemented by the individual's previous employer are unlikely to be the same as those of their new employer. Therefore, even though much of the content may be similar, new members of the workforce have to undergo training on policies and procedures.

Why might HIPAA training be prompted by a risk assessment?

Covered Entities and Business Associates are required to conduct periodic risk assessments. If a risk assessment identifies a threat to the confidentiality, integrity, or availability of PHI that could be mitigated by further HIPAA training, it will be necessary to provide sufficient training to mitigate the threat to a “reasonable and acceptable level”.

Why might HIPAA training be prompted by an OCR corrective action plan?

The HHS' Office for Civil Rights (OCR) receives in excess of 20,000 complaints each year relating to issues such as impermissible uses and disclosures, disclosing more than the minimum necessary PHI, and the failure to provide access to PHI. Most of these issues are resolved via corrective action plans which often include additional training to prevent them happening again.

Under what circumstances might members of the workforce not qualify for training on policies and procedures?

Members of the workforce might not qualify for training on policies and procedures if their functions do not expose them to PHI. Examples can include environmental services, maintenance teams, and security personnel – who, although undergoing security awareness training, may not be aware that they should not share what they see or hear at the workplace on (for example) social media platforms.

How is it possible to document training provided in modular form if trainees take modules when gaps in their schedules allow?

Training modules usually conclude with some form of quiz or questionnaire. When trainees pass the quiz or questionnaire, they are provided with a certificate of completion. A copy of this certificate should be forwarded to the team responsible for providing HIPAA training so each trainee's progress can be monitored and a record maintained of what training they have received.