Who Should Have HIPAA Training?

Sep 25, 2022

There are training requirements in both the HIPAA Privacy and Security Rules; however, many people are unsure about who should have HIPAA training. In this post, we explain the HIPAA training requirements, and which staff members should be provided with training to mitigate the risk of non-compliance and HIPAA violations.

What are the HIPAA Training Requirements?

The HIPAA Privacy Rule training requirements apply to covered entities and not to business associates. 45 CFR § 164.530 of the HIPAA Privacy Rule states, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

Training must be provided within a reasonable period of time after the person joins the covered entity’s workforce. Training must also be provided when job functions are affected by a material change that becomes effective.

While there is no requirement for ongoing HIPAA training to be provided to the workforce, additional HIPAA training may be required as dictated by a risk assessment. For example, if an employee has been discovered to have violated a provision of the HIPAA Privacy Rule, further training for that individual would be appropriate. Many covered entities choose to provide annual refresher training sessions on HIPAA and internal policies and procedures to reduce the risk of HIPAA violations. The provision of annual HIPAA training is a best practice in healthcare.

Who Should Have HIPAA Training?

The text of HIPAA explains who should have HIPAA training, but there is room for confusion, as it states that “training must be provided to all members of the workforce.” The workforce naturally includes doctors, nurses, radiologists, and administrative assistants, but it also includes any other employee who interacts with protected health information in any form as part of their job duties.

HIPAA training is not limited to employees. Workforce is defined in 45 CFR § 160.103 as, “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”

The HIPAA Privacy Rule requires training on policies and procedures relevant to the role of each employee, so that interpretation would exclude individuals who could potentially come into contact with PHI but are not required to interact with PHI as part of their work duties. HIPAA requires a risk analysis to be conducted, and the risk analysis should guide covered entities on who should receive training on HIPAA policies and procedures.

The training provided should be tailored to the role of each member of the workforce and should be sufficient to allow them to complete their job duties in a HIPAA-compliant way. That means a standard training course for all individuals is not practical. It is best to develop or purchase a modular training course, where modules can be selected for different categories of workers based on their individual roles and responsibilities.

Who Should Have Security Awareness Training?

The HIPAA Security Rule applies to covered entities and business associates and the administrative safeguards require training to be provided to all workforce members on the organization’s security policies and procedures. They must also be advised of the sanctions that apply when members of the workforce fail to comply with the security policies and procedures.

HIPAA was written in technology-agnostic language to account for changing best practices over time and is light on detail on what security awareness training should entail. While the content of security awareness training is largely left to the discretion of each covered entity and business associate, it is an area where covered entities and business associates should go beyond what is stated in the HIPAA Security Rule and focus on providing training to ensure risk is effectively managed and reduced.

The HHS’ Office for Civil Rights has explained, in one of its regular cybersecurity newsletters, the high risk of phishing attacks on healthcare organizations. The threat from phishing, malware, and other common security threats that are likely to be encountered should be covered in training sessions. Training should also cover passwords, protecting PHI in all its forms, email, the Internet, social media, accessing PHI remotely, how PHI should be disposed of, and security best practices concerning physical documents, electronic devices, medical devices, and mobile devices. The topics to be included in security awareness training should be guided by a risk analysis and should be relevant to the role of each individual. As with HIPAA training, modular training courses are best, as they allow modules to be provided that are relevant to the role of each individual.

All members of the workforce, from the CEO down, must be provided with security awareness training, as any member of staff could encounter a threat that could allow ePHI to be accessed by unauthorized individuals, or could act in a way that places IT equipment, PHI, or ePHI at risk.

Security awareness training must be provided as necessary and appropriate. As for the frequency of training sessions, a one-time training session is unlikely to be effective. The National Institute of Standards and Technology (NIST) has published guidelines recommending security awareness training be provided at least annually. Given the fast-changing threat landscape and the extent to which the healthcare industry is targeted by cyber threat actors, security experts no longer consider annual training to be sufficient.

The best practice is now to provide ongoing security awareness training to the workforce, involving classroom-based or computer-based training, and to also provide regular security reminders to the workforce, such as monthly or quarterly cybersecurity newsletters raising awareness of the latest threats.

Make Sure You Retain Documentation of all Training Provided to the Workforce

All training documentation must be retained as proof that training has been provided. Regulators may ask to see training documentation in the event of an audit, investigation of a complaint, or following a data breach or potential HIPAA violation. Training materials should be retained, and records kept to prove that all employees have been provided with HIPAA and security awareness training. Employees should sign, either physically or electronically, to confirm they have received training and that it has been understood.

The retention period for training records is at least six years from the last date on which the record was effective, which means at least six years from when an employee’s employment is terminated, although retaining training records indefinitely is strongly recommended.


ComplianceJunction
