The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to provide HIPAA compliance training to the workforce. In this article, we explain some of the important considerations for providing HIPAA compliance training to the workforce to meet the standards set by the Department of Health and Human Services and to prevent potentially costly HIPAA violations.
What Does the HIPAA Text Say About Training the Workforce?
There are training requirements outlined in both the HIPAA Privacy and HIPAA Security Rules. The HIPAA Privacy Rule training requirements are concerned with providing training to employees to allow them to perform their working duties in compliance with HIPAA standards, whereas the HIPAA Security Rule training requirements concern security awareness training for the workforce.
The HIPAA text does not provide much in the way of detail about the content of HIPAA compliance training. In terms of content, HIPAA says training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions.”
All employees should be provided with basic HIPAA compliance training that covers the fundamental aspects of HIPAA, why the legislation is important, how the legislation governs privacy and security, the information covered by HIPAA, allowable uses and disclosures of protected health information, patient rights, and the consequences of HIPAA violations by employees, including the organization’s sanction policy.
Further HIPAA compliance training should be provided that is tailored to the role of an individual in the organization. An employee in payroll would not need to be trained on providing a notice of privacy practices to patients, for instance. Training should cover all aspects of HIPAA that an employee needs to know to perform their work duties in a HIPAA-compliant manner.
Security awareness training should be provided to all individuals from the C-suite down. The training should cover the most common threats, teach employees how to identify and avoid phishing emails, and cover physical security and cybersecurity best practices.
There is some flexibility regarding the timeframe for providing HIPAA compliance training to employees. In an ideal world, training would be provided before an employee starts working with protected health information; however, that may not always be possible. HIPAA allows for this, and only requires training to be provided to “each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.”
In addition to initial training, it is necessary to provide training “when functions are affected by a material change in policies or procedures.” The same applies to security awareness training for the workforce, which must also be provided within a reasonable period of time after an employee starts work, and when policies, procedures, or technology change.
These flexible timescales for HIPAA compliance training are open to interpretation, but a “reasonable period of time” should be taken to mean within days or the first few weeks, not months after employment starts.
How Often Should HIPAA Compliance Training Be Provided?
Training is not a one-time checkbox item that needs to be completed for HIPAA compliance. Training is an ongoing process, with refresher HIPAA and security awareness training required.
The HIPAA text says HIPAA compliance training and security awareness training should be provided “as necessary and appropriate.” Generally speaking, “as necessary and appropriate” means conducting refresher HIPAA training sessions no less frequently than every two years; however, the best practice for refresher HIPAA training is to retrain employees annually.
With security awareness training, annual refresher training sessions are no longer considered to be sufficient due to the constantly changing threat landscape. Refresher security awareness training should be provided every 6 months, and the workforce should be frequently reminded of cybersecurity best practices and new threats, through monthly cybersecurity newsletters for example.
It should be noted that a need may arise for training to be provided more frequently: for example, when an employee has been found to have violated the HIPAA Rules, when a risk assessment calls for additional training, or when an employee is duped by a phishing email and needs additional security awareness training.
Additional Training Requirements
HIPAA is not the only legislation covering the privacy and security of healthcare data. Many states have introduced their own legislation covering medical data that has training requirements. For instance, healthcare organizations based in Texas and those who provide healthcare services to Texas residents must ensure they provide training on Texas HB 300 and the Texas Medical Records Privacy Act, which include more stringent requirements than the minimum standards of HIPAA.
Document All Training Activities
In the event of a compliance audit, data breach, or investigation of a complaint, the HHS’ Office for Civil Rights or state attorneys general are likely to require proof that the workforce has received appropriate training. It is therefore vital for all training activities to be documented, and for that information to be stored with all other HIPAA documentation.
You should also keep a record of the training provided to each employee in their employment file, and all employees should sign a document confirming that they have received HIPAA and security awareness training.
Take Advantage of Third-Party Training Companies
Developing a HIPAA compliance training program from scratch that provides basic training for all employees and more in-depth role-specific training, and then keeping the training courses updated following any legislative changes, can be time-consuming. In addition, training courses are needed to teach cybersecurity best practices and raise awareness of the latest threats.
Many HIPAA-covered entities and business associates use a third-party training company that either offers in-house training or, more commonly, computer-based training. These training programs are comprehensive, cover all aspects of HIPAA for different categories of employees, and are often a much lower-cost and more convenient option. Many training companies also provide HIPAA certification after the completion of a training course, which acts as proof that training has been provided.