Many organizations limit HIPAA training for employees to just the requirements of the HIPAA Privacy and Security Rules, and while this may “tick the box” for compliance purposes, it could leave an organization exposed to the risk of HIPAA violations and data breaches.
When discussing HIPAA training for employees, it is important to be aware that the HIPAA training requirements do not distinguish between employees and other members of a workforce. Therefore, if your organization´s workforce includes students, volunteers, unpaid trainees, or any other persons under the organization´s direct control, they need to receive the same training as employees.
The content of the training depends on the nature of the organization´s operations. For example, a public-facing healthcare provider´s workforce will have different training requirements than an office-based health plan´s workforce. Additionally, a Business Associate´s workforce may only need to receive security and awareness training depending on the service being provided.
What HIPAA Says about HIPAA Training for Employees
There are two references to HIPAA training for employees in the Administrative Simplification Regulations. The first is in the Administrative Requirements of the Privacy Rule (§164.530). The Administrative Requirements require a Covered Entity to develop and implement policies and procedures that protect the privacy of Protected Health Information and:
“Train all members of its workforce on the policies and procedures with respect to Protected Health Information required by this subpart [the Privacy Rule] and subpart D of this part [the Breach Notification Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”.
The second reference to HIPAA training for employees appears in the Administrative Safeguards of the Security Rule (§164.308). This standard requires both Covered Entities and Business Associates to “Implement a security awareness and training program for all members of its workforce (including management).” Fulfilling these requirements is enough to “tick the box” for compliance purposes.
Why Ticking the Box May Not be Enough
One of the issues with the HIPAA training requirements is that they assume workforce members already have an existing knowledge of HIPAA. Consequently, a Covered Entity could tick the box of compliance by (for example) explaining the policies and procedures for responding to an individual´s request to access, correct, or transfer their Protected Health Information.
However, if an employee does not know what Protected Health Information is, that an individual could have more than one designated record set, or that identifiers maintained outside a designated record set are not Protected Health Information, there will likely be mistakes made in responding to the request, which may result in a complaint being made to HHS´ Office for Civil Rights.
A possibly more serious event can occur if a senior member of an IT team does not understand why certain technical safeguards are required and allows members of the team to take shortcuts with standards relating to access controls, automatic logoff, and transmission security. The failure to comply with any of these standards could result in a breach of unsecured PHI.
What Should HIPAA Training Consist Of?
Ticking the box of compliance without explaining what the policies and procedures relate to, why they are there, and what the consequences might be if shortcuts are taken could not only leave an organization exposed to the risk of HIPAA violations and data breaches, but also to the risk of financial penalties and corrective action plans being imposed by HHS´ Office for Civil Rights.
Therefore, although there is no “one-size-fits-all” training curriculum, HIPAA training for employees and other workforce members should include modules such as:
- Overview of HIPAA
- Privacy Rule Basics
- Individuals´ Rights
- Permissible Uses and Disclosures
- Security Rule Basics
- Workstation Safety Rules
- Protecting PHI from Cyber Threats
- Breach Notification Policies and Procedures
- Sanctions Policies and Procedures
- State Privacy and Security Laws (where applicable)
With a ground-level knowledge of HIPAA, trainees will be able to put Privacy Rule and Security Rule training into context. This will not only help with being compliant employees in their day-to-day roles, but also more aware of procedures not being conducted compliantly that they can raise with a supervisor or compliance officer. Ultimately, having a more compliant workforce will result in fewer complaints and investigations – saving organizations time and money.
The Frequency of Training is Also Important
Neither the Privacy Rule nor the Security Rule stipulate the frequency of HIPAA training for employees other than when “functions are affected by a material change in the policies or procedures”. This can create issues when employees do not undergo refresher training for years – during which time what were occasional shortcuts develop into a cultural norm of noncompliance.
Consequently, compliance experts work on the basis that refresher training on policies and procedures should be provided at least annually, while security and awareness training should be ongoing. However, this frequency does not guarantee any reduction in HIPAA violations or data breaches, so many organizations are reluctant to commit training resources to HIPAA compliance.
One way around this issue is to take advantage of off-the-shelf online training packages. While these packages cannot replace policy and procedure training because each organization has its own policies and procedures, off-the-shelf online training packages can provide employees with a foundation in HIPAA knowledge as well as being used to provide refresher training as required.
Most off-the-shelf training packages offer a degree of customization to suit organizations´ requirements, and one significant advantage of online training packages of this nature is that training can be delivered in short modules at a time to suit trainees – the completion of each module being recorded so administrators can monitor each employee´s training progress.
HIPAA Training for Employees: FAQs
Should employees and other members of the workforce have the same training?
These depends on their functions within the organization and their access to Protected Health Information. For example, if an employed nurse and a volunteer nurse have the same functions and the same access to Protected Health Information, they should receive the same HIPAA training. However, nurses and environmental services personnel would not have the same HIPAA training.
Who decides what HIPAA training for employees is necessary?
The person with responsibility for training members of the workforce is most often the HIPAA Privacy Officer. Although this person might not personally deliver the training (i.e., security and awareness training should be delivered by the HIPAA Security Office), they are responsible for deciding what training is necessary, and how frequently it should be provided.
What is a “material change in the policies and procedures”?
A material change is any change that affects how a Covered Entity operates. For example, there were many operational changes in healthcare facilities during the COVID pandemic which would have resulted in material changes to policies and procedures. However, unlike “basic” training, material training only needs to be provided to those who the operational changes affect.
Is there one part of HIPAA training that is more important than others?
While there is no part of HIPAA training that is any more important than another, it is important that employees have a basic foundation in HIPAA and HIPAA terminology to understand the training and put it in context. However, in some cases, it may be necessary to prioritize certain parts of HIPAA training depending on the outcome of a risk assessment.
How long does it take to do HIPAA training?
This depends on the content of the training. Ideally, each training session should last no longer than forty minutes due to the risk of information overload. This is why modular online training can be beneficial as each module rarely lasts longer than ten minutes, so trainees can take – or revisit – multiple training modules in each session.