Privacy Act Training and HIPAA

When a federal agency provides medical care, there are situations in which its staff must complete both HIPAA and Privacy Act training. As a growing number of states pass their own privacy legislation, state agency personnel may likewise need HIPAA training alongside training on the state privacy act.

The Privacy Act of 1974 governs the collection, use, maintenance, and disclosure of personally identifiable information (PII) held by federal agencies. Under the Act, individuals have the right to request a copy of the records an agency keeps about them and to request that inaccuracies be corrected; agencies may only maintain information that is "relevant and necessary" to accomplish the purpose for which it is collected; and disclosure of records to other agencies or third parties is restricted and permitted only under specified conditions.

Anyone familiar with the Health Insurance Portability and Accountability Act will recognize these conditions, because they closely resemble patients' rights under HIPAA, the Minimum Necessary Standard, and the restrictions placed on disclosures to Business Associates. There is considerable overlap between the Privacy Act and HIPAA. Despite the similarities, however, separate Privacy Act and HIPAA training is required by law wherever both Acts apply, since each is mandated by its own regulation and covers a different population of workers.

The Legislation Behind Privacy Act and HIPAA Privacy Training

Privacy Act training is addressed in Part 24 of the Federal Acquisition Regulation. Subpart 24.3 requires that contractor employees receive training when they start work and annually thereafter if they:

  • collect, create, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle personally identifiable information (PII);
  • have access to a system of records in which PII is maintained; or
  • "design, develop, maintain, or operate" a system of records that collects, creates, uses, processes, stores, or disposes of PII.

HIPAA privacy training is governed by the Administrative Requirements of the HIPAA Privacy Rule. Under 45 CFR § 164.530, a HIPAA Covered Entity must train every member of its workforce on the policies and procedures adopted to prevent the unauthorized use or disclosure of Protected Health Information (PHI), as necessary and appropriate for each person's role. Training must be provided within a reasonable period after a person joins the workforce, and again whenever a material change to the policies or procedures affects that person's functions.

Both Acts apply when a federal agency delivers medical services to its employees, to contractors, or to members of the public. Agencies cited as subject to both include NASA, the General Services Administration, and the Department of Defense. Note the difference in scope: Privacy Act training is required only for personnel who handle PII or have access to a system of records, whereas every member of a Covered Entity's workforce must complete HIPAA privacy training.

HIPAA Privacy and Security Training

The HIPAA Security Rule additionally requires Covered Entities, and the Business Associates that provide services to them, to implement a security awareness and training program for their workforce. As healthcare becomes more digitized, HIPAA privacy and security training are usually delivered together; this is more practical than running separate privacy and security sessions for staff who access PHI through electronic health records (EHRs).

The content of a security awareness and training program overlaps directly with Privacy Act training, because electronic records containing PII are subject to administrative, technical, and physical safeguards comparable to those in the HIPAA Security Rule. The Privacy Act itself requires "appropriate administrative, technical, and physical safeguards", and the federal guidance that implements that requirement addresses encryption, automatic log-off, and the disposal of electronic media in terms very similar to the corresponding HIPAA Security Rule standards.

State Privacy Acts and HIPAA Privacy Rule Training

Because the Privacy Act applies only to federal agencies, a number of states have enacted their own privacy laws that apply to state and local government bodies and, in some cases, to private companies. As a result, staff of public health departments, state-run correctional facilities, and public school systems that are already covered by HIPAA may also have to complete state privacy act training in addition to HIPAA Privacy Rule training, where the state law requires it.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. Follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone