HIPAA Training

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. HIPAA’s initial objective was to address the issue of healthcare coverage for individuals between jobs. Prior to HIPAA, workers who were temporarily out of work could find themselves without healthcare coverage. HIPAA introduced new protections for people in this situation, and still maintains this function to this day.

However, HIPAA is better known for introducing a “federal floor of privacy protections for individuals’ individually identifiable health information” and for standardizing how Covered Entities use, store, disclose, and share Protected Health Information (PHI). By introducing strict requirements for safeguarding PHI, HIPAA contributed towards a more robust data security framework for health plans, health care clearinghouses, and health care providers.

Why HIPAA Training for Employees is Vital

For a Covered Entity to be HIPAA-compliant, it is essential that all members of the workforce are trained on the Covered Entity’s policies and procedures for safeguarding PHI. The training should be tailored “as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”, and must be provided within a reasonable period of time after a new employee joins the Covered Entity’s workforce (see 45 CFR § 164.530).

Further HIPAA training must also be provided whenever a material change in the Covered Entity’s policies and procedures affects an employee’s role. If the material change only affects a small group of the workforce, only those whom the change affects need to undergo HIPAA training. However, if the material change affects the whole workforce (for example, a change in breach notification procedures), all employees will have to undergo refresher training.

While the above section of HIPAA applies only to Covered Entities, the Security Rule Administrative Safeguards (45 CFR § 164.308) apply to both Covered Entities and Business Associates. This standard requires Covered Entities and Business Associates to develop a security and awareness training program for their entire workforces to ensure compliance with policies and procedures relating to the safeguarding of electronic Protected Health Information (ePHI).

Although there is no training-related requirement for Covered Entities and Business Associates to provide refresher security and awareness training, both types of organizations are required to conduct frequent risk assessments. If a risk assessment identifies a need for further training, the Covered Entity or Business Associate is required to provide that training or document why it was not provided.

Overcoming Dissimilar Training Requirements

The definition of the term “members of the workforce” goes beyond public-facing medical employees or health plan administrators to include students, volunteers, contractors, and senior management who might never encounter PHI/ePHI in their day-to-day functions. Nonetheless, all members of the workforce are required to undergo HIPAA training for Covered Entities and Business Associates to be HIPAA compliant.

However, not every member of the workforce will need the same level of training to carry out their functions in compliance with HIPAA. For example, a hospital environmental services technician will need to understand what HIPAA is and how to report unauthorized disclosures of PHI, but they will not need a comprehensive understanding of (for example) patients’ rights, the HITECH Act, or the consequences of violating HIPAA beyond their employer’s Sanctions Policy.

Consequently, the best way to overcome dissimilar training requirements is via modules. Individual modules can be prepared to align with the organization’s HIPAA policies and procedures, and those which are relevant to different groups of the workforce can be presented as “necessary and appropriate” for members of the workforce to carry out their functions. This option is far more effective than providing too much information to staff who will never need it.

With this in mind, we have compiled three series of sample HIPAA training modules. The first – Basic HIPAA Modules – should be used to provide members of the workforce with a grounding in HIPAA. The second – Advanced HIPAA Modules – should be used to build on the basic training; and the third – “HIPAA Training for Students” – contains modules from both the Basic and the Advanced curricula along with student-specific modules.

Basic HIPAA Modules

The Basic HIPAA modules contain elements of HIPAA that will be common to many functions. Geared towards Covered Entities’ training obligations under the Privacy Rule, these modules might be used for introducing new employees to HIPAA – provided they are complemented with function-specific advanced modules – or as the basis for refresher training when material changes occur.

HIPAA Overview

The best way to introduce a HIPAA training course is to provide an overview of HIPAA, what it is, who the rules apply to, and why it is important employees comply with policies and procedures designed to safeguard PHI/ePHI from impermissible uses and disclosures.

HIPAA Definitions

When HIPAA is first introduced to new employees, its language can be confusing to trainees with no experience of US legislation. Therefore, it can be beneficial to explain the terminology that will be used during HIPAA training – especially what constitutes PHI/ePHI.

The HITECH Act

Knowledge of the HITECH Act will not be essential for employees to perform their day-to-day functions, but understanding how the Meaningful Use and Promoting Interoperability programs evolved may help employees better understand policies based on Security Rule standards.

The Five HIPAA Regulatory Rules

Depending on the content of other modules, this is a good place to explain the Enforcement Rule and Breach Notification Rule. Ideally the three other main HIPAA rules – the Privacy Rule, the Omnibus Final Rule, and the Security Rule – should each have their own modules.

The Privacy Rule

It is essential that all members of the workforce – regardless of their function – have a basic understanding of the Privacy Rule and concepts such as the Minimum Necessary Standard, patients’ rights, and seeking consent before disclosing PHI to third parties.

The Omnibus Final Rule

A module relating to the Omnibus Final Rule is important for Covered Entities to include as the Omnibus Final Rule enacted provisions of the HITECH Act to enhance existing security protections. The Rule also made Business Associates directly liable for violations of HIPAA.

The Security Rule

Although policies developed around the Security Rule may only apply to employees with access to ePHI, all employees should be given a foundation in Security Rule basics so they better understand mechanisms implemented to comply with the physical, administrative, and technical safeguards.

Patients’ Rights under HIPAA

Although patients’ rights may have already been covered in the Privacy Rule module, public-facing employees will require a deeper knowledge of what patients can request and how long Covered Entities and (potentially) Business Associates have to comply with access and correction requests.

HIPAA Disclosure Rules

A module relating to the disclosure rules will support the Privacy Rule module by providing further information about when it is permissible to disclose PHI and when patient consent is required before disclosing PHI to families, friends, and other third parties.

The Consequences of HIPAA Violations

The consequences of HIPAA violations not only impact Covered Entities, Business Associates, and patients, but can also impact employees responsible for negligently or deliberately violating their employer’s HIPAA policies. Therefore, this module should expand on the HIPAA sanctions policy.

Preventing HIPAA Violations

In addition to training employees to be HIPAA-compliant, it can benefit Covered Entities and Business Associates to train staff on identifying and reporting potential threats to PHI that may result in a HIPAA violation and – importantly – on reporting HIPAA violations as soon as they occur.

Being a HIPAA Compliant Employee

This module could either be used as a summary of basic HIPAA training or as a refresher module following a material change in policies and procedures. Ideally it should contain best practices for HIPAA compliance, plus a list of dos and don’ts tailored to the group’s functions.

Advanced HIPAA Modules

While the basic HIPAA modules provide employees with a grounding in HIPAA, more advanced modules can help employees apply what they have learned in the basic modules to real-life situations. These modules are particularly relevant for employees with access to ePHI as many of them relate to Security Rule policies.

Timeline of HIPAA

Providing a timeline of HIPAA can reinforce the concept that HIPAA is constantly evolving to meet new challenges. This can prepare employees for subsequent “material change” refresher sessions, or for retraining when their roles and functions change.

Threats to Patient Data

This module should include both physical and online threats to patient data. So, in addition to warning employees about disclosing ePHI online, they should be alerted to safeguarding paper copies of PHI, positioning workstations out of public view, and ensuring mobile devices are secured.

Computer Safety Rules

Regardless of the HIPAA Rules, most Covered Entities and Business Associates will have policies relating to computer safety – not just the physical safety of workstations, but also the allowable uses of workstations for personal use to prevent viruses and malware.

HIPAA and Social Media

All employees need to be aware that it is a breach of the HIPAA Privacy Rule to share any information about a patient on social media. Even unintentional disclosures can result in sanctions for non-compliance, while patients can bring a private cause of action against the individual responsible.

HIPAA and Emergency Situations

In emergency situations, the Office for Civil Rights has the discretion to waive certain elements of HIPAA to support the flow of health information. This module should cover typical scenarios in which the HIPAA rules may be relaxed and how employees will be informed about any changes.

The Role of the HIPAA Officer

All Covered Entities and Business Associates are required to appoint a HIPAA Officer who is responsible for developing HIPAA policies and procedures. This module is a good opportunity for employees to meet the HIPAA Officer who will be the point of contact for questions and reports.

HIPAA Compliance Checklist

A good way to determine how much information has been absorbed during HIPAA training is to conclude each session with a HIPAA compliance checklist. Each checklist should be tailored to the subjects being taught during training in the context of trainees’ roles.

Recent HIPAA Updates

As mentioned in the HIPAA Timeline module, HIPAA is constantly evolving and any update to the regulations is likely to impact policies and procedures. While this may not result in a material change for all members of the workforce, it is still advisable to include this module in all refresher training.

Texas Medical Records Privacy Act and HB 300

HB 300 extends the definition of a Covered Entity to organizations that create, use, maintain, or transmit the health information of a Texas resident – regardless of where the organization is located. Consequently, training on the Texas Medical Records Privacy Act may apply outside of Texas.

Cybersecurity Dangers for Healthcare Employees

Although cybercriminals seek to extract healthcare data when launching phishing and malware attacks, the personal data of healthcare employees can also be at risk. Making healthcare employees aware of cybersecurity dangers for their personal data can change the way they think about ePHI.

How to Protect ePHI from Cyber Threats

With the previous module in mind, a further module about how to protect ePHI from cyber threats is likely to be more effective if employees can relate the online best practices provided in this module to the cybersecurity dangers mentioned in the previous module.

HIPAA Training for Healthcare Students

Healthcare students are most often supervised when they first perform practical roles. Nonetheless, it is important that they are aware of HIPAA and do not discuss patients, conditions, or treatments unless it is relevant to their medical training. Furthermore, the Department of Health and Human Services regards students as members of a Covered Entity’s workforce, so it is a requirement of HIPAA that they undergo training within a reasonable period of time from when they start studying.

With this in mind, an ongoing HIPAA training course for healthcare students will likely consist of a selection of modules from each of the basic and advanced modules suggested above. In addition, Covered Entities may choose to add further modules that are relevant to the ways in which students are most likely to access, use, and disclose PHI/ePHI. Suggestions for these further modules are below.

  • Timeline of HIPAA
  • HIPAA Overview
  • Definitions and Lexicon
  • The HITECH Act
  • The Five HIPAA Regulatory Rules
  • HIPAA Privacy Rule
  • HIPAA Omnibus Final Rule
  • HIPAA Security Rule
  • Patients’ Rights under HIPAA
  • PHI Disclosure Guidelines
  • HIPAA and Social Media
  • Threats to Patient Data
  • Computer Safety Rules
  • The Consequences of HIPAA Violations
  • Preventing HIPAA Violations
  • HIPAA and Emergency Situations
  • The Role of the HIPAA Officer
  • Recent HIPAA Updates

EHR Access by Healthcare Students

Although students will be supervised when they first access ePHI, the risk exists they could repeat information they have seen verbally or via social media. Students need to be aware that any unauthorized disclosure of ePHI – regardless of how ePHI is accessed – is a violation of HIPAA.

ePHI in Student Reports and Projects

It is also a violation of HIPAA to reproduce any ePHI that has been accessed in medical training in reports, projects, and presentations unless the student has obtained the express written consent of the subject of the ePHI, or the ePHI has been de-identified.

Being a HIPAA Compliant Student

It is just as important that students adhere to HIPAA policies and procedures as it is that healthcare professionals do. Therefore, this module should contain best practices for HIPAA compliance from a student’s perspective and a role-relevant list of dos and don’ts tailored for students.

Advice for Providing HIPAA Training

HIPAA Privacy Officers are responsible for providing privacy training to Covered Entities’ workforces, while HIPAA Security Officers are responsible for providing security awareness training to the workforces of Covered Entities and Business Associates. Ideally, HIPAA Officers should work together to compile training courses that cover all aspects of HIPAA to prevent “double training”.

Thereafter, the issue exists of providing training that is “necessary and appropriate” and relates to employees’ functions. Provide too much training, and much of it could be lost among the volume of information that has to be absorbed. Provide too little training, and the risk exists of a HIPAA violation for which the Covered Entity or Business Associate is liable due to a lack of training.

Therefore, HIPAA Privacy and Security Officers may wish to review the following best practices to ensure HIPAA training is effective:

  • Keep training sessions short and focused. Training by modules can help with the design of a training session, but it is important not to cram too many modules into one session. Ideally sessions should last no longer than forty minutes.
  • In many circumstances, it will be impossible to train workforces on all relevant aspects of HIPAA within a forty-minute session. Therefore, training sessions should take place over a week, with refresher training provided annually.
  • Avoid sessions that only contain content related to the history of HIPAA and the regulatory Rules. While it may be important for context that these modules are included, few people want to sit through a history lesson that has little relevance to their roles.
  • Training on the Breach Notification Rule is a requirement of HIPAA, so it is important this module is included. It should also be possible to incorporate breach reporting and the consequences of HIPAA violations and failing to report them.
  • It is a stipulation of the Administrative Safeguards of the Security Rule that management is included in the security and awareness training program. Ideally, managers should be included at the same time as other employees, so the training program is seen as being taken seriously.

One final piece of advice for providing HIPAA training is to make sure the training is documented. This involves noting the date, the content of the training, and who attended. In the event HIPAA training includes a module on Texas Medical Records Privacy Act and HB 300, attendees are required to sign a document to state they have been trained on the Act. As with all HIPAA documentation, training records must be maintained for a minimum of six years.

HIPAA Training FAQs

Who needs to receive HIPAA training?

HIPAA training must be provided to all members of the workforce. This includes everyone from the C-suite down to environmental services technicians, contractors, volunteers, and students – regardless of the level of contact they may have with Protected Health Information.

Do I need to provide classroom-based training sessions?

There is no requirement to provide classroom-based training sessions. Computer-based training courses are the easiest to administer and are usually well received by employees. Whether you develop your own course or use a third-party training course, make sure it is modular. Short modules are best, as they are easier for employees to fit into busy workflows.

What are the HIPAA training documentation requirements?

In the event of an audit or compliance investigation, the HHS’ Office for Civil Rights will need to be provided with evidence to show training has been provided to employees, the frequency of training sessions, and what the training covered. You must maintain a training log and store it with your HIPAA documentation.

Have there been any HIPAA fines for training failures?

The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance in recent years and imposed two financial penalties on healthcare providers in 2020 for training failures. OCR settled one case for $1.5 million to resolve HIPAA violations including a lack of Privacy Rule training and a small healthcare provider was fined $25,000 for violations including the failure to provide security awareness training to employees.

How often is HIPAA training required?

HIPAA refresher training sessions should be provided every two years at a minimum, although it is a recognized best practice to provide refresher HIPAA training annually. Two years is a long time. It would be easy for some HIPAA requirements to be forgotten by employees.