The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. HIPAA’s primary objective was to address the issue of healthcare coverage and portability for individuals between jobs. Prior to HIPAA, workers who were temporarily out of work or changed jobs could find themselves without healthcare coverage. HIPAA introduced new protections for people in this situation, and still maintains this function to this day.
However, HIPAA is better known for introducing a “federal floor of privacy protections for individuals’ individually identifiable health information” and for standardizing how Covered Entities use, store, disclose, and share Protected Health Information (PHI). By introducing strict requirements for safeguarding PHI, HIPAA contributed towards better patient privacy protections and a more robust data security framework for health plans, health care clearinghouses, and health care providers.
For a Covered Entity to be HIPAA-compliant, it is essential that all members of the workforce are trained on the Covered Entity’s policies and procedures for safeguarding PHI. The training should be tailored “as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”, and must be provided within a reasonable period of time after a new employee joins the Covered Entity’s workforce (see 45 CFR § 164.530).
Further HIPAA training must also be provided whenever a material change in the Covered Entity’s policies and procedures affects an employee’s role. If the material change only affects a small group of the workforce, only those whom the change affects need to undergo “refresher” HIPAA training. However, if the material change affects the whole workforce (e.g., there is a change in breach notification procedures), all employees will have to undergo refresher HIPAA training.
The above HIPAA training standard applies to Covered Entities at all times and Business Associates when appropriate. However, the Security Rule Administrative Safeguards (45 CFR § 164.308) apply to both Covered Entities and Business Associates at all times. This standard requires Covered Entities and Business Associates to develop a security and awareness training program for their entire workforces to ensure compliance with policies and procedures relating to the safeguarding of electronic Protected Health Information (ePHI).
Although there is no training-related requirement for Covered Entities and Business Associates to provide refresher security and awareness training, both types of organizations are required to conduct frequent risk assessments. If a risk assessment identifies a threat or vulnerability that could be resolved by further training, the Covered Entity or Business Associate is required to provide further training or document why training was not provided.
The definition of the term “members of the workforce” goes beyond public-facing medical employees or health plan administrators to include students, volunteers, contractors, and senior management who might never encounter PHI/ePHI in their day-to-day functions. Nonetheless, all members of the workforce are required to undergo HIPAA training for Covered Entities and Business Associates to be HIPAA compliant.
However, not every member of the workforce will need the same level of training to carry out their functions in compliance with HIPAA. For example, a hospital environmental services technician will need to understand what HIPAA is and how to report unauthorized disclosures of PHI, but they will not need a comprehensive understanding of (for example) patients’ rights, the HITECH Act, or the consequences of violating HIPAA beyond their employer’s Sanctions Policy.
Consequently, the best way to overcome dissimilar training requirements is via modules. Individual modules can be prepared to align with the organization’s HIPAA policies and procedures, and those which are relevant to different groups of the workforce can be presented as “necessary and appropriate” for members of the workforce to carry out their functions. This option is far more effective than providing too much information to staff who will never need it.
With this in mind, we have compiled three series of sample HIPAA training modules. The first – Basic HIPAA Modules – should be used to provide members of the workforce with a grounding in HIPAA. The second – Advanced HIPAA Modules – should be used to build on the basic training; and the third – “HIPAA Training for Students” – contains modules from both the Basic and the Advanced curricula along with student-specific modules.
The Basic HIPAA modules contain elements of HIPAA that will be common to many functions. Geared towards Covered Entities’ training obligations under the Privacy Rule, these modules might be used for introducing new employees to HIPAA – provided they are complemented with function-specific advanced modules – or as the basis for refresher training when material changes occur.
The best way to introduce a HIPAA training course is to provide an overview of HIPAA, what it is, who the rules apply to, and why it is important employees comply with policies and procedures designed to safeguard PHI/ePHI from impermissible uses and disclosures.
When HIPAA is first introduced to new employees, its language can be confusing to trainees with no experience of US legislation. Therefore, it can be beneficial to explain the terminology that will be used during HIPAA training – especially what constitutes PHI/ePHI.
A knowledge of the HITECH Act will not be essential for employees to perform their day-to-day functions, but understanding how the Meaningful Use and Promoting Interoperability programs evolved may help employees better understand policies based on Security Rule standards.
Depending on the content of other modules, this is a good place to explain the Enforcement Rule and Breach Notification Rule. Ideally the three other main HIPAA rules – the Privacy Rule, the Omnibus Final Rule, and the Security Rule – should each have their own modules.
It is essential that all members of the workforce – regardless of their function – have a basic understanding of the Privacy Rule and concepts such as the Minimum Necessary Standard, patients’ rights, and seeking consent before disclosing PHI to third parties.
A module relating to the Omnibus Final Rule is important for Covered Entities to include as the Omnibus Final Rule enacted provisions of the HITECH Act to enhance existing security protections. The Rule also made Business Associates directly liable for violations of HIPAA.
Although policies developed around the Security Rule may only apply to employees with access to ePHI, all employees should be given a foundation in Security Rule basics so they better understand mechanisms implemented to comply with the physical, administrative, and technical safeguards.
Although patients’ rights may have already been covered in the Privacy Rule module, public-facing employees will require a deeper knowledge of what patients can request and how long Covered Entities and (potentially) Business Associates have to comply with access and correction requests.
A module relating to the disclosure rules will support the Privacy Rule module by providing further information about when it is permitted to disclose PHI and when patient consent is required before disclosing PHI to families, friends, and other third parties.
The consequences of HIPAA violations not only impact Covered Entities, Business Associates, and patients, but can also impact employees responsible for negligently or deliberately violating their employer’s HIPAA policies. Therefore, this module should expand on the HIPAA sanctions policy.
In addition to training employees to be HIPAA-compliant, it can benefit Covered Entities and Business Associates to train staff on identifying and reporting potential threats to PHI that may result in a HIPAA violation and – importantly – on reporting HIPAA violations as soon as they occur.
This module could either be used as a summary of basic HIPAA training or as a refresher module following a material change in policies and procedures. Ideally it should contain best practices for HIPAA compliance, plus a list of do’s and don’ts tailored to the group’s functions.
While the basic HIPAA modules provide employees with a grounding in HIPAA, more advanced modules can help employees apply what they have learned in the basic modules to real-life situations. These modules are particularly relevant for employees with access to ePHI as many of them relate to Security Rule policies.
Providing a timeline of HIPAA can reinforce the concept that HIPAA is constantly evolving to meet new challenges. This can prepare employees for subsequent “material change” refresher sessions, or for retraining when their roles and functions change.
This module should include both physical and online threats to patient data. So, in addition to warning employees about disclosing ePHI online, they should be alerted to safeguarding paper copies of PHI, positioning workstations out of public view, and ensuring mobile devices are secured.
Regardless of the HIPAA Rules, most Covered Entities and Business Associates will have policies relating to computer safety – not just the physical safety of workstations, but also the allowable uses of workstations for personal use to prevent viruses and malware.
All employees need to be aware that it is a breach of the HIPAA Privacy Rule to share any information about a patient on social media. Even unintentional disclosures can result in sanctions for non-compliance, while patients can bring a private cause of action against the individual responsible.
In emergency situations, the Office for Civil Rights has the discretion to waive certain elements of HIPAA to support the flow of health information. This module should cover typical scenarios in which the HIPAA rules may be relaxed and how employees will be informed of any changes.
All Covered Entities and Business Associates are required to appoint a HIPAA Officer who is responsible for developing HIPAA policies and procedures. This module is a good opportunity for employees to meet the HIPAA Officer who will be the point of contact for questions and reports.
A good way to determine how much information has been absorbed during HIPAA training is to conclude each session with a HIPAA compliance checklist. Each checklist should be tailored to the subjects being taught during training in the context of trainees’ roles.
As mentioned in the HIPAA Timeline module, HIPAA is constantly evolving and any update to the regulations is likely to impact policies and procedures. While this may not result in a material change for all members of the workforce, it is still advisable to include this module in all refresher training.
HB300 extends the definition of a Covered Entity for organizations that create, use, maintain, or transmit the health information of a Texas resident – regardless of where the organization is located. Consequently, training on the Texas Medical Records Privacy Act may apply outside of Texas.
Although cybercriminals seek to extract healthcare data when launching phishing and malware attacks, the personal data of healthcare employees can also be at risk. Making healthcare employees aware of cybersecurity dangers for their personal data can change the way they think about ePHI.
With the previous module in mind, a further module about how to protect ePHI from cyber threats is likely to be more effective if employees can relate the online best practices provided in this module to the cybersecurity dangers mentioned in the previous module.
Healthcare students are most often supervised when they first perform practical roles. Nonetheless, it is important that they are aware of HIPAA and do not discuss patients, conditions, or treatments unless it is relevant to their medical training. Furthermore, the Department of Health and Human Services regards students as members of a Covered Entity’s workforce, so it is a requirement of HIPAA that they undergo training within a reasonable period of time from when they start studying.
With this in mind, an ongoing HIPAA training course for healthcare students will likely consist of a selection of modules from each of the basic and advanced modules suggested above. In addition, Covered Entities may choose to add further modules that are relevant to the ways in which students are more likely to access, use, and disclose PHI/ePHI. Suggestions for these further modules are below.
Although students will be supervised when they first access ePHI, the risk exists they could repeat information they have seen verbally or via social media. Students need to be aware that any unauthorized disclosure of ePHI – regardless of how ePHI is accessed – is a violation of HIPAA.
It is also a violation of HIPAA to reproduce any ePHI that has been accessed in medical training in reports, projects, and presentations unless the student has obtained the express written consent of the subject of the ePHI, or the ePHI has been deidentified.
It is just as important that students adhere to HIPAA policies and procedures as it is that healthcare professionals do. Therefore, this module should contain best practices for HIPAA compliance from a student’s perspective and a role-relevant list of do’s and don’ts tailored for students.
HIPAA Privacy Officers are responsible for providing privacy training to Covered Entities’ workforces, while HIPAA Security Officers are responsible for providing security awareness training to the workforces of Covered Entities and Business Associates. Ideally, HIPAA Officers should work together to compile training courses that cover all aspects of HIPAA to prevent “double training”.
Thereafter, the issue exists of providing training that is “necessary and appropriate” and relates to employee functions. Provide too much training, and much of it could be lost among the volume of information that has to be absorbed. Provide too little training, and the risk exists of a HIPAA violation for which the Covered Entity or Business Associate is liable due to a lack of training.
Therefore, HIPAA Privacy and Security Officers may wish to review the following best practices to ensure HIPAA training is effective:
One final piece of advice for providing HIPAA training is to make sure the training is documented. This involves noting the date, the content of the training, and who attended. In the event HIPAA training includes a module on Texas Medical Records Privacy Act and HB 300, attendees are required to sign a document to state they have been trained on the Act. As with all HIPAA documentation, training records must be maintained for a minimum of six years.
HIPAA training must be provided to all members of the workforce. This includes everyone from the C-suite down to environmental services technicians, contractors, volunteers, and students – regardless of the level of contact they may have with Protected Health Information.
There is no requirement to provide classroom-based training sessions. Computer-based training courses are the easiest to administer and are usually well received by employees. Whether you develop your own course or use a third-party training course, make sure it is modular. Short modules are best, as they are easier for employees to fit into busy workflows.
In the event of an audit or compliance investigation, the HHS’ Office for Civil Rights will need to be provided with evidence to show training has been provided to employees, the frequency of training sessions, and what the training covered. You must maintain a training log and store it with your HIPAA documentation.
The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance in recent years and imposed two financial penalties on healthcare providers in 2020 for training failures. OCR settled one case for $1.5 million to resolve HIPAA violations including a lack of Privacy Rule training, and a small healthcare provider was fined $25,000 for violations including the failure to provide security awareness training to employees.
HIPAA refresher training sessions should be provided every two years at a minimum, although it is a recognized best practice to provide refresher HIPAA training annually. Two years is a long time. It would be easy for some HIPAA requirements to be forgotten by employees.
HIPAA training has two primary purposes. The first is to familiarize members of the workforce with the HIPAA regulations and explain the policies and procedures that apply to their functions. The second purpose is to reduce susceptibility to online threats to mitigate the risk of data breaches attributable to malware downloads and phishing.
What you learn during HIPAA training depends on the results of a risk assessment conducted by your employer’s Compliance Officer. Most HIPAA training courses will follow the formats discussed above – i.e., general training and security awareness training, followed by role-specific HIPAA training – but this may depend on what training resources are available to your employer.
HIPAA training takes as long as it takes to ensure members of the workforce understand their compliance obligations. Many Covered Entities incorporate additional training into sanctions policies. Therefore, it may be the case that two employees in the same role receive different amounts of training due to one of the employees requiring additional training.
The HB-300 training requirements are that all members of a Covered Entity’s workforce receive training on the Texas Medical Records Privacy Act within 90 days of starting work for an employer. Refresher training has to be provided within a year of a material change to HB-300 policies, and – if there are no material changes – every two years.
It is important to be aware that HB-300 does not distinguish between Covered Entities and Business Associates in the same way as HIPAA. All businesses with access to PHI/ePHI are considered to be Covered Entities. Additionally, HB-300 protects the PHI of all Texas citizens regardless of where PHI is collected, received, maintained, or used. Therefore, a HIPAA Business Associate in (for example) California could be a Covered Entity under the Texas Medical Records Privacy Act.
HIPAA training is a training course that explains what HIPAA stands for, what it protects, and how members of a workforce are expected to comply with it. While it is necessary to undergo HIPAA training, working in compliance with HIPAA is proven to be beneficial to patients and healthcare professionals. Therefore, although a mandatory requirement, it is worth doing.
According to the Privacy Rule, HIPAA training is only legally required when a member of the workforce first starts working for a Covered Entity, whenever there is a material change to policies and procedures, or when a risk assessment or sanctions policy identifies a need for further training. Ideally, HIPAA training should be provided at least annually.
HIPAA training remains valid only as long as a member of the workforce stays in the same job. If they take on a new job, the new employer is required by law to provide HIPAA training. While this may at first seem like a waste of time, it is important to note that no two Covered Entities are identical, and the new employer will likely have different HIPAA-related policies and procedures.
The importance of HIPAA training can vary according to an individual’s role. Generally, HIPAA training is important because it explains the privacy of PHI, when PHI can be used or disclosed, and how systems maintaining electronic PHI should be safeguarded against unauthorized access to mitigate the risk of data breaches and impermissible disclosures.
HIPAA – via the Administrative Simplification regulations – protects the privacy and secures the confidentiality of individually identifiable health information maintained by Covered Entities (generally in the healthcare and health insurance industries). The Privacy Act of 1974 governs the uses and disclosures of any personally identifiable information maintained by federal agencies.
Privacy and Security Officers are responsible for ensuring HIPAA training is provided – although they don’t necessarily have to provide training themselves. If, for example, the training involves a new piece of security software, it may be better for a member of the IT team to present the training because they will be able to answer any questions raised during the training.
A material change to policies might occur if the IT security team implements new technologies that can detect network intrusion. The new technologies may require new policies to be put in place or new procedures for when an intrusion is identified. Because most members of the workforce will have some level of access to network devices, it may be necessary to explain the new procedures to most members of the workforce in order to avoid inadvertent impermissible disclosures of PHI.
All senior managers have to attend security awareness training and it is a good idea to have senior managers present at policy and procedure training so they can better understand the “on the ground” challenges to HIPAA compliance. Specifically, it is practical to involve CIOs and CISOs in technology training, and CFOs in any HIPAA training that relates to finance, billing, and/or claims.
The “most important element” of HIPAA training will vary on a case-by-case basis and will usually be determined by a risk assessment or in response to a patient complaint or compliance investigation. However, it is important for all members of the workforce to understand what PHI is and why it has to be protected from impermissible disclosures and unauthorized access.
The frequency of mandated HIPAA training depends on factors such as material changes to policies and procedures, risk assessments, and OCR corrective action plans. In addition to maintaining an ongoing security and awareness training program, it is recommended that Covered Entities and Business Associates provide Privacy Rule refresher training at least annually.
Role-based training should teach individuals about the areas of HIPAA that are appropriate to their functions and the policies and procedures that are relevant to their functions. For example, while it is necessary to train nursing assistants on the Breach Notification Rule, it is not necessary to train nursing assistants on how to notify OCR and affected individuals when a breach occurs.
The Security Rule training requirements do not stipulate the frequency of security and awareness training, but they do state it is a “program” rather than a one-off event. Therefore, security and awareness training should be ongoing. In the event of a security incident, OCR investigators may request documentation showing the content and frequency of security and awareness training.
HIPAA training should be relevant to each member of the workforce’s functions; and while there are areas of the Privacy, Security, and Breach Notification Rules that are common to all HIPAA training courses, training programs should be designed so each member of the workforce can fulfil their functions in accordance with HIPAA and with the organization’s HIPAA-compliant policies.
Business Associates have the same HIPAA training obligations as Covered Entities to ensure workforces are capable of performing duties in compliance with HIPAA. However, while the training obligations are the same, it is likely a Business Associate will have a less diverse workforce than a Covered Entity and fewer topics to cover. Although this may not affect the frequency of HIPAA training, it will likely affect the depth of content.
You never complete HIPAA training. HIPAA is an evolving Act that can change frequently, plus the security and awareness training requirements of the Security Rule are ongoing. Additionally, if an employee of a Covered Entity changes jobs and goes to work for another Covered Entity, they will have to undergo HIPAA training again because the new employer’s policies and procedures may differ from their previous employer’s policies and procedures.
HIPAA training is necessary so that members of the workforce understand what PHI is and why it should be protected from impermissible uses and disclosures. Consequently, training should not only be about policies and procedures, but also why the policies and procedures exist and the consequences of violating the policies for patients, employers, and themselves.
At present, no states require that Covered Entities or Business Associates provide annual HIPAA training. However, in some states, local privacy and security laws exist that supersede HIPAA. These may have specific training requirements (e.g., Texas), while organizations providing services to the Defense Health Agency may be required to provide Privacy Act and HIPAA privacy training annually.
Under the federal regulation, new members of a Covered Entity’s workforce must complete HIPAA training “within a reasonable period of time after the person joins the Covered Entity’s workforce”. However, some states have more stringent requirements and stipulate a fixed time limit. Notably, the state of Texas classifies Business Associates the same as Covered Entities.
There are various online sources which offer certificates at the conclusion of HIPAA training. Some online training courses are role specific, whereas others may provide more general HIPAA training. Both types of courses can be beneficial to job seekers, as a willingness to independently take a HIPAA training course and demonstrate completion of the course indicates a compliant nature.
The content of handouts should reflect the area(s) of HIPAA being taught. Therefore, if (for example) the training session relates to obtaining an individual’s authorization prior to disclosing PHI, the handout should explain the difference between consent and authorization, uses and disclosures requiring an authorization, and what should be included in an authorization to ensure it is valid.
All HIPAA-related documentation must be maintained for a minimum of six years. For policies and procedures, the retention requirements stipulate that documentation be maintained for six years from when the policy or procedure was last in force. Therefore, if a security and awareness training session relates to a specific policy (e.g., not sharing EHR passwords), a record of the training session will have to be maintained for a minimum of six years from when the policy is last in force.
Copyright © 2023 ComplianceHome