HIPAA Training

HIPAA Training Overview

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. HIPAA’s primary objective was to address the issue of healthcare coverage and portability for individuals between jobs. Prior to HIPAA, workers who were temporarily out of work or changed jobs could find themselves without healthcare coverage. HIPAA introduced new protections for people in this situation, and still maintains this function to this day.

However, HIPAA is better known for introducing a “federal floor of privacy protections for individuals’ individually identifiable health information” and for standardizing how Covered Entities use, store, disclose, and share Protected Health Information (PHI). By introducing strict requirements for safeguarding PHI, HIPAA contributed towards better patient privacy protections and a more robust data security framework for health plans, health care clearinghouses, and health care providers.

Why HIPAA Training for Employees is Vital

For a Covered Entity to be HIPAA-compliant, it is essential that all members of the workforce are trained on the Covered Entity’s policies and procedures for safeguarding PHI. The training should be tailored “as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”, and must be provided within a reasonable period of time after a new employee joins the Covered Entity’s workforce (see 45 CFR § 164.530).

Further HIPAA training must also be provided whenever a material change in the Covered Entity’s policies and procedures affects an employee’s role. If the material change only affects a small group of the workforce, only those whom the change affects need to undergo “refresher” HIPAA training. However, if the material change affects the whole workforce (e.g., a change in breach notification procedures), all employees will have to undergo refresher HIPAA training.

The above HIPAA training standard applies to Covered Entities at all times and Business Associates when appropriate. However, the Security Rule Administrative Safeguards (45 CFR § 164.308) apply to both Covered Entities and Business Associates at all times. This standard requires Covered Entities and Business Associates to develop a security and awareness training program for their entire workforces to ensure compliance with policies and procedures relating to the safeguarding of electronic Protected Health Information (ePHI).

Although there is no training-related requirement for Covered Entities and Business Associates to provide refresher security and awareness training, both types of organizations are required to conduct frequent risk assessments. If a risk assessment identifies a threat or vulnerability that could be resolved by further training, the Covered Entity or Business Associate is required to provide further training or document why training was not provided.

Overcoming Dissimilar Training Requirements

The definition of the term “members of the workforce” goes beyond public-facing medical employees or health plan administrators to include students, volunteers, contractors, and senior management who might never encounter PHI/ePHI in their day-to-day functions. Nonetheless, all members of the workforce are required to undergo HIPAA training for Covered Entities and Business Associates to be HIPAA compliant.

However, not every member of the workforce will need the same level of training to carry out their functions in compliance with HIPAA. For example, a hospital environmental services technician will need to understand what HIPAA is and how to report unauthorized disclosures of PHI, but they will not need a comprehensive understanding of (for example) patients’ rights, the HITECH Act, or the consequences of violating HIPAA beyond their employer’s Sanctions Policy.

Consequently, the best way to overcome dissimilar training requirements is via modules. Individual modules can be prepared to align with the organization’s HIPAA policies and procedures, and those which are relevant to different groups of the workforce can be presented as “necessary and appropriate” for members of the workforce to carry out their functions. This option is far more effective than providing too much information to staff who will never need it.

With this in mind, we have compiled three series of sample HIPAA training modules. The first – Basic HIPAA Modules – should be used to provide members of the workforce with a grounding in HIPAA. The second – Advanced HIPAA Modules – should be used to build on the basic training; and the third – “HIPAA Training for Students” – contains modules from both the Basic and the Advanced curricula along with student-specific modules.

Basic HIPAA Modules

The Basic HIPAA modules contain elements of HIPAA that will be common to many functions. Geared towards Covered Entities’ training obligations under the Privacy Rule, these modules might be used for introducing new employees to HIPAA – provided they are complemented with function-specific advanced modules – or as the basis for refresher training when material changes occur.

HIPAA Overview

The best way to introduce a HIPAA training course is to provide an overview of HIPAA, what it is, who the rules apply to, and why it is important employees comply with policies and procedures designed to safeguard PHI/ePHI from impermissible uses and disclosures.

HIPAA Definitions

When HIPAA is first introduced to new employees, its language can be confusing to trainees with no experience of US legislation. Therefore, it can be beneficial to explain the terminology that will be used during HIPAA training – especially what constitutes PHI/ePHI.

The HITECH Act

A knowledge of the HITECH Act will not be essential for employees to perform their day-to-day functions but understanding how the Meaningful Use and Promoting Interoperability programs evolved may help employees better understand policies based on Security Rule standards.

The Five HIPAA Regulatory Rules

Depending on the content of other modules, this is a good place to explain the Enforcement Rule and Breach Notification Rule. Ideally the three other main HIPAA rules – the Privacy Rule, the Omnibus Final Rule, and the Security Rule – should each have their own modules.

The Privacy Rule

It is essential all members of the workforce – regardless of their function – have a basic understanding of the Privacy Rule and concepts such as the Minimum Necessary Standard, patients´ rights, and seeking consent before disclosing PHI to third parties.

The Omnibus Final Rule

A module relating to the Omnibus Final Rule is important for Covered Entities to include as the Omnibus Final Rule enacted provisions of the HITECH Act to enhance existing security protections. The Rule also made Business Associates directly liable for violations of HIPAA.

The Security Rule

Although policies developed around the Security Rule may only apply to employees with access to ePHI, all employees should be given a foundation in Security Rule basics so they better understand mechanisms implemented to comply with the physical, administrative, and technical safeguards.

Patients’ Rights under HIPAA

Although patients’ rights may have already been covered in the Privacy Rule module, public-facing employees will require a deeper knowledge of what patients can request and how long Covered Entities and (potentially) Business Associates have to comply with access and correction requests.

HIPAA Disclosure Rules

A module relating to the disclosure rules will support the Privacy Rule module by providing further information about when it is permitted to disclose PHI and when patient consent is required before disclosing PHI to families, friends, and other third parties.

The Consequences of HIPAA Violations

The consequences of HIPAA violations not only impact Covered Entities, Business Associates, and patients, but can also impact employees responsible for negligently or deliberately violating their employer’s HIPAA policies. Therefore, this module should expand on the HIPAA sanctions policy.

Preventing HIPAA Violations

In addition to training employees to be HIPAA-compliant, it can benefit Covered Entities and Business Associates to train staff on identifying and reporting potential threats to PHI that may result in a HIPAA violation and – importantly – on reporting HIPAA violations as soon as they occur.

Being a HIPAA Compliant Employee

This module could either be used as a summary of basic HIPAA training or as a refresher module following a material change in policies and procedures. Ideally it should contain best practices for HIPAA compliance, plus a list of do’s and don’ts tailored to the group’s functions.

Advanced HIPAA Modules

While the basic HIPAA modules provide employees with a grounding in HIPAA, more advanced modules can help employees apply what they have learned in the basic modules to real-life situations. These modules are particularly relevant for employees with access to ePHI as many of them relate to Security Rule policies.

Timeline of HIPAA

Providing a timeline of HIPAA can reinforce the concept that HIPAA is constantly evolving to meet new challenges. This can prepare employees for subsequent “material change” refresher sessions, or for retraining when their roles and functions change.

Threats to Patient Data

This module should include both physical and online threats to patient data. So, in addition to warning employees about disclosing ePHI online, they should be alerted to safeguarding paper copies of PHI, positioning workstations out of public view, and ensuring mobile devices are secured.

Computer Safety Rules

Regardless of the HIPAA Rules, most Covered Entities and Business Associates will have policies relating to computer safety – not just the physical safety of workstations, but also the allowable uses of workstations for personal use to prevent viruses and malware.

HIPAA and Social Media

All employees need to be aware that it is a breach of the HIPAA Privacy Rule to share any information about a patient on social media. Even unintentional disclosures can result in sanctions for non-compliance, while patients can bring a private cause of action against the individual responsible.

HIPAA and Emergency Situations

In emergency situations, the Office for Civil Rights has the discretion to waive certain elements of HIPAA to support the flow of health information. This module should cover typical scenarios in which the HIPAA rules may be relaxed and how employees will be informed of any changes.

The Role of the HIPAA Officer

All Covered Entities and Business Associates are required to appoint a HIPAA Officer who is responsible for developing HIPAA policies and procedures. This module is a good opportunity for employees to meet the HIPAA Officer who will be the point of contact for questions and reports.

HIPAA Compliance Checklist

A good way to determine how much information has been absorbed during HIPAA training is to conclude each session with a HIPAA compliance checklist. Each checklist should be tailored to the subjects being taught during training in the context of trainees’ roles.

Recent HIPAA Updates

As mentioned in the HIPAA Timeline module, HIPAA is constantly evolving and any update to the regulations is likely to impact policies and procedures. While this may not result in a material change for all members of the workforce, it is still advisable to include this module in all refresher training.

Texas Medical Records Privacy Act and HB 300

HB300 extends the definition of a Covered Entity for organizations that create, use, maintain, or transmit the health information of a Texas resident – regardless of where the organization is located. Consequently, training on the Texas Medical Records Privacy Act may apply outside of Texas.

Cybersecurity Dangers for Healthcare Employees

Although cybercriminals seek to extract healthcare data when launching phishing and malware attacks, the personal data of healthcare employees can also be at risk. Making healthcare employees aware of cybersecurity dangers for their personal data can change the way they think about ePHI.

How to Protect ePHI from Cyber Threats

With the previous module in mind, a further module about how to protect ePHI from cyber threats is likely to be more effective if employees can relate the online best practices provided in this module to the cybersecurity dangers mentioned in the previous module.

HIPAA Training for Healthcare Students

Healthcare students are most often supervised when they first perform practical roles. Nonetheless, it is important they are aware of HIPAA and do not discuss patients, conditions, or treatments unless it is relevant to their medical training. Furthermore, the Department of Health and Human Services regards students as members of a Covered Entity’s workforce, so it is a requirement of HIPAA that they undergo training within a reasonable period of time from when they start studying.

With this in mind, an ongoing HIPAA training course for healthcare students will likely consist of a selection of the basic and advanced modules suggested above. In addition, Covered Entities may choose to add further modules that are relevant to the ways in which students are more likely to access, use, and disclose PHI/ePHI. Suggestions for these further modules are below.

  • Timeline of HIPAA
  • HIPAA Overview
  • Definitions and Lexicon
  • The HITECH Act
  • The Five HIPAA Regulatory Rules
  • HIPAA Privacy Rule
  • HIPAA Omnibus Final Rule
  • HIPAA Security Rule
  • Patients’ Rights under HIPAA
  • PHI Disclosure Guidelines
  • HIPAA and Social Media
  • Threats to Patient Data
  • Computer Safety Rules
  • The Consequences of HIPAA Violations
  • Preventing HIPAA Violations
  • HIPAA and Emergency Situations
  • The Role of the HIPAA Officer
  • Recent HIPAA Updates

EHR Access by Healthcare Students

Although students will be supervised when they first access ePHI, the risk exists they could repeat information they have seen verbally or via social media. Students need to be aware that any unauthorized disclosure of ePHI – regardless of how ePHI is accessed – is a violation of HIPAA.

ePHI in Student Reports and Projects

It is also a violation of HIPAA to reproduce any ePHI that has been accessed in medical training in reports, projects, and presentations unless the student has obtained the express written consent of the subject of the ePHI, or the ePHI has been deidentified.

Being a HIPAA Compliant Student

It is just as important that students adhere to HIPAA policies and procedures as it is that healthcare professionals do. Therefore, this module should contain best practices for HIPAA compliance from a student’s perspective and a role-relevant list of do’s and don’ts tailored for students.

Advice for Providing HIPAA Training

HIPAA Privacy Officers are responsible for providing privacy training to Covered Entities’ workforces, while HIPAA Security Officers are responsible for providing security awareness training to the workforces of Covered Entities and Business Associates. Ideally, HIPAA Officers should work together to compile training courses that cover all aspects of HIPAA to prevent “double training”.

Thereafter, the issue exists of providing training that is “necessary and appropriate” and relates to employee functions. Provide too much training, and much of it could be lost among the volume of information that has to be absorbed. Provide too little training, and the risk exists of a HIPAA violation for which the Covered Entity or Business Associate is liable due to a lack of training.

Therefore, HIPAA Privacy and Security Officers may wish to review the following best practices to ensure HIPAA training is effective:

  • Keep training sessions short and focused. Training by modules can help with the design of a training session, but it is important not to cram too many modules into one session. Ideally sessions should last no longer than forty minutes.
  • In many circumstances, it will be impossible to train workforces on all relevant aspects of HIPAA within a forty-minute session. Therefore, training sessions should take place periodically, with refresher training provided annually.
  • Avoid sessions that only contain content related to the history of HIPAA and the regulatory Rules. While it may be important for context that these modules are included, few people want to sit through a history lesson that has little relevance to their roles.
  • Training on the Breach Notification Rule is a requirement of HIPAA, so it is important this module is included. It should also be possible to incorporate breach reporting and the consequences of HIPAA violations and failing to report them.
  • It is a stipulation of the Administrative Safeguards of the Security Rule that management is included in the security and awareness training program. Ideally, managers should be included at the same time as other employees, so the training program is seen as being taken seriously.

One final piece of advice for providing HIPAA training is to make sure the training is documented. This involves noting the date, the content of the training, and who attended. In the event HIPAA training includes a module on the Texas Medical Records Privacy Act and HB 300, attendees are required to sign a document to state they have been trained on the Act. As with all HIPAA documentation, training records must be maintained for a minimum of six years.

HIPAA Training FAQs

Who needs to receive HIPAA training?

HIPAA training must be provided to all members of the workforce. This includes everyone from the C-suite down to environmental services technicians, contractors, volunteers, and students – regardless of the level of contact they may have with Protected Health Information.

Do I need to provide classroom-based training sessions?

There is no requirement to provide classroom-based training sessions. Computer-based training courses are the easiest to administer and are usually well received by employees. Whether you develop your own course or use a third-party training course, make sure it is modular. Short modules are best, as they are easier for employees to fit into busy workflows.

What are the HIPAA training documentation requirements?

In the event of an audit or compliance investigation, the HHS’ Office for Civil Rights will need to be provided with evidence to show training has been provided to employees, the frequency of training sessions, and what the training covered. You must maintain a training log and store it with your HIPAA documentation.

Have there been any HIPAA fines for training failures?

The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance in recent years and imposed two financial penalties on healthcare providers in 2020 for training failures. OCR settled one case for $1.5 million to resolve HIPAA violations including a lack of Privacy Rule training, and a small healthcare provider was fined $25,000 for violations including the failure to provide security awareness training to employees.

How often is HIPAA training required?

HIPAA refresher training sessions should be provided every two years at a minimum, although it is a recognized best practice to provide refresher HIPAA training annually. Two years is a long time, and it would be easy for some HIPAA requirements to be forgotten by employees.

What is the purpose of HIPAA training?

HIPAA training has two primary purposes. The first is to familiarize members of the workforce with the HIPAA regulations and explain the policies and procedures that apply to their functions. The second purpose is to reduce susceptibility to online threats to mitigate the risk of data breaches attributable to malware downloads and phishing.

What do you learn during HIPAA training?

What you learn during HIPAA training depends on the results of a risk assessment conducted by your employer’s Compliance Officer. Most HIPAA training courses will follow the formats discussed above – i.e., general training and security awareness training, followed by role-specific HIPAA training – but this may depend on what training resources are available to your employer.

How long does HIPAA training take?

HIPAA training takes as long as it takes to ensure members of the workforce understand their compliance obligations. Many Covered Entities incorporate additional training into sanctions policies. Therefore, it may be the case that two employees in the same role receive different amounts of training due to one of the employees requiring additional training.

What are the HB-300 training requirements?

The HB-300 training requirements are that all members of a Covered Entity’s workforce receive training on the Texas Medical Records Privacy Act within 90 days of starting work for an employer. Refresher training has to be provided within a year of a material change to HB-300 policies, and – if there are no material changes – every two years.

It is important to be aware that HB-300 does not distinguish between Covered Entities and Business Associates in the same way as HIPAA. All businesses with access to PHI/ePHI are considered to be Covered Entities. Additionally, HB-300 protects the PHI of all Texas citizens regardless of where PHI is collected, received, maintained, or used. Therefore, a HIPAA Business Associate in (for example) California could be a Covered Entity under the Texas Medical Records Privacy Act.

What is HIPAA training?

HIPAA training is a training course that explains what HIPAA stands for, what it protects, and how members of a workforce are expected to comply with it. While it is necessary to undergo HIPAA training, working in compliance with HIPAA is proven to be beneficial to patients and healthcare professionals. Therefore, although a mandatory requirement, it is worth doing.

How often is HIPAA training required?

According to the Privacy Rule, HIPAA training is only legally required when a member of the workforce first starts working for a Covered Entity, whenever there is a material change to policies and procedures, or when a risk assessment or sanctions policy identifies a need for further training. Ideally, HIPAA training should be provided at least annually.

How long is HIPAA training good for?

HIPAA training is as good as a member of the workforce remaining in the same job. If they take on a new job, the new employer is required by law to provide HIPAA training. While this may at first seem like a waste of time, it is important to note that no two Covered Entities are identical, and the new employer will likely have different HIPAA-related policies and procedures.

Why is HIPAA training important?

The importance of HIPAA training can vary according to an individual’s role. Generally, HIPAA training is important because it explains the privacy of PHI, when PHI can be used or disclosed, and how systems maintaining electronic PHI should be safeguarded against unauthorized access to mitigate the risk of data breaches and impermissible disclosures.

What is the difference between HIPAA and the Privacy Act of 1974?

HIPAA – via the Administrative Simplification regulations – protects the privacy and secures the confidentiality of individually identifiable health information maintained by Covered Entities (generally in the healthcare and health insurance industries). The Privacy Act of 1974 governs the uses and disclosures of any personally identifiable information maintained by federal agencies.

Who is responsible for providing HIPAA training?

Privacy and Security Officers are responsible for ensuring HIPAA training is provided – although they don’t necessarily have to provide training themselves. If, for example, the training involves a new piece of security software, it may be better for a member of the IT team to present the training because they will be able to answer any questions raised during the training.

What is an example of a “material change to policies”?

A material change to policies might occur if the IT security team implements new technologies that can detect network intrusion. The new technologies may require new policies to be put in place or new procedures for when an intrusion is identified. Because most members of the workforce will have some level of access to network devices, it may be necessary to explain the new procedures to most members of the workforce in order to avoid inadvertent impermissible disclosures of PHI.

Which senior managers have to attend HIPAA training?

All senior managers have to attend security awareness training and it is a good idea to have senior managers present at policy and procedure training so they can better understand the “on the ground” challenges to HIPAA compliance. Specifically, it is practical to involve CIOs and CISOs in technology training, and CFOs in any HIPAA training that relates to finance, billing, and/or claims.

What is the most important element of HIPAA training?

The “most important element” of HIPAA training will vary on a case-by-case basis and will usually be determined by a risk assessment or in response to a patient complaint or compliance investigation. However, it is important for all members of the workforce to understand what PHI is and why it has to be protected from impermissible disclosures and unauthorized access.

How often do you have to do HIPAA training?

The frequency of mandated HIPAA training depends on factors such as material changes to policies and procedures, risk assessments, and OCR corrective action plans. In addition, as well as maintaining an ongoing security and awareness training program, it is recommended Covered Entities and Business Associates provide Privacy Rule refresher training at least annually.

How targeted must HIPAA training be for each individual?

Role-based training should teach individuals about the areas of HIPAA that are appropriate to their functions and the policies and procedures that are relevant to their functions. For example, while it is necessary to train nursing assistants on the Breach Notification Rule, it is not necessary to train nursing assistants on how to notify OCR and affected individuals when a breach occurs.

Is annual security and awareness training enough to fulfil the HIPAA requirements?

The Security Rule training requirements do not stipulate the frequency of security and awareness training, but they do state it is a “program” rather than a one-off event. Therefore, security and awareness training should be ongoing. In the event of a security incident, OCR investigators may request documentation showing the content and frequency of security and awareness training.

Does every staff member undergo the same HIPAA training?

HIPAA training should be relevant to each member of the workforce’s functions, and while there are areas of the Privacy, Security, and Breach Notification Rules that are common to all HIPAA training courses, training programs should be designed so each member of the workforce can fulfil their functions in accordance with HIPAA and with the organization’s HIPAA-compliant policies.

Should the frequency of HIPAA training be the same for Business Associates as for Covered Entities?

Business Associates have the same HIPAA training obligations as Covered Entities to ensure workforces are capable of performing duties in compliance with HIPAA. However, while the training obligations are the same, it is likely a Business Associate will have a less diverse workforce than a Covered Entity and fewer topics to cover. Although this may not affect the frequency of HIPAA training, it will likely affect the depth of content.

How long does it take to complete HIPAA training?

You never complete HIPAA training. HIPAA is an evolving Act that can change frequently, plus the security and awareness training requirements of the Security Rule are ongoing. Additionally, if an employee of a Covered Entity changes jobs and goes to work for another Covered Entity, they will have to undergo HIPAA training again because the new employer’s policies and procedures may differ from their previous employer’s policies and procedures.

Why do we need HIPAA training?

HIPAA training is necessary so that members of the workforce understand what PHI is and why it should be protected from impermissible uses and disclosures. Consequently, training should not only be about policies and procedures, but also why the policies and procedures exist and the consequences of violating the policies for patients, employers, and themselves.

Which states require the provision of annual HIPAA training?

At present, no states require that Covered Entities or Business Associates provide annual HIPAA training. However, in some states, local privacy and security laws exist that supersede HIPAA. These may have specific training requirements (e.g., Texas), while organizations providing services to the Defense Health Agency may be required to provide Privacy Act and HIPAA privacy training annually.

When must new members of the workforce complete HIPAA training?

Under the federal regulation, new members of a Covered Entity’s workforce must complete HIPAA training “within a reasonable period of time after the person joins the Covered Entity’s workforce”. However, some states have more stringent requirements and stipulate a fixed time limit. Notably, the state of Texas classifies Business Associates the same as Covered Entities.

What kind of HIPAA training can one take and get certified?

There are various online sources which offer certificates at the conclusion of HIPAA training. Some online training courses are role specific, whereas others may provide more general HIPAA training. Both types of courses can be beneficial to job seekers, as a willingness to independently take a HIPAA training course and demonstrate completion of the course indicates a compliant nature.

What information should be included in a HIPAA training handout?

The content of handouts should reflect the area(s) of HIPAA being taught. Therefore, if (for example) the training session relates to obtaining an individual’s authorization prior to disclosing PHI, the handout should explain the difference between consent and authorization, uses and disclosures requiring an authorization, and what should be included in an authorization to ensure it is valid.

How long must security and awareness training records on HIPAA be maintained?

All HIPAA-related documentation must be maintained for a minimum of six years. For policies and procedures, the retention requirement is that documentation be maintained for six years from when the policy or procedure was last in force. Therefore, if a security and awareness training session relates to a specific policy (e.g., not sharing EHR passwords), a record of the training session will have to be maintained for a minimum of six years from when the policy is last in force.