How Often is HIPAA Training Required?

Both the Privacy Rule and the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) have provisions covering training for healthcare employees, but the text is a little vague, which means it is not abundantly clear how often HIPAA training is required.

HIPAA is meant to be flexible to ensure the legislation applies to healthcare organizations and business associates of all types and sizes, and to make sure that changes in technology and working practices do not require frequent updates to the legislation. This flexibility can lead to confusion and, unfortunately, the penalties for misinterpreting the requirements of HIPAA can be severe. In this post we will explain the sections of HIPAA text covering training and how often HIPAA training is required.

How Often is HIPAA Training Required?

HIPAA states, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and that the training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” Initial HIPAA training is required “no later than the compliance date for the covered entity,” and “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.”

Further training is required when “functions are affected by a material change in the policies or procedures,” and this training must be provided “within a reasonable period of time after the material change becomes effective.” “Periodic” training must also be provided thereafter. It should be noted that training is required on the HIPAA Rules, and also as part of “a security awareness and training program” to meet the requirements of the HIPAA Security Rule.

“Within a reasonable period of time” means within days or weeks, rather than a month or more, after starting work or after a change in policies and procedures. “Periodic” means refresher training must be provided every two years at the latest, although the best practice is to provide refresher training on the HIPAA Rules and security awareness every year.

Providing regular HIPAA and security awareness training will help to prevent accidental HIPAA violations and privacy breaches by employees. Organizations that provide regular training to the workforce – and are able to prove they have provided that training – are likely to be viewed more favorably by regulators and are less likely to be fined for HIPAA violations by employees when errors lead to privacy breaches.

You Must Document Your HIPAA Training!

Workforce HIPAA training and security awareness training must be documented. In the event of an audit or compliance investigation, OCR and state attorneys general are likely to request proof that employees have received training, especially if a breach occurs due to the actions of an employee or when a complaint from a patient is investigated.

The HIPAA text does not state what documentation is required, so it is best to create a log that includes all employee names, the training they were provided, the course content, whether training was completed successfully, and the dates that training was provided. The log should cover both HIPAA training and security awareness training. You should also keep a copy of the course in your documentation, or links to the course if you provided online HIPAA training.
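As an added illustration, not part of the original post, the following Python script keeps a training log with the fields listed above and checks it against the intervals the post describes: a refresher every two years at the latest, yearly as best practice, and initial or post-change training within a “reasonable period of time.” The post gives no exact number of days for that period, so the 30-day cutoff, the status names and the sample employees are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Intervals from the post: refresher training every two years at the latest,
# every year as best practice. The "reasonable period of time" for new hires
# and for training after a material policy change is described only as days
# or weeks rather than a month or more, so 30 days is an assumed cutoff here.
REFRESHER_MAX = timedelta(days=2 * 365)
REFRESHER_BEST_PRACTICE = timedelta(days=365)
REASONABLE_PERIOD = timedelta(days=30)  # assumption, not a figure from HIPAA

# Both kinds of training the post says must be delivered and logged.
TRAINING_TYPES = ("hipaa_rules", "security_awareness")


@dataclass
class TrainingRecord:
    """One row of the training log: what was taught, which course, outcome, when."""
    training_type: str
    course: str            # course title, or a link to the online course
    completed: bool
    date_provided: date


@dataclass
class Employee:
    name: str
    start_date: date
    records: list = field(default_factory=list)


def audit_training(employees, as_of):
    """Return one finding per employee and training type that needs attention."""
    findings = []
    for emp in employees:
        for ttype in TRAINING_TYPES:
            done = [r.date_provided for r in emp.records
                    if r.training_type == ttype and r.completed]
            if not done:
                # A new hire still inside the window is not yet a compliance gap.
                still_new = as_of - emp.start_date <= REASONABLE_PERIOD
                status = "pending_new_hire" if still_new else "missing"
                findings.append({"employee": emp.name, "training": ttype, "status": status})
                continue
            age = as_of - max(done)
            if age > REFRESHER_MAX:
                findings.append({"employee": emp.name, "training": ttype, "status": "overdue"})
            elif age > REFRESHER_BEST_PRACTICE:
                findings.append({"employee": emp.name, "training": ttype,
                                 "status": "refresher_recommended"})
    return findings


def retraining_after_change(employees, training_type, change_effective, as_of):
    """Flag everyone without a completed record on or after a material policy change."""
    deadline = change_effective + REASONABLE_PERIOD
    out = []
    for emp in employees:
        retrained = any(r.training_type == training_type and r.completed
                        and r.date_provided >= change_effective for r in emp.records)
        if not retrained:
            out.append({"employee": emp.name, "training": training_type,
                        "status": "past_due" if as_of > deadline else "due",
                        "deadline": deadline})
    return out


# Constructed sample log and dates, for illustration only.
SAMPLE_AS_OF = date(2024, 6, 1)
SAMPLE_CHANGE_EFFECTIVE = date(2024, 4, 1)
SAMPLE_EMPLOYEES = [
    Employee("alice", date(2021, 1, 4), [
        TrainingRecord("hipaa_rules", "HIPAA Rules 101", True, date(2021, 1, 11)),
        TrainingRecord("security_awareness", "Phishing basics", True, date(2021, 1, 11)),
        TrainingRecord("hipaa_rules", "HIPAA refresher", True, date(2023, 3, 1)),
        TrainingRecord("security_awareness", "Security refresher", True, date(2023, 3, 1)),
    ]),
    Employee("bob", date(2022, 2, 1), [
        TrainingRecord("hipaa_rules", "HIPAA Rules 101", True, date(2022, 2, 7)),
        TrainingRecord("security_awareness", "Phishing basics", False, date(2022, 2, 7)),
    ]),
    Employee("carol", date(2024, 5, 20), []),
    Employee("dave", date(2020, 6, 1), [
        TrainingRecord("hipaa_rules", "HIPAA refresher", True, date(2024, 1, 15)),
        TrainingRecord("security_awareness", "Security refresher", True, date(2024, 1, 15)),
        TrainingRecord("hipaa_rules", "Updated PHI handling policy", True, date(2024, 4, 10)),
    ]),
]

if __name__ == "__main__":
    for finding in audit_training(SAMPLE_EMPLOYEES, SAMPLE_AS_OF):
        print(finding)
    for finding in retraining_after_change(SAMPLE_EMPLOYEES, "hipaa_rules",
                                           SAMPLE_CHANGE_EFFECTIVE, SAMPLE_AS_OF):
        print(finding)
```

Run against the sample log, the audit flags alice for the yearly refresher, bob as overdue on HIPAA Rules training and missing security awareness training (his only record is marked not completed), and carol as a new hire still inside the window; dave produces no finding because his most recent records are current. Keeping the log in a structured form like this also gives you the evidence trail the post says regulators will ask for.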