Both the Privacy Rule and the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) have provisions covering training, but it is not abundantly clear how often HIPAA training is required.
HIPAA is deliberately flexible to ensure the legislation applies to covered entities and business associates of all types and sizes, and to make sure that changes in technology and working practices do not require frequent updates to the legislation.
This flexibility can lead to confusion and, unfortunately, the penalties for misinterpreting the requirements of HIPAA can be severe. In this post we will explain the sections of HIPAA text covering training and how often HIPAA training is required.
How Often is HIPAA Training Required?
The Administrative Requirements of the Privacy Rule state, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information”. The training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” and “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.”
Further Privacy Rule training is required when “functions are affected by a material change in the policies or procedures,” and this training must be provided “within a reasonable period of time after the material change becomes effective.” In this context, “a reasonable period of time” means within days or weeks rather than a month or more after starting work or after a change in policies and procedures.
In addition, under the Administrative Safeguards of the Security Rule, both covered entities and business associates are required to implement a security awareness and training program for all members of the workforce. The inclusion of the word “program” implies the security awareness training is ongoing and not a one-off or periodic event. Furthermore, the training needs to be provided to all members of the workforce – not just those with access to ePHI.
Is the Mandated Frequency of HIPAA Training Enough?
Undoubtedly there are gaps in the HIPAA legislation that could lead to some members of the workforce failing to receive instruction on what PHI is, why it needs protecting, and when it can be used or disclosed. This could lead to many types of HIPAA violations due to a lack of training – an issue that should be identified by a risk analysis.
Because the requirement to conduct periodic risk analyses appears in the Security Rule, many covered entities and business associates only conduct risk assessments on threats to electronic PHI. However, members of the workforce could see or hear PHI and then inadvertently share it via social media without consent – an impermissible disclosure of PHI that is a violation of HIPAA.
Consequently, it is recommended that covered entities and business associates consider threats to verbal and written PHI when conducting risk assessments that could be mitigated by further HIPAA training. Indeed, it can be beneficial to schedule HIPAA refresher training annually in addition to ongoing security awareness training and any training attributable to a material change.
You Must Document Your HIPAA Training!
Workforce HIPAA training and security awareness training must be documented. In the event of an audit or compliance investigation, OCR and state attorneys general are likely to request proof that employees have received training, and will certainly do so if a breach occurs due to the actions of an employee or when a complaint from a patient is investigated.
The HIPAA text does not state what documentation is required, so it is best to create a log that includes all employee names, the training they were provided, the course content, whether training was completed successfully, and the dates that training was provided. The log should include HIPAA training and security awareness training and you should include a copy of the course in your documentation, or links to the course if you provided online HIPAA training.
How Often is HIPAA Training Required FAQs
Why might some members of the workforce fail to receive training on what PHI is?
A strict interpretation of the Privacy Rule training requirements implies training only has to be provided to members of the workforce when their functions involve uses and disclosures of PHI. This interpretation would mean employees such as environmental services and maintenance personnel might be excluded from Privacy Rule training – making it harder for them to comprehend security awareness training or misleading them into thinking only electronic PHI is covered by HIPAA.
Do the same HIPAA rules apply to volunteers and students as apply to full-time employees?
The HIPAA Rules apply to all members of a Covered Entity’s or Business Associate’s workforce regardless of their employment status. This is because HIPAA defines a workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate”.
How can Covered Entities provide Privacy Rule training to all members of a workforce while providing policy and procedure training to some members of a workforce?
The best solution to this issue is to outsource basic HIPAA training for all members of the workforce, and then provide in-house training on policies and procedures. This would give all members of the workforce an understanding of HIPAA to avoid inadvertent disclosures, while those who are subsequently undergoing policy and procedure training will better understand why the policies and procedures exist – supporting better retention and compliance.
Why do members of a Business Associate’s workforce with no access to ePHI have to undergo security awareness training?
This is because if a person with no access to ePHI reveals their login credentials to a cybercriminal (e.g., via a phishing email), the cybercriminal may still be able to gain access to databases containing ePHI by using the person’s login credentials to navigate laterally through the Business Associate’s network. Consequently, it is just as important for people with no access to ePHI to receive security awareness training as it is for people with access to receive it.
Whose responsibility is it to determine the frequency of HIPAA training?
The provision of HIPAA training is usually the responsibility of the Privacy Officer or Security Officer. However, there may be circumstances in which a supervisor or manager identifies a need for additional training and organizes it themselves. In these circumstances – and even though the training may have been provided informally – it is important the training is documented along with the reason(s) why it was provided (especially when the result of a risk analysis).