All workers must be given training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA re-training happen?
HIPAA-covered groups, business associates and subcontractors must comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be supplied before any employee is given access to PHI.
Training should cover the permissible uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security and HIPAA best practices.
The fines for HIPAA violations, and the consequences for individuals found have violated HIPAA Rules, must also be described. If workers do not receive training, they will not be aware of their responsibilities and privacy violations are likely to be applied.
Extra training must also be given whenever there is a material change to HIPAA Rules or internal policiesin relation to PHI, after the release of new guidance, or implementation of new technology.
HIPAA Training is More than a One-Time Event
Training at the beginning of an employment contract is essential, but training cannot be a one-time event. It is important to ensure workers do not forget about their responsibilities, so retraining is necessary and a requirement for ongoing HIPAA compliance.
HIPAA does not state how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be conducted ‘regularly.’ The industry best practice is for retraining to take place yearly.
The HIPAA Privacy Rule Administrative requirements, listed in 45 CFR § 164.530, require all members of the workforce to receive training on HIPAA Rules and policies and procedures in relation to PHI. Training should be provided, as required, to allow staff to conduct their work duties and functions within the covered entity. One training program therefore does suit all entities. HIPAA training for the IT department is likely to be different to training provided to administrative staff. The Privacy Rule states that training must be provided for all new employees “within a reasonable timeframe”.
The HIPAA standard 45 CFR § 164.308(a)(5) included two types of training – Job-specific training and security awareness training, neither of which can be just a one-time event.
While it is vital to provide training for HIPAA compliance and security awareness, it is also crucial to ensure that training has been comprehended, that it is remembered, and to ensure HIPAA Rules are followed on a dailybasis. It therefore recommended that you promote HIPAA awareness all year long.
How to Promote HIPAA Awareness
There is no specific rule for HIPAA retraining and there are many ways that healthcare groups can promote HIPAA awareness. While formal training sessions can be carried out on a yearly basis, the use of newsletters, email bulletins, posters, and quizzes can all help to raise and manage awareness of HIPAA Rules.
Security awareness training is most important. Annual training on HIPAA is a good best practice, but it is important to promote HIPAA awareness in relation to security more frequently. It is a good best practice to give security awareness training biannually and issue cybersecurity updates on a monthly basis. Any specific threats to the workforce should be made publicas necessary – new phishing threats for instance. However, care should be taken not to flood employees with threat information, to avoid employees suffering from alert fatigue.
When is HIPAA Retraining Necessary?
Along with annual refresher training sessions, retraining on HIPAA Rules is recommended after any privacy or security violation and after a data breach has been suffered.
While the individuals involved should be retrained, it is a good best practice to take these incidents as a chance for training opportunity for all staff to ensure similar breaches do not take place in the future. If one worker makes a mistake with HIPAA, there is a chance that others have failed to understand HIPAA requirements or are making similar errors.