
HIPAA Training for Healthcare Workers

The requirements relating to HIPAA training for healthcare workers have limitations which can expose individuals to sanctions for non-compliance. Consequently, it is recommended healthcare workers take responsibility for their HIPAA knowledge and how HIPAA applies in their roles.

If you are a healthcare worker, your employer should provide you with two types of HIPAA training – Privacy Rule training on HIPAA policies and procedures (required by 45 CFR § 164.530) and security and awareness training (required by 45 CFR § 164.308). Your employer should also provide you with refresher training if there is a “material change” to HIPAA policies and procedures.

These regulations do not go far enough to prevent healthcare workers from unintentionally violating HIPAA due to a lack of knowledge, or because non-compliant practices have been allowed to develop in the workplace. This article discusses the limitations of HIPAA training for healthcare workers, what the consequences can be, and what healthcare workers should do to avoid those consequences.

Privacy Rule HIPAA Training for Healthcare Workers

In order to meet the minimum regulatory requirements, an employer must provide Privacy Rule HIPAA training for healthcare workers “on the policies and procedures with respect to PHI […] as necessary and appropriate for members of the workforce to carry out their functions”. Consequently, the nature of the training could be limited to whatever policies and procedures your employer has developed and how relevant your employer thinks they are to your function.


While it is likely that your employer's Privacy Rule HIPAA training for healthcare workers covers topics such as patient interactions, Notices of Privacy Practices, permitted disclosures, and the minimum necessary standard, it may not cover patient access requests, incidental disclosures, or the difference between a HIPAA violation and a HIPAA breach – and who each type of event should be reported to.

Why the Lack of Refresher Training is an Issue

Even if no gaps exist in your initial HIPAA training for healthcare workers, there is no requirement – other than the material change requirement – for employers to provide refresher Privacy Rule training. (The Security Rule's "periodic security updates" implementation specification at 45 CFR § 164.308(a)(5)(ii)(A) is addressable rather than required, and says nothing about how often or in what depth.) Consequently, if a healthcare worker works for only one employer, it is possible that they could work their whole career without any refresher training on HIPAA. During this time, it would be completely understandable if a healthcare worker forgot some of the initial training and violated HIPAA.

The lack of refresher training can also lead to the development of non-compliant practices. This can occur when shortcuts are taken "to get the job done" and the shortcuts are subsequently repeated more and more frequently until the non-compliant practices become a cultural norm. Typically, the only times non-compliant practices are reversed by training are in response to a patient complaint, an OCR investigation, or a compliance audit – by which time the violations have already occurred.

The Risk of Gaps in Security and Awareness Training

The Security Rule provision to "implement a security awareness and training program for all members of its workforce (including management)" (45 CFR § 164.308(a)(5)(i)) has the potential to leave large gaps in the knowledge of any employee. This is because, to comply with the provision, employers can provide general security awareness training. There is no requirement to make the training role specific or relevant to any employee's function, even though the content of the training should be determined by the organization's risk analysis.

Employers could argue that it is impractical to provide different security and awareness training programs for different groups of the workforce when much of the content is duplicated. However, there are some areas of Security Rule compliance that may be unique to healthcare workers (EHRs, ePHI on mobile devices, etc.) and they could be excluded from security and awareness training if they are not identified as risks or don't apply to other groups of the workforce.

The Consequences of the Training Limitations

The consequences of the training limitations are that healthcare workers can violate HIPAA due to a lack of knowledge, the development of a cultural norm, or a gap in security and awareness training. In all cases, it is unlikely that your employer will take responsibility for a violation because it is a lot easier for them to point a finger at an individual and sanction them than it is to undergo an OCR investigation, revise policies, and provide material change training to the full workforce.

While this may seem unfair, there are precedents for employers sanctioning individuals for violations of HIPAA even though it was the employer's fault for failing to monitor compliance and allowing cultural norms of non-compliance to develop. It has also been reported that EHR passwords are frequently shared despite this being a clear violation of HIPAA. Even when this non-compliant practice is attributable to an employer's failings, the individual is still in violation of HIPAA.

What Healthcare Workers Can do to Protect Themselves

The best way for healthcare workers to protect themselves from unintentional violations of HIPAA is to take responsibility for their HIPAA knowledge and how HIPAA applies in their roles. There are multiple online training courses available that provide a good foundation in HIPAA knowledge plus several that can provide a deeper insight into HIPAA so individuals have a clearer understanding of how to act in certain real-life circumstances and not succumb to non-compliant practices.

Online HIPAA training for healthcare workers helps put employer training into context, can be used as refresher training whenever necessary, and can fill gaps in security and awareness programs. Additionally, because online HIPAA training is usually provided in a modular format, individuals can skip modules on topics they are familiar with and focus on those in which their knowledge is lacking – efficiently reducing the likelihood of unintentional HIPAA violations and sanctions.

HIPAA Certification for Healthcare Workers

A number of third-party compliance organizations offer online training courses that can help fill the gaps in HIPAA knowledge, and some of these offer a HIPAA certification for healthcare workers when the course is completed. Although a HIPAA certification for healthcare workers issued by a third-party organization is not endorsed by HHS' Office for Civil Rights, there are benefits to enrolling in a course of this nature.

Firstly, a HIPAA certification for healthcare workers demonstrates a “good faith” effort to understand HIPAA and comply with its standards. A certification may also be looked upon favorably by an employer when a healthcare worker applies for promotion or seeks a new job. Additionally, being able to show a patient a HIPAA certification may mitigate any privacy concerns the patient has about disclosing sensitive personal health information to a healthcare worker.

Research has shown that when patients are confident their sensitive personal health information will remain private, they tend to be more forthcoming about their symptoms. The additional information enables physicians to make better informed diagnoses and treatment plans, which often results in better patient outcomes. Better patient outcomes raise workplace morale and improve employee retention, as well as improving patient satisfaction scores.

HIPAA Awareness Training for Healthcare Professionals

Third-party HIPAA training courses do not only focus on compliance with the Privacy Rule. Modules exist that cover the basics of security and awareness training for healthcare professionals – including the risks of sharing EHR passwords and other login credentials. In many cases, the requirement to provide HIPAA awareness training for healthcare professionals can be fulfilled with a third-party training course, provided the employer supplements it with the organization-specific technical content (systems, procedures, and support contacts) that a generic course cannot supply.

Some third-party HIPAA training courses also cover what to do in the event of an impermissible disclosure of PHI (this is usually included in modules relating to the Breach Notification Rule). As impermissible disclosures of PHI can be oral, on paper, or electronic, these modules are particularly valuable when providing training in HIPAA for home care workers, or refresher training to any segment of the workforce for whom impermissible disclosures are a potential HIPAA violation.

HIPAA Training for Healthcare Workers: FAQs

Why do gaps exist in the HIPAA training requirements?

The HIPAA Privacy and Security Rules cover many different types of organizations and many different roles within organizations. Not only would it be impractical for the Department of Health & Human Services to develop different standards for each role within each organization, but it would also be impossible for covered entities to try to comply with a vast range of standards.

For this reason, the HIPAA Privacy Rule effectively says covered entities should develop policies and procedures so the organization complies with HIPAA, and train members of the workforce as necessary and appropriate on the policies and procedures that apply to their roles.

While this implies that HIPAA training for healthcare workers should include everything a healthcare worker needs to know to be HIPAA compliant, this depends on how the healthcare workers' employer has interpreted the Privacy Rule training standard and complied with that interpretation.

What happens if my employer fails to provide me with necessary and appropriate training?

This depends on the consequences. The failure to provide necessary and appropriate training may not result in a HIPAA violation, in which case nothing will happen. At the other end of the scale, if a patient complains to HHS' Office for Civil Rights about an impermissible disclosure, and an investigation into the complaint finds your employer is at fault, it is your employer – not you – that is subject to corrective action or sanctions.

However, there is a gray area in the middle of these two scenarios in which your employer provides you with the training necessary to tick the box of organizational compliance, but the training is not appropriate to your role. If a violation occurs, your employer could claim you are at fault for not applying the “necessary” training to your role – which is why it may be important for you to take responsibility for your HIPAA knowledge and how HIPAA applies in your role.

If my employer fails to provide me with proper HIPAA training for healthcare workers, who do I report it to?

Ideally, you should try to resolve the issue internally by raising your concerns with the HIPAA Privacy Officer. If the Privacy Officer is responsible for the failure to provide you with proper training, you can escalate your concerns to HHS' Office for Civil Rights via the OCR Complaint Portal. Although you will not be able to report your concerns anonymously, HIPAA prohibits covered entities from intimidating or retaliating against anyone who files a complaint (45 CFR § 164.530(g)), and an employer that does so faces sanctions of its own.

Is it necessary for healthcare workers with no access to EHRs to undergo security training?

Regardless of their access to electronic PHI, it is necessary for all members of a covered entity's or business associate's workforce to undergo security awareness training. This is because anybody with access to your employer's network could be a gateway for a cybercriminal to infiltrate the network – even if employees only connect to the network wirelessly to get a signal on personal mobile devices.

Why is sharing EHR passwords a HIPAA violation?

In the Technical Safeguards of the Security Rule, covered entities and business associates are required to "Assign a unique name and/or number for identifying and tracking user identity" (45 CFR § 164.312(a)(2)(i)) and "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed" (45 CFR § 164.312(d)). Together with the audit controls standard (45 CFR § 164.312(b)), this is so that, in the event of a change to or the deletion of a record, there is an audit trail of who accessed which record and when.

Sharing EHR passwords – or any passwords – violates these Security Rule standards because it will no longer be possible to determine which person changed or deleted a record: the audit trail shows a user ID, not the individual behind the keyboard. From a user's perspective, the person to whom the credentials were issued may be blamed for an unauthorized change or deletion that was not their doing, simply because they shared their password with a colleague to be helpful. Therefore, you should never reveal your password to anybody – including IT and security staff, who never need your password to do their jobs and should never ask for it.
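The attribution gap described above can be made visible in an EHR access log. The following is an added example, not HIPAA Journal's text or any EHR vendor's code: it parses a constructed audit log (the line format, field names, user IDs, workstation IDs and record numbers are all assumed for illustration) and flags a user ID that is logged in on two workstations at once, together with every record change made during that overlap. Those changes are exactly the ones the unique-user-ID safeguard can no longer attribute to a single person.

```python
"""Detect shared-credential indicators in a constructed EHR access-audit log.

Assumed line format (one event per line, whitespace separated):
    <ISO-8601 timestamp> <ACTION> <user id> <workstation id> <record id or '-'>
ACTION is one of LOGIN, LOGOUT, VIEW, MODIFY, DELETE.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: 'jsmith' logs in on WS-ICU-07 while still logged
# in on WS-ICU-01, and records are changed from both workstations meanwhile.
SAMPLE_LOG = """\
2024-03-04T08:00:12 LOGIN  jsmith WS-ICU-01 -
2024-03-04T08:03:40 VIEW   jsmith WS-ICU-01 MRN-1001
2024-03-04T08:05:02 LOGIN  jsmith WS-ICU-07 -
2024-03-04T08:06:15 MODIFY jsmith WS-ICU-07 MRN-1001
2024-03-04T08:07:30 DELETE jsmith WS-ICU-01 MRN-1042
2024-03-04T08:30:00 LOGOUT jsmith WS-ICU-07 -
2024-03-04T09:00:00 LOGOUT jsmith WS-ICU-01 -
2024-03-04T08:10:00 LOGIN  rlee   WS-ER-02  -
2024-03-04T08:12:00 VIEW   rlee   WS-ER-02  MRN-2001
2024-03-04T08:20:00 LOGOUT rlee   WS-ER-02  -
"""

CHANGE_ACTIONS = {"MODIFY", "DELETE"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    user: str
    workstation: str
    record: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; returns events sorted by timestamp."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, action, user, workstation, record = parts
        events.append(Event(datetime.fromisoformat(ts), action.upper(),
                            user, workstation, record))
    return sorted(events, key=lambda e: e.ts)


def find_shared_credential_indicators(events: list[Event]) -> dict:
    """Flag concurrent sessions for one user ID and the changes made during them.

    Returns {'overlaps': [(user, ts, new_ws, already_open_ws)],
             'unattributable_changes': [(user, ts, action, record, open_ws)]}.
    A concurrent session is an indicator, not proof: a forgotten logout or a
    roaming workflow can also produce it, so each hit needs investigation.
    """
    open_sessions: dict[str, set[str]] = defaultdict(set)
    overlaps, unattributable = [], []
    for e in events:
        sessions = open_sessions[e.user]
        if e.action == "LOGIN":
            if sessions and e.workstation not in sessions:
                overlaps.append((e.user, e.ts, e.workstation, frozenset(sessions)))
            sessions.add(e.workstation)
        elif e.action == "LOGOUT":
            sessions.discard(e.workstation)
        elif e.action in CHANGE_ACTIONS and len(sessions) > 1:
            # The same user ID is active on more than one workstation, so the
            # audit trail cannot say which person made this change.
            unattributable.append((e.user, e.ts, e.action, e.record,
                                   frozenset(sessions)))
    return {"overlaps": overlaps, "unattributable_changes": unattributable}


def report(findings: dict) -> list[str]:
    """Render findings as plain lines suitable for a reviewer or a SIEM alert."""
    lines = []
    for user, ts, new_ws, open_ws in findings["overlaps"]:
        lines.append(f"{ts.isoformat()} {user}: new session on {new_ws} while "
                     f"already logged in on {', '.join(sorted(open_ws))}")
    for user, ts, action, record, open_ws in findings["unattributable_changes"]:
        lines.append(f"{ts.isoformat()} {user}: {action} on {record} cannot be "
                     f"attributed (active on {', '.join(sorted(open_ws))})")
    return lines


if __name__ == "__main__":
    for line in report(find_shared_credential_indicators(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the constructed log, the script reports one overlapping login for `jsmith` and two record changes (a MODIFY on MRN-1001 and a DELETE on MRN-1042) that the unique user ID can no longer tie to one person; `rlee`, who has a single session, produces no findings. In a real deployment the same logic would be fed from the EHR's own access audit export and the hits triaged, since a concurrent session can also mean a forgotten logout rather than a shared password.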

What is HIPAA training for healthcare workers?

HIPAA training for healthcare workers is the training on HIPAA compliance provided by an employer to new members of a healthcare workforce. The training has to be on the policies and procedures developed by the employer to enable the workforce to function in compliance with HIPAA. However, when HIPAA training is provided to healthcare workers that do not have a basic understanding of HIPAA, it is difficult for them to retain the information.

For this reason, employers are advised to take advantage of off-the-shelf training programs that explain concepts such as "what is PHI", "why does PHI need protecting", and "how is HIPAA enforced" to ensure new members of the workforce have a basic understanding of HIPAA before being asked to understand concepts such as patients' rights, disclosure authorizations, and the minimum necessary standard.

What is a HIPAA certification for healthcare workers?

A HIPAA certification for healthcare workers is a certificate presented to healthcare workers when they have completed a HIPAA training course. When provided by an employer, the certificate usually demonstrates the healthcare worker has completed the employer´s policy and procedure training as required by the Privacy Rule. When provided by a third-party compliance organization, the certificate demonstrates a point-in-time knowledge of the basics of HIPAA.

How long is training in HIPAA for home care workers good for?

Training in HIPAA for home care workers is good for as long as there is no material change in policies or procedures, until a need for further training is identified by a risk assessment or in response to a patient's complaint, or until additional training is required as part of a sanction for non-compliance – either by the home care worker or by their employer. Nonetheless, compliance experts recommend that refresher training is provided to home care workers annually.

In addition to policy and procedure training in HIPAA for home care workers, all members of a Covered Entity's or Business Associate's workforce are required to participate in a security and awareness training program. Organizing security and awareness training can be problematic for home care workers because they are away from the workplace for long periods of time. For this reason, online training that a healthcare worker can access remotely may be the best option.

When must HIPAA training for medical staff be completed?

HIPAA training for medical staff must be completed "within a reasonable period of time" if the training relates to Privacy Rule and Breach Notification Rule policies and procedures. Security and awareness HIPAA training should be ongoing and – as the threats to the confidentiality, integrity, and availability of electronic PHI are constantly evolving – this type of HIPAA training for medical staff is never truly complete.

It is important to be aware that HIPAA preempts contrary state laws unless the state law has more stringent requirements (45 CFR § 160.203), and other federal rules can impose stricter requirements on the organizations they govern – this is sometimes the case with regards to training timelines. For example, the state of Texas requires new members of the workforce to complete HIPAA and Texas Medical Records Privacy Act training within 90 days of hire, while personnel attached to the Defense Health Agency must complete their HIPAA training within 30 days.

How often should HIPAA medical training be repeated?

HIPAA medical training should be repeated as often as necessary to mitigate the risk of a HIPAA violation or data breach. Privacy Officers have the task of determining when it is necessary to repeat HIPAA medical training for policies and procedures, while Security Officers should repeat security and awareness training if – despite the initial training – members of the workforce persevere with poor online security habits.

Is there a difference between HIPAA training for medical employees and for administrative staff?

There can be a difference between HIPAA training for medical employees and for administrative staff. This is because Covered Entities have to develop policies and procedures “as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”. As members of the medical team and members of the administrative team may have different functions, it is likely some different policies will apply to each group.

Can free healthcare compliance training replace the HIPAA training requirements for employers?

No. Free healthcare compliance training cannot replace the HIPAA training requirements for employers because employers are required to train members of the workforce on policies and procedures developed to comply with HIPAA. As each organization has its own threats and vulnerabilities – and unique policies and procedures to mitigate the threats and vulnerabilities – there is no healthcare compliance training that can replace the HIPAA training requirements.

There are some healthcare compliance training courses – both paid-for and free – that can support the HIPAA training requirements for employers by providing new members of the workforce with a foundation in HIPAA compliance. These tend to focus on common general areas such as why HIPAA was created, what it protects, and who enforces it, but do not include employers' policies and procedures and therefore cannot replace the HIPAA training requirements for employers.

Who is responsible for providing HIPAA compliance training for nurses?

The responsibility for providing HIPAA compliance training for nurses rests ultimately with the nurses' employer. The employer is required to appoint a HIPAA Privacy Officer whose duties include developing HIPAA-compliant policies and procedures and training members of the workforce on the policies and procedures relevant to their roles. Therefore, although HIPAA compliance training may be delivered by a Privacy Officer, it is the employer's responsibility to make sure it is delivered.

What is a HIPAA policy for healthcare employees?

A HIPAA policy for healthcare employees is most often an umbrella term for all the HIPAA-related policies and procedures that healthcare employees are required to comply with. The term can also be used to describe the sanctions imposed on healthcare employees who violate HIPAA-related policies and procedures, because these should be explained in a HIPAA sanctions policy document.

Who is responsible to see that all healthcare workers are familiar with HIPAA?

The responsibility to see that all healthcare workers are familiar with HIPAA rests with each individual healthcare worker. This is because, although employers and Privacy Officers are responsible for providing training on HIPAA-related policies and procedures, it is not their responsibility to ensure every healthcare worker understands the training – and a healthcare worker who is not familiar with HIPAA will find it much harder to comply with those policies and procedures.

Unfortunately, if a HIPAA violation occurs due to a healthcare worker's failure to understand their employer's training (because the healthcare worker was not familiar with HIPAA), the employer is unlikely to accept liability for the violation and will blame the healthcare worker. Consequently, it is in every healthcare worker's best interest to ensure they are familiar with HIPAA and, if their familiarity needs improving, to take advantage of online HIPAA compliance training.

Where do I take HIPAA training for medical employees?

HIPAA training for medical employees should be provided by an employer within "a reasonable period of time" of an employee joining the workforce. However, if you are concerned you have not yet received HIPAA training, you should bring this to the attention of your Privacy Officer and ensure your concerns are documented in order to avoid being unjustly accused of a policy violation.

How long should documents relating to HIPAA training for a medical office be retained?

Documents relating to HIPAA training for a medical office should be retained for a minimum of six years from the date they were created or the date the policies to which the training relates were last in effect, whichever is later (45 CFR § 164.530(j)). The retained documentation should include a copy of the policies, the content of the training, and any acknowledgements that training was received (acknowledgements are mandated in some states).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.

