HIPAA Training for Employees
The regulations relating to HIPAA training for employees are deliberately flexible because of the different functions Covered Entities perform, the different roles of employees, and the different level of access each employee has to Protected Health Information (PHI).
The degree of flexibility can create misunderstandings about which employees require training, what training should be provided, how training should be provided, and when training should be provided. This blog aims to clarify the regulations relating to employee training.
Which Employees Require HIPAA Training?
Both the HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308) stipulate training should be provided to members of the workforce; but whereas the Security Rule is clear that all members of the workforce should participate in a security awareness and training program, the Privacy Rule is more flexible:
“A Covered Entity must train all members of its workforce on the policies and procedures with respect to Protected Health Information required by this subpart [the Privacy Rule] and subpart D of this part [the Breach Notification Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”.
This standard could be interpreted as meaning that HIPAA employee training only needs to be provided “by function”. For example, it might be assumed that training on policies relating to individuals´ rights only needs to be provided to members of the workforce who deal with access requests, amendment requests, and requests for an accounting of disclosures. However, this is not the case.
All members of the workforce (including agency staff, volunteers, consultants, and contractors) need to be aware that individuals have rights and what those rights are, even if they are not involved in responding to individuals exercising their rights. Consequently, HIPAA employee training needs to be far more comprehensive than implied by the Privacy Rule standard.
HIPAA Staff Training for Business Associates
HIPAA staff training for Business Associates is sometimes limited to security awareness training. However, it is a mistake to believe this is all the HIPAA training for Business Associates required by HIPAA. For example, HIPAA staff training for Business Associates should include how to report any security incident (as required by §164.314) and the procedures for reporting security incidents and data breaches to Covered Entities (as required by §164.410).
It is also important to be aware that the introduction to the Privacy Rule, §164.500(c), states: “Where provided, the standards, requirements, and implementation specifications adopted under this subpart [the Privacy Rule] apply to a Business Associate with respect to the Protected Health Information of a Covered Entity.” This means it may also be necessary to provide Privacy Rule HIPAA training for staff of Business Associates in accordance with §164.530 (quoted above).
Finally, if a Business Associate processes “covered transactions” on behalf of a Covered Entity, it will also be necessary to provide HIPAA staff training on the Administrative Requirements (45 CFR Part 162). Although no Covered Entity or Business Associate has ever been fined for violating this part of HIPAA, the Centers for Medicare and Medicaid Services has the authority to impose Corrective Action Plans on organizations that fail to comply with the transaction standards.
What HIPAA Training Should be Provided to Employees?
The HIPAA Privacy Rule requires each Covered Entity to develop policies and procedures designed to comply with the Rule´s standards and implementation specifications and “train all members of its workforce on the policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”.
This implies the content of HIPAA training will depend on what policies and procedures the Covered Entity has developed, and what policies and procedures are relevant for each employee to carry out their functions in compliance with HIPAA. As a guide, this article on the HIPAA training requirements includes examples of HIPAA compliance training.
As mentioned above, HIPAA employee training needs to be more comprehensive than implied by the Privacy Rule standard. Similarly, security and awareness training should go beyond the basic security measures implemented to comply with the Security Rule. Employees must be educated about any threat to any system – not just systems that maintain Protected Health Information.
How Should HIPAA Compliance Training for Employees be Provided?
Covered Entities and Business Associates have several options when it comes to providing HIPAA compliance training for employees. Historically, HIPAA compliance training was classroom-based and led by an instructor – usually the HIPAA Privacy Officer or HIPAA Security Officer. However, classroom-based training can often be ineffective because there is so much to cover in HIPAA.
For example, a classroom-based training session for patient-facing employees would have to cover areas of HIPAA such as the provision of Privacy Notices, Patients´ Rights under HIPAA, the Minimum Necessary Standard, using technologies such as EHRs compliantly, and the Breach Notification Rule. It is a lot to cover in a single training session, and a lot for employees to remember.
HIPAA Training Video for Employees
A HIPAA training video for employees can be used as part of – or as an alternative to – classroom-based training. Videos enable instructors to break down and explain HIPAA visually, which can lead to more engagement and better retention. When used as an alternative to classroom-based training, videos can also overcome the problem of getting trainees in the same place at the same time.
An unfortunate issue with HIPAA training videos for employees is that the expense of production makes it impractical to produce a different video for each employee´s role. Therefore, while a HIPAA training video can be of some benefit – for example, for providing an explanation of PHI – it is often not the best way to comply with the HIPAA training requirements.
Online HIPAA Training for Employees
Online HIPAA training for employees made up of mix-and-match modules is a far more effective way for Covered Entities and Business Associates to comply with the HIPAA training requirements. The modules can be assembled into groups that are relevant to each employee´s role – or to each group of roles – and each employee can complete the training individually at a time that minimizes disruption.
Online training not only makes it easier for a Covered Entity or Business Associate to provide initial training (i.e., when onboarding new employees), but also makes it easier to provide refresher training or HIPAA-mandated training whenever “functions are affected by a material change in the policies or procedures”, as individual modules are easier to update than complete training courses.
When Should HIPAA Employee Training be Provided?
Covered Entities are required to provide training on HIPAA policies and procedures “within a reasonable period of time after a person joins the Covered Entity´s workforce” and whenever “functions are affected by a material change in the policies or procedures”. There is no time period stipulated for when a security awareness and training program has to be provided.
In addition, Covered Entities and Business Associates should incorporate HIPAA employee training into risk analyses. This will help identify when members of the workforce need further training because bad practices have developed that could lead to unauthorized uses or disclosures of PHI. If a need for training is identified, it must be provided “within a reasonable period”.
Two other occasions when HIPAA employee training should be provided are when a member of the workforce has violated HIPAA and additional training is a penalty under the organization´s sanctions policy, and when HHS´ Office for Civil Rights imposes a Corrective Action Plan following a compliance investigation that requires further HIPAA employee training.
HIPAA Training for Employees: FAQs
Why is HIPAA training important?
HIPAA training is important because members of a Covered Entity´s workforce have to understand how to protect PHI from unauthorized uses and disclosures. If a HIPAA violation occurs that could have been prevented with training, but no training has been provided, the Office for Civil Rights will consider the violation to be due to willful neglect when calculating the penalty.
The failure to provide training is a violation of HIPAA in itself. The training requirements in the Privacy Rule and Security Rule are both “standards” rather than “implementation specifications”, which means they must be complied with. By contrast, addressable implementation specifications can be omitted if they are inappropriate or unnecessary, or if a suitable alternative is implemented instead, provided the decision is documented.
Who is responsible for training all employees on HIPAA?
The HIPAA Privacy Rule stipulates a Covered Entity must designate a Privacy Officer who is responsible for the development and implementation of the Covered Entity´s HIPAA policies and procedures. This person is not necessarily responsible for providing training him or herself, but they are responsible for ensuring employees are trained on HIPAA.
Covered Entities and Business Associates are also required to designate a Security Officer under the Security Rule. This can be the same person who has been designated as Privacy Officer; and like the Privacy Officer, the Security Officer does not have to personally provide HIPAA training, but they must ensure a security awareness and training program is implemented.
Who needs HIPAA training?
As mentioned above, training should be provided to all members of the workforce regardless of the level of interaction they have with PHI. This means that cleaners, maintenance teams, and gardeners must receive basic instruction on PHI so they know (for example) not to discuss a patient staying in a healthcare facility, and how to recognize PHI that has been inadvertently left unattended.
Significantly, the HIPAA Security Rule highlights that management should be included in security awareness and training. While managers might not have any more interaction with PHI than a gardener in their function, healthcare managers can often be targeted by cybercriminals for login credentials that will enable them to carry out business email compromise attacks.
How often is HIPAA training required?
HIPAA training for employees is required when a person joins a Covered Entity´s workforce, when there is a material change in policies and procedures that affects that person´s role, and when a risk analysis identifies a need for further training. Beyond these requirements, it is a best practice to provide periodic refresher training – especially with regards to security awareness.
Threats to patient data are constantly evolving. Cybercriminals are identifying new ways to infiltrate IT networks, while the existing methods of extracting data (phishing, malware, ransomware, etc.) are becoming more sophisticated. Therefore, periodic refresher training should be provided at least annually to educate workforces on the latest threats and how to defend PHI against them.
How long does HIPAA training take?
There are various schools of thought about the best way to provide HIPAA training for employees, and these can influence how long HIPAA training takes. For example, some Covered Entities may prefer day-long workshops, while others may opt for a 20-minute video. Neither extreme is ideal because employees either won´t retain the information or won´t receive enough information.
If Covered Entities and Business Associates implement modular online HIPAA training for employees, the time training takes will vary according to how many modules are included in the training course and whether the training is provided for each employee to complete individually in their own time or in a classroom setting. In a classroom setting, the optimal time is less than two hours.
Other than for providing an explanation of PHI, what else can HIPAA training videos for employees be used for?
Other than providing an explanation of PHI, HIPAA training videos for employees can be used to cover many common areas of HIPAA compliance. For example, HIPAA training videos are useful for explaining the background to HIPAA, the roles of Privacy and Security Officers, individuals´ rights, and – once employees understand what PHI is – permissible uses and disclosures of PHI.
What is HIPAA training for employees?
HIPAA training for employees is the training an employer is required to provide to new members of the workforce if the employer is subject to any provisions of the Health Insurance Portability and Accountability Act. In most cases, training focuses on the policies and procedures the employer has developed to protect the privacy of individually identifiable health information and to ensure the confidentiality, integrity, and availability of electronic Protected Health Information.
How long is staff HIPAA training valid?
The validity of staff HIPAA training depends on whether there are any material changes to policies and procedures, whether a risk analysis identifies a need for further training, or whether additional training is imposed as a sanction by an employer (against a member of staff) or by HHS´ Office for Civil Rights (against the employer) following a HIPAA violation.
Is there HIPAA training for office staff?
HIPAA training for office staff is as important as it is for any other member of the workforce. Indeed, office staff are more likely to be involved in HIPAA covered transactions (eligibility checks, claims processing, billing, etc.), and – in a healthcare environment – make appointments with patients and respond to requests for copies of PHI and accountings of disclosures.
How should office staff get HIPAA training?
Office staff get HIPAA training in the same way as other members of the workforce. This may be in a classroom environment or via a video training course. There may also be some one-on-one training if, for example, the role of a new employee is unique within the organization (e.g., managing accounting of disclosure requests) or if the employer is a small business.
When must new employee HIPAA compliance training be completed by?
New employee HIPAA compliance training must be completed “within a reasonable period of time” (according to the Privacy Rule) unless the new employee is working for an organization located in a state with more stringent training requirements (e.g., in Texas, the limit is 90 days). It is important to note that these time limits only apply to Privacy Rule and Breach Notification Rule training, as Security Rule training is ongoing.
How often should HIPAA compliance training be provided to employees?
After an employee’s initial HIPAA compliance training, further training should be provided whenever a need is identified by a risk analysis, whenever there is a material change to Privacy Rule policies or procedures, or whenever HIPAA compliance training is required as a sanction by an employer or HHS´ Office for Civil Rights. The HIPAA compliance training required by the Security Rule is ongoing, and should be provided periodically.
How often do non-employed members of the workforce need to have HIPAA training?
Non-employed members of the workforce need to have HIPAA training as frequently as employed members of the workforce if the same risks to the privacy of Protected Health Information exist. Clearly, a volunteer gardener is not going to require as much security awareness training as an employed claims processor. Nonetheless, it is a requirement of HIPAA that all members of the workforce – regardless of their employment status – participate in security awareness training.
How long must the documentation for staff HIPAA awareness training be kept?
The documentation for staff HIPAA awareness training must be kept for a minimum of six years. However, if the staff HIPAA awareness training is related to policies and procedures (e.g., notifying a Security Officer of a data breach), the documentation must be kept for a minimum of six years from the date the policies and/or procedures were last in force.
Are employees required to take HIPAA compliance training on Part 162 covered transactions?
Employees are required to take HIPAA compliance training on Part 162 covered transactions if “their functions within the Covered Entity” (or, in some cases, the Business Associate) relate to Part 162 covered transactions. Generally, the training will be the same as Privacy Rule/Breach Notification Rule policy and procedure training and Security Rule security awareness training, with additional training with regards to CMS reporting requirements.
Who is in charge of HIPAA training for employees?
The person in charge of HIPAA training for employees is usually the HIPAA Privacy Officer or the HIPAA Security Officer – although the actual training may more often be conducted by a member of the HR team with training experience. In some cases, a member of the IT team may conduct training if, for example, the organization is implementing a new security software solution.
Are state compliance training requirements different from HIPAA compliance training requirements?
State compliance training requirements can be different from HIPAA compliance training requirements inasmuch as some states have laws that HIPAA does not preempt (e.g., those mandating the reporting of child abuse) or laws that stipulate a timeframe within which compliance training must be completed. For example, the timeframe in Texas is 90 days.
Can employers be fined for not providing HIPAA training to employees?
Employers can be fined for not providing HIPAA training to employees if an employee violates HIPAA, the violation is reported to HHS´ Office for Civil Rights, and an investigation into the violation identifies a lack of training as the cause of the violation. However, rather than fine the employer, the agency will typically impose a Corrective Action Plan that includes monitored HIPAA training.
Is it necessary to have staff HIPAA refresher training every time a new technology is deployed?
It is necessary to have staff HIPAA refresher training every time a new technology is deployed if the new technology relates to the confidentiality, integrity, or availability of electronic PHI. However, rather than train every member of staff on the new technology, only those likely to use it or be affected by its capabilities will be required to undergo staff HIPAA refresher training.
If a material change to a policy occurs, but it only affects nursing personnel, is it necessary for office staff to have more training?
If a material change to a policy occurs, but it only affects nursing personnel, it may be necessary for office staff to have more training – if only to advise office staff that a material change to policy has occurred. Otherwise, depending on the nature of the material change, it may only be necessary for those whose roles are affected by the change to have more training.
If a HIPAA staff training violation occurs, how does HHS´ Office for Civil Rights find out about it?
If a HIPAA staff training violation occurs, HHS´ Office for Civil Rights can find out about it in various ways. For example, the violation could be included in a complaint made to the agency by a patient, the agency might find out about a HIPAA staff training violation during an audit or compliance investigation, or it may be tipped off by a staff member concerned about a lack of training.
Why should security and awareness training go beyond the basic requirements of the Security Rule?
Security and awareness training should go beyond the basic requirements of the Security Rule because it is important for members of the workforce to understand what the threats are to the confidentiality, integrity, and availability of electronic PHI and what their roles are in mitigating the threats and their impact. It is also essential that members of the workforce are encouraged to report a mistake that results in a security incident rather than try to hide the mistake.
Why do staff with no access to ePHI need security and awareness training?
Staff with no access to ePHI need security and awareness training because cybercriminals don´t necessarily know which members of staff have access to ePHI and will target everybody in the organization looking for a weak link. If any member of staff divulges their login credentials, a cybercriminal could access the network and move laterally through the network until they identify a database of individually identifiable health information.
Is HIPAA video training for employees better than classroom training?
HIPAA video training for employees can be better than classroom training in many use cases – but not in all. For example, it can be easier to recreate complex compliance scenarios on video than in a classroom environment, but classroom environments enable trainees to ask questions that other trainees might not have thought of – or may have thought of, but were too embarrassed to ask.
What are the benefits of online HIPAA training for employees?
The benefits of online HIPAA training for employees are primarily that employees can take training individually at a time that causes the least operational disruption and that employers can match modules to suit training needs. It is also easier to replace a single module than the entire course when there is a material change to policies and procedures which affects the content of the training.
Is there a one-size-fits-all HIPAA compliance training video? If not, why not?
There is no one-size-fits-all HIPAA compliance training video because different organizations have different compliance requirements. Therefore, different organizations will develop different policies and procedures to comply with HIPAA; and, because training must be provided on the policies and procedures, the content of each training course will be different.
However, there are benefits of training the basics of HIPAA compliance via video inasmuch as it is better for trainees to know what the Privacy, Security, and Breach Notification Rules are, what constitutes PHI, and what rights individuals have before taking policy and procedure training provided by their employers. HIPAA compliance training videos can help in this respect.