Although training employees in HIPAA compliance is mandatory, the requirements laid out by the legislation regarding HIPAA training are vague. This is partly a result of HIPAA covering a broad range of covered entities and their business associates.
Training of some sort is necessary under the Administrative Requirement of the HIPAA Privacy Rule and an Administrative Safeguard of the HIPAA Security Rule. However, neither provides very comprehensive guidelines. What these rules do state is that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that covered entities and business associates should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).
Unfortunately, this lack of certainty in the HIPAA training guidelines can make compliance quite confusing. However, despite this lack of clear rules, should a breach of Protected Health Information (PHI) occur and it is found that staff did not receive adequate training, the covered entities and business associates may be issued a fine by the Office for Civil Rights (OCR). The OCR sits within the Department for Health and Human Services.
HIPAA Training Objectives
In order to prevent such a breach from happening, it is vital that risk assessments are conducted regularly by both the covered entities and business associates. These will cement the role of each employee regarding the handling of PHI. This can help ensure that each employee gets appropriate training in accordance with their role.
Covered entities should also tailor security awareness and training programs for the role of each employee, manager, associate etc. that deals with PHI. For more complex roles, more training sessions may be required.
Providing training can be time-consuming and costly, which often makes it off-putting. That being said, it is necessary. We recommend that training is delivered in brief, frequent sessions rather than one long session. With this method, employees are more likely to stay focussed and retain critical information.
How Often is HIPAA Training Required?
In terms of how often HIPAA training is required, the Privacy Rule and Security Rule both offer suggestions without offering specific timeframes. According to the Privacy Rule, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and also when “functions are affected by a material change in policies or procedures.”
On the other hand, according to the Security Rule, HIPAA training is required “periodically”. Many businesses interpret “periodically” as an annual occurrence. However, this approach is not usually accurate or effective. HIPAA training should always be provided whenever there is a change in working practices or technology, or whenever new rules or guidelines are issued by the Department for Health and Human Services. Privacy and Security Officers should look at the following list when deciding whether HIPAA training is required:
- HHS and state publications should be monitored for advance notice of rule changes. The best way to do this is through subscribing to a news feed or other official communication channel.
- When new rules or guidelines are issued, a risk assessment should be conducted to determine how they will affect the organization’s operations and if HIPAA training is required.
- HR and Practice Managers should have a system in place in which they receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
- Privacy and Security Officers should also liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
- Regular risk assessments should be conducted in order to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA violations.
- Training programs should be designed so that they address how any changes will affect employees’ compliance with HIPAA and not only the changes themselves.
Of course, in the event of changes in working practices and technology, HIPAA training must only be provided to the employees whose roles will be affected by the changes. In addition to this, it is also advisable to include at least one member of senior management in the training sessions. The reason for this is that, even if they are not affected by the new policies or procedures, it shows the whole organization is taking its HIPAA training requirements seriously.
HIPAA Training Tips
To help covered entities and their business associates navigate the confusing art of HIPAA compliance training, here is a simple list of best practices for employee training.
- Do keep the training sessions brief. This will increase the likelihood of employees retaining information and thus help to prevent further breaches. N.B. ignorance is not considered a valid excuse for PHI breaches.
- Do keep the training sessions regular. Each session can focus on a different aspect of training, update staff on new developments or even just remind employees of the most important aspects of the regulation.
- Do keep employees in the loop with regard to the dangers of a PHI breach. These can include fines and legal action for the covered entity, and a loss of privacy for the patient affected. Such information can help convey the need for HIPAA compliance to the employees.
- Do keep all levels of management included in training. A refresher can be beneficial to everybody, and a lack of training provided to higher levels can reflect poorly on the covered entity in an audit.
- Don’t forget to record clearly when the training occurred, what information was handed out and who was involved. If the OCR carries out an investigation or an audit, this information will be crucial.
- Don’t just read passages from HIPAA during sessions. Explain legal jargon clearly and summarise important pieces of information. Try to make sure that participants not only have knowledge of the required legislation but also understand how to enact it in their daily roles.
- Don’t go into the history of HIPAA. It is not necessary information and is likely to cause participants to lose interest before the session even begins. Having so much background thrown at them before they even get to the important information will discourage and possibly overwhelm employees.
Areas that should be Included in a HIPAA Training Course
Despite each HIPAA training course being tailored towards the roles of employees attending the course, there are some critical elements that should also be included. The following list is an example of what should be included in a basic HIPAA training course, although covered entities may need to show particular focus on some areas more than others. That being said, none of these areas should be ignored completely.
Areas to Cover in a HIPAA Training Course:
- BA Agreements
- Breach Notifications
- Disclosures of PHI
- Employee Sanctions
- HIPAA Definitions
- HIPAA Privacy Rule
- HIPAA Security Rule
- Patients’ Rights
- Potential Violations
- Safeguarding ePHI
- What is HIPAA?
- Why HIPAA is Important
HIPAA Compliance Training: Quick Summary
Because the phrasing of the HIPAA legislation is so vague, it is ultimately up to covered entities and their business associates how best to provide training to employees. So long as sufficient training is provided to allow employees to understand how to prevent PHI breaches, it should be adequate to comply with HIPAA regulations. Training should always be tailored to the role of individual employees, which maximises efficiency while also increasing the likelihood of retention. The HIPAA Compliance training supplied here is a good platform from which a full training course can be developed.