The Health Insurance Portability and Accountability Act (HIPAA) Rules include provisions that require HIPAA training for employees. Here we explain the HIPAA training requirements for employees as mentioned in the legislation, and how the training requirements of HIPAA should be interpreted.
The HIPAA training requirements are detailed in the administrative requirements of the HIPAA Privacy Rule – 45 CFR § 164.530(b) – and the administrative safeguards of the HIPAA Security Rule – 45 CFR § 164.308(a)(5), with each covering different aspects of training, although little detail is provided in the HIPAA text as to the required content of training sessions.
What Should HIPAA Training for Employees Entail?
The content of training sessions is largely left to the discretion of each covered entity and business associate. Most healthcare organizations provide general HIPAA training for employees that introduces HIPAA, explains its importance, informs employees why compliance is necessary, and covers the consequences of HIPAA violations, with more detailed training provided for certain groups of employees.
Training should cover all aspects of HIPAA that are relevant to the role of each employee. In practice, that means a one-size-fits-all approach is best avoided. Physicians and nurses will require different training from administrative workers and receptionists, and it is best not to overload employees with information that is simply not relevant to their job. Training should cover core elements for all employees, with different modules for each category of employee appropriate to their work duties.
HIPAA training for employees is not about ensuring healthcare workers have an encyclopedic understanding of all aspects of HIPAA; rather, the aim should be to teach the workforce how to complete their work duties in a HIPAA-compliant way.
How Often Must HIPAA Training Be Provided?
The HIPAA text does not include specific timeframes for providing HIPAA training for employees. The requirements for HIPAA training for the workforce are flexible and allow each covered entity and business associate to set their own training schedules.
The HIPAA training requirements are for training to be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” Initial HIPAA training for employees must be provided “within a reasonable period of time after the person joins the covered entity’s workforce,” and when “functions are affected by a material change in the policies or procedures.”
Training should therefore be provided within days of an individual joining the company, and ideally before a change in policies and procedures, but certainly very soon after. HIPAA also calls for refresher HIPAA training to be provided “periodically.” The frequency of periodic refresher HIPAA training sessions is not specified, but the industry best practice is for refresher HIPAA training to be provided annually.
Other HIPAA Training Requirements
Providing initial HIPAA training for employees when they join the organization and periodic refresher HIPAA training sessions are requirements of the HIPAA Privacy Rule, but there are other HIPAA training requirements detailed in the HIPAA Security Rule.
The HIPAA Security Rule training requirements concern data security and require HIPAA-covered entities and their business associates to provide security awareness training to all members of the workforce, including management.
There are many threats to the confidentiality, integrity, and availability of PHI. Healthcare employees cannot be expected to be aware of these threats, so they must be explained. Training should teach employees how to recognize threats for what they are and how to act when such a threat is encountered.
As with the HIPAA Privacy Rule training requirements, security awareness training should be provided when employees join the organization and periodically thereafter. The best practice for security awareness training is also once a year, although the frequency should be guided by risk assessments. It may be more appropriate to provide short refresher security awareness training sessions more frequently to ensure security is kept fresh in the mind.
Employee HIPAA Training Summary
To comply with the HIPAA Rules, employee HIPAA training and security awareness training must be provided when an employee joins the company and thereafter every year, with further training following a change in policies and procedures.
It is best to split these training sessions and provide them in separate sessions, as combining the two will result in training courses being too long. Try to keep training sessions short to improve retention of the training course content. Sessions of no more than 40 minutes are best.
You must keep a record of training sessions as these will likely be requested by regulators in the event of an audit, compliance investigation, or following a data breach or complaint about potential HIPAA violations.