HIPAA is a hugely important legislative act that sets standards that healthcare organizations and their business associates must follow. It is essential for covered entities and business associates to provide HIPAA training for healthcare workers to ensure that every individual that comes into contact with protected health information (PHI) is aware of their responsibilities with respect to PHI.

What Does the Privacy Rule Say About HIPAA Training for Healthcare Workers?

The Privacy Rule – 45 CFR § 164.530(b) – requires HIPAA training for healthcare workers to be provided:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures… within a reasonable period of time after the material change becomes effective.

When Must HIPAA Training be Provided?

The HIPAA Privacy Rule states that training must be provided “within a reasonable period of time,” but what is considered reasonable? Ideally, training should be provided within a few days of a new hire and after a policy change, but it is acceptable to provide the training in the first few weeks. The speed at which training is provided should be guided by a risk analysis.

In addition to initial training and training when policies and procedures change, the workforce should be provided with refresher HIPAA training. Again, there is no timescale for providing refresher HIPAA training. The only requirement is for training to be provided periodically. This is accepted to be at least every two years, although the industry best practice is to provide refresher HIPAA training for healthcare workers once a year.

What Must HIPAA Training for Healthcare Workers Include?

The HIPAA text does not include a checklist of items that must be covered, and there is no mention of the required length of training sessions. This can lead to confusion about how to train the workforce and remain compliant.

The Privacy rule requires all members of the workforce to be trained on HIPAA policies and procedures with respect to protected health information, and this training must be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

Employees do not need to understand every tiny detail of HIPAA, but they should have a good understanding of why HIPAA is important and what the legislation covers. They must know about all aspects of HIPAA that apply to their role and responsibilities, so training needs to be specific to different employee groups. The training provided to admin workers will need to cover different elements of HIPAA than the training for doctors and nurses.

The HIPAA Security Rule also calls for training to be provided, which must also be provided “within a reasonable period of time” from the date of hire and periodically thereafter, and also following a change in policies, procedures, or technology.

HIPAA Security Rule Training Requirements

The HIPAA Security Rule provisions covering training are detailed in the administrative safeguards. 45 CFR § 164.308 (5)(i) requires “Security awareness and training.” Covered entities and business associates must “Implement a security awareness and training program for all members of its workforce (including management).”

In contrast to the HIPAA Privacy Rule, there are implementation specifications covering security awareness training. These are all addressable provisions, which means they are not “required” but cannot be ignored. An alternative, equivalent measure can be implemented in their place, provided the decision is documented and valid reasons are provided.

Security awareness training should include security reminders – periodic security updates; protection from malicious software – procedures for guarding against, detecting, and reporting malicious software; and password management – procedures for creating, changing, and safeguarding passwords.

Since the Security Rule was implemented, the threat landscape has changed considerably. While not specifically mentioned, all threats to PHI must be covered in training, especially how to identify and avoid phishing emails. It is also important to teach security best practices to ensure employees know how to use computers and other portable electronic devices securely and are trained how to handle and protect PHI.

Make Sure You Document all HIPAA Training for Healthcare Workers

HIPAA covered entities and business associates must document all HIPAA training for healthcare workers. This document or spreadsheet should detail which employees have been trained, when they received the training, and what training they have been given. The HIPAA training log is an essential part of your HIPAA documentation that will be requested by regulators in the event of an audit, data breach investigation, compliance review, or investigation of a HIPAA complaint. It serves as proof that you are compliant with the HIPAA training requirements.