Despite the importance of training, the guidelines HIPAA gives for it are vague. Training is, however, mandatory. The HIPAA Privacy Rule stipulates it as part of its Administrative Requirements, whilst the HIPAA Security Rule lists it as an Administrative Safeguard. Yet in both cases the wording is unspecific: training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule), and covered entities (CEs) and business associates (BAs) should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).

Objectives of HIPAA Training

The uncertainty surrounding the wording of these stipulations undoubtedly complicates HIPAA compliance. Nevertheless, if HIPAA is violated and subsequent investigations determine that this was at least in part due to a lack of training, the covered entity (CE) or business associate (BA) would be deemed negligent and could be fined by the Office for Civil Rights (OCR).

To help ensure HIPAA compliance, CEs and BAs must rely on adequate risk assessments. These lay out the responsibilities and functions of each party that may come into contact with a patient’s Protected Health Information (PHI). After a risk assessment, the organisation should then establish a security awareness and training program for its employees.

From there, the content of each training program will depend on the nature of the organisation’s relationship with the PHI. Training may need to be conducted over a number of sessions to ensure its continued relevance. This is particularly important in light of new technological developments.

The organisation may also be required to run multiple sessions for different employee roles. Though this may be off-putting for the company involved, as it is undoubtedly costly and time-consuming, it is of critical importance. Too much information thrown at employees in a short time span will not only overwhelm them but is also likely to sacrifice detail.

Advice on HIPAA Compliance Training

Though there are no official HIPAA training guidelines, here we offer advice on how best to train employees. These are not hard-and-fast rules, and may be inappropriate in some situations, but do offer managers a good guide on how to compile a HIPAA training course.

Do include all employees. Senior staff may consider it a waste of time to undergo such training, either because of their experience or their lack of contact with PHI. However, it is important that they are involved, and their participation may encourage others to take the training seriously.

Do emphasise the consequences of a HIPAA violation. These include not only fines for the organisation but also likely further consequences for those who caused the breach and their colleagues. Most importantly, there are likely to be consequences for the patient whose PHI was violated.

Do have short, regular training sessions. This will keep employees engaged, leaving them more likely to retain the information. These will occur in addition to the annual refresher sessions required by the Department of Health and Human Services.

Don’t include a lecture, however brief, about the history of HIPAA, its legal context, a timeline of its amendments, etc. This is likely to cause the trainees to lose focus. Instead, emphasise their roles in protecting a patient’s PHI.

Don’t read long passages of text from the HIPAA guidelines. Not only is it a waste of time, as employees could do this themselves, but it is also not engaging.

Don’t forget to make a record of the training session and its attendees. This is necessary should a breach occur, as it shows that the organisation was following guidelines.