Under the Administrative Requirements of the HIPAA Privacy Rule (CFR 45 § 164.530) Covered Entities are required to provide training on their policies and procedures with respect to Protected Health Information (PHI) as necessary and appropriate for members of the workforce to carry out their functions within the Covered Entity.
In addition, under the Administrative Safeguards of the HIPAA Security Rule (CFR 45 § 164.380) both Covered Entities and Business Associates are required to implement a security and awareness training program for all members of their workforces – including management – regardless of the level of access workforce members have to PHI.
However, because the HIPAA Rules are flexible and scalable to accommodate the range of types and sizes of organizations that must comply with them, there is no one-size-fits-all standardized program that could appropriately train employees of all organizations. Furthermore, the HIPAA training requirements not only apply to paid healthcare employees, but also to students, volunteers, and other members of the workforce such as contractors and environmental services technicians.
This can create an issue with how to comply with the HIPAA training requirements without investing significant resources, yet providing each member of the workforce with sufficient, relevant information to carry out their functions in compliance with HIPAA while safeguarding PHI. The solution to this issue is to provide HIPAA training in modular form so only relevant modules are presented to members of the workforce and they are not overwhelmed with information.
More about Modular HIPAA Training
Modular training helps Covered Entities and Business Associates comply with the HIPAA training requirements inasmuch as members of the workforce who only require a basic knowledge of HIPAA to carry out their functions can be trained quickly and efficiently, while members of the workforce with public-facing roles or extensive access to ePHI have the information they need to overcome compliance challenges in their day-to-day roles.
Modular training also allows different trainers to present different modules. For example, a module on the basics of the Privacy Rule could be presented by the HIPAA Privacy Officer, while a module on computer safety rules could be presented by the HIPAA Security Officer. Not only can an arrangement such as this ensure the modules are being presented by the personnel who know most about them, it also helps attendees put a face to a name.
In addition, modular training enables training to be broken down into shorter sessions. When training goes on for too long, only a limited amount of information is retained. Therefore, it is better to schedule a specific number of modules per session for advanced training programs that might otherwise take five to six hours to complete. This not only assists with retention but is likely to encourage more engagement with regard to questions attendees raise from previous sessions.
Typical HIPAA Training Modules
Like the HIPAA training requirements, there are no one-size-fits-all training modules. Covered Entities and Business Associates should design each training module around a core template to reflect the roles and responsibilities of workforce groups – allowing for material changes in policies and procedures, refresher training, and any further training requirements identified in a risk analysis.
Because of HIPAA's flexible and scalable approach to training, the typical HIPAA training modules listed below have been divided into basic, advanced, and student training modules. Generally, the basic training modules reflect areas of the Privacy Rule, while the advanced training modules are more closely related to the requirements of the Security Rule. The list of typical HIPAA training modules for healthcare students reflects the need to amass a knowledge of HIPAA quickly.
Basic HIPAA Training Modules
HIPAA Overview
All HIPAA training courses – whether they are for new employees, for material changes, or for refresher learning – should start with an overview of HIPAA to explain why attendees are there.
It is often difficult to avoid using HIPAA terminology in training courses, so a brief module explaining what certain terms mean (e.g., Covered Entity) is a good idea for new employees.
The HITECH Act
A module on the HITECH Act may be relevant to introduce the Meaningful Use and Promoting Interoperability programs and because many HITECH provisions were enacted in the Final Rule.
Introduction to the HIPAA Rules
Compliance with HIPAA requires compliance with the individual HIPAA Rules. A module introducing the Rules is a good idea to familiarize trainees with their names and the distinctions between them.
The Privacy Rule
While it may be impossible to reduce the Privacy Rule to a single module, core concepts such as the Minimum Necessary Standard should be explained in basic training for all workforce members.
The Security Rule
A module on the Security Rule can be used to explain the need for a security and awareness training program, as many of the implementation specifications will influence policies and procedures.
The Final Rule
It is worth including a module on the Final Rule as this was when many of the provisions of the HITECH Act were enacted – including making Business Associates liable for HIPAA violations.
Patients' Rights
This is an important module to include for public-facing employees, administrators, and volunteers who may be asked for access to PHI by unauthorized persons – including patient family members.
Allowable Disclosures of PHI
Patients and OCR investigators have the right to request an accounting of disclosures of PHI. Therefore, a module on allowable disclosures of PHI is recommended for all workforce members.
HIPAA Violations
A module on HIPAA violations can help dispel the misconception that only data breaches count as violations. Any violation is a violation, regardless of whether it results in harm or not.
Preventing HIPAA Violations
After explaining what HIPAA violations are, present a module on preventing HIPAA violations followed by a Q&A to test attendees' retention of information shared in the previous module.
What is a HIPAA Compliant Employee?
A suitable way to conclude any basic HIPAA training course is to ask attendees what a HIPAA compliant employee is. This will help determine if further basic training is required.
Advanced Training Modules
A Timeline of HIPAA
A module on the timeline of HIPAA can be a useful introduction to a refresher or advanced training course to remind attendees of the Privacy, Security, and Final Rule modules covered previously.
Threats to PHI
This module should not only focus on cyber threats to PHI, but also on physical threats such as leaving workstations and paper copies of PHI unattended in public view.
Computer Safety Rules
Any module on computer safety rules used as part of a HIPAA training course should combine the organization's acceptable use policies with those applicable to the HIPAA Security Rule.
HIPAA and Social Media
It is important workforce members are aware that sharing PHI on social media without patient consent is a violation of HIPAA. This module should reinforce the sanctions for social media misuse.
HIPAA and Emergencies
This module should explain the process for relaxations of HIPAA compliance and how the workforce will be advised of such relaxations to avoid being misled by misinformation in the public domain.
HIPAA Officers
It is not necessary for HIPAA Officers to present the training modules, but it is important that members of the workforce are informed who they are and what their roles and responsibilities are.
HIPAA Compliance Checklist
A HIPAA compliance checklist module can be used to set a quiz for training attendees to determine how much information they have retained and if any further training is necessary.
Recent HIPAA Updates
This is an easy module to compile and insert into a HIPAA Training session if there is a change to the Rules that affects the functions of members of the workforce.
Texas Medical Records Privacy Act and HB 300
Organizations that are Covered Entities under the Texas Medical Records Privacy Act are required by HB 300 to include a module on the Act and to obtain attendees' signatures confirming they have attended it.
Cybersecurity Dangers for Healthcare Employees
Any employee who uses a computer is exposed to cybersecurity dangers, and this module should be provided for all members of the workforce as part of a security and awareness training program.
How to Protect ePHI from Cyber Threats
As a follow-on from the previous module, this module can help Covered Entities and Business Associates remain cyber-secure in all their online operations – not just HIPAA-related ones.
Student Training Modules
In most cases, new employees will have had some degree of HIPAA training. However, medical students may never have heard of HIPAA previously and must quickly get up to speed on the requirements of the Privacy and Security Rules to avoid inadvertently disclosing PHI without authorization. Therefore, a medical student HIPAA training course should consist of a mixture of basic and advanced modules, plus some directly applicable to medical students:
- HIPAA Overview
- The HITECH Act
- Introduction to the HIPAA Rules
- The Privacy Rule
- The Security Rule
- The Final Rule
- Patients' Rights
- Allowable Disclosures of PHI
- HIPAA Violations
- Preventing HIPAA Violations
- Threats to PHI
- Computer Safety Rules
- HIPAA and Social Media
- HIPAA and Emergencies
- HIPAA Officers
- Recent HIPAA Updates
EHR Access by Healthcare Students
In addition to the above, medical students need to know not to disclose PHI they see on a patient's EHR and why it is not okay to access an EHR using somebody else's password.
Using ePHI in Student Reports and Projects
This module should be used to explain how to obtain consent from patients to use their PHI in reports and projects and/or how to deidentify PHI so it can be used without patient consent.
Being a HIPAA Compliant Student
Similar to the “Compliant Employee” module, a module asking what a HIPAA compliant student is will identify where further HIPAA training for medical students is required.
Advice on HIPAA Compliance Training
Though there are no official HIPAA training guidelines, there are several sources of HIPAA compliance training Covered Entities and Business Associates can use to help compile training modules and present them. The following advice on HIPAA compliance training has been provided by a selection of sources:
Do include all members of the workforce in training sessions where appropriate. Senior management may consider HIPAA training unnecessary for their roles and responsibilities; however, it is a requirement of the HIPAA Security Rule that management is included in the security and awareness program, and the presence of senior management will demonstrate that the provision of training is taken seriously.
Do emphasize the consequences of HIPAA violations – not only the consequences for the Covered Entity or Business Associate where the violation has occurred, but also for patients (if their data has been used for insurance fraud or identity theft), and the individuals responsible for the breach and their colleagues. Even accidental violations can result in disciplinary action if the individual is found to have been negligent on multiple occasions.
Do have short, regular training sessions. They will keep employees engaged, leaving them more likely to retain information. Ultimately, the objective of HIPAA training is to create and maintain a HIPAA-compliant workforce. If the nature of training makes it impossible for employees to retain all relevant information, it increases the chances of a HIPAA violation occurring.
Don’t include a lecture, however brief, about the history of HIPAA, its legal context, a timeline of its amendments etc. This is likely to cause the trainees to lose focus. Instead, emphasize the legislative role in protecting PHI so that other training modules can be presented in context.
Don’t read long passages of text from the HIPAA Privacy and Security Rules. Not only is the terminology difficult to understand, many Standards cross-reference other Standards – making the text difficult to follow audibly.
Don’t forget to maintain a record of training sessions and attendees. This is necessary should a breach occur, as it shows that the organization was following HIPAA training requirements. The records should be maintained for a minimum of six years.
HIPAA Training: Summary
While it may be difficult at times to schedule training modules, it is imperative that training courses are provided and that they are taken seriously. HIPAA training ensures everyone will have a comprehensive understanding of HIPAA legislation, which will reduce the risk of violations and data breaches, help avoid potentially costly consequences, and mitigate increased scrutiny from OCR and state attorneys general.
Training is a requirement of HIPAA and evidence that training has been provided will need to be provided to regulators in the event of a HIPAA compliance audit or data breach investigation. It is therefore important to ensure that evidence that the workforce has been trained is maintained as proof that the HIPAA training requirements have been met.
HIPAA Training FAQs
How often must HIPAA training be provided?
HIPAA does not state how often training should be provided other than saying it needs to be provided when an employee joins the organization and when functions are affected by a material change in policies and procedures. The best practice is to provide modular refresher HIPAA training and security awareness training at least annually.
What should be included in HIPAA security awareness training?
Security awareness training should demonstrate cybersecurity best practices, explain the cyber risks to ePHI, and cover the main threats that employees are likely to encounter. Members of the workforce must be trained how to identify threats such as phishing emails and how to respond when a potential threat is encountered.
What HIPAA training documentation must I keep?
You must be able to provide evidence that training has been provided to the workforce, so it is essential to keep a training log. The log should detail the employees that have received training, when the training was provided, the type of training received, the content of the course, and the individual who provided the training. The log should be kept with other HIPAA documentation and employee files should be updated confirming that training has been provided.
Will the HHS’ Office for Civil Rights issue fines for inadequate HIPAA training?
As of 2020, no fines have been issued solely for HIPAA training failures, but inadequate training has increased the financial penalties imposed in multiple HIPAA compliance investigations. In 2020, two settlements were reached with HIPAA covered entities that included a financial penalty for the lack of HIPAA Privacy Rule and security awareness training.
Do volunteers require HIPAA training?
HIPAA training must be provided to anyone who accesses PHI, as well as to any members of the workforce who may encounter PHI in their role or accidentally. That means virtually all individuals in healthcare organizations will be required to have at least some HIPAA training including volunteers, interns, students, administration staff, hospital porters, physicians, and nurses.