The HIPAA Privacy and Security Rules both require HIPAA training for employees. Providing regular employee HIPAA training helps to prevent accidental HIPAA violations by employees, and in the event of a breach or compliance investigation, entities that can show they train their workforce regularly on the HIPAA privacy and security requirements are more likely to avoid a financial penalty for noncompliance.
What Does HIPAA Say About HIPAA Training for Employees?
Employee HIPAA training is an important part of HIPAA compliance, but relatively little text in the HIPAA Rules covers training. It is largely left to each covered entity and business associate to determine what training is appropriate and how often training should be provided.
The HIPAA training requirements for healthcare workers are covered in the administrative requirements of the HIPAA Privacy Rule – 45 CFR § 164.530(b). This provision calls for employee HIPAA training to be provided “to each member of the covered entity’s workforce by no later than the compliance date for the covered entity.” Initial HIPAA training for new employees must be provided “within a reasonable period of time after the person joins the covered entity’s workforce,” and further training must be provided “to each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures,” again within a reasonable period of time after the change becomes effective. The same provision requires the covered entity to document that the training has been provided.
The HIPAA Security Rule training requirements for the workforce are detailed in the administrative safeguards – 45 CFR § 164.308(a)(5). This employee HIPAA training requirement calls for covered entities and business associates to “Implement a security awareness and training program for all members of its workforce (including management).” Its four addressable implementation specifications are periodic security reminders, protection from malicious software, log-in monitoring, and password management. While phishing is not specifically mentioned in the HIPAA text, OCR has said in guidance that employees must also be trained how to identify and avoid phishing emails.
HIPAA Training Content Guidelines
The content of HIPAA training sessions is left to the discretion of each covered entity and business associate. When developing a training course, consider providing an overview of HIPAA and explaining why the legislation was introduced and why it is important, but avoid going into great detail about every element of the HIPAA Rules. The purpose of HIPAA training is to allow each employee to carry out their work duties in a HIPAA compliant way; it is not necessary for healthcare employees to have encyclopedic knowledge of every aspect of the HIPAA Rules. Tailor the training course for different members of the workforce and ensure it is relevant to each employee’s role, since a billing clerk, a nurse and an IT administrator handle PHI in very different ways.
Try to avoid long training sessions as you need to ensure that employees remain attentive. Training sessions should be restricted to no more than around 40 minutes, as this will help to improve knowledge retention. It is recommended to cover HIPAA training and security awareness training in separate training sessions.
HIPAA Refresher Training for Employees
In addition to providing HIPAA training for employees when they commence employment and following policy and procedural changes, refresher training on the HIPAA Rules and refresher security awareness training must also be provided. The Security Rule only says that security reminders should be “periodic,” so the frequency of training is open to interpretation; the industry best practice is to provide refresher HIPAA training sessions annually, and certainly no less frequently than every two years. Following any security incident caused by workforce error, such as an individual falling for a phishing email, a refresher training session on security awareness is also recommended, both for the individual concerned and, where the incident reveals a wider gap, for the rest of the workforce.
Document HIPAA Training for Employees
You must be able to prove that you have provided training on the HIPAA Rules and security awareness training to all members of the workforce. The HHS’ Office for Civil Rights and state attorneys general may ask for your HIPAA training log in the event of an audit or compliance review, and a training requirement you cannot document is treated as one you did not meet.
Maintain a log that contains the date training was provided, who received the training, who provided the training, and the content and type of the training session. Keep the log with your HIPAA documentation and also keep a record of HIPAA training in each employee file. Like other HIPAA documentation, training records must be retained for at least six years from the date they were created or last in effect, whichever is later (45 CFR § 164.530(j) and § 164.316(b)).
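A training log is only useful if someone checks it for gaps before an auditor does. The following Python script is an added example, not code from the article or from HHS: it takes a workforce roster and a training log with the fields listed above (date, recipient, trainer, content, type) and reports anyone with no training on record, anyone whose refresher is overdue, anyone not retrained after a material policy change, and any log entry missing a field an auditor would ask for. The 365-day refresher interval, the 30-day onboarding window and the policy-change date are assumptions standing in for “periodically” and “a reasonable period of time,” and all names and dates are constructed sample data.

```python
"""Audit a HIPAA workforce training log for gaps.

Added example, not from the article. The refresher interval, onboarding
window and policy-change date below are assumptions; adjust them to the
periods your own policies define.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Worker:
    name: str
    role: str
    start: date          # date the person joined the workforce


@dataclass(frozen=True)
class Session:
    worker: str          # who received the training
    kind: str            # "privacy" (HIPAA Rules) or "security" (awareness)
    held: date           # date training was provided
    trainer: str         # who provided it
    content: str         # what was covered


REFRESHER_INTERVAL = timedelta(days=365)   # assumed annual refresher
ONBOARDING_WINDOW = timedelta(days=30)     # assumed "reasonable period" for new hires
# Assumed dates on which a material change to policies took effect, per kind.
POLICY_CHANGES = {"privacy": date(2023, 9, 1)}
KINDS = ("privacy", "security")


def incomplete_records(log):
    """Log entries lacking a field an auditor would ask for."""
    return [s for s in log if not (s.worker and s.kind and s.trainer and s.content)]


def audit(workers, log, today):
    """Return (worker, kind, issue) tuples for every training gap found as of `today`."""
    findings = []
    for w in workers:
        for kind in KINDS:
            sessions = sorted((s for s in log if s.worker == w.name and s.kind == kind),
                              key=lambda s: s.held)
            if not sessions:
                # New hires are only a gap once the onboarding window has passed.
                if today - w.start > ONBOARDING_WINDOW:
                    findings.append((w.name, kind, "no training on record"))
                continue
            last = sessions[-1]
            if today - last.held > REFRESHER_INTERVAL:
                findings.append((w.name, kind, f"refresher overdue: last session {last.held}"))
            change = POLICY_CHANGES.get(kind)
            # Training that predates a material change does not cover the new policy.
            if change and last.held < change and today - change > ONBOARDING_WINDOW:
                findings.append((w.name, kind, f"not retrained since material policy change on {change}"))
    return findings


# Constructed sample data: a four-person roster and five log entries.
WORKERS = [
    Worker("alice", "nurse", date(2021, 3, 15)),
    Worker("bob", "billing clerk", date(2024, 5, 20)),        # new hire, still in window
    Worker("carol", "IT administrator", date(2019, 1, 7)),
    Worker("dave", "receptionist", date(2022, 8, 1)),
]
LOG = [
    Session("alice", "privacy", date(2023, 10, 2), "Privacy Officer", "Privacy Rule refresher, clinical roles"),
    Session("alice", "security", date(2024, 2, 14), "Security Officer", "Phishing, malware, password management"),
    Session("carol", "privacy", date(2023, 2, 10), "Privacy Officer", "Privacy Rule refresher, IT roles"),
    Session("carol", "security", date(2024, 1, 20), "Security Officer", "Malware protection, log-in monitoring"),
    Session("dave", "privacy", date(2023, 11, 5), "", "Privacy Rule refresher, front desk"),  # trainer missing
]
AS_OF = date(2024, 6, 10)

if __name__ == "__main__":
    for s in incomplete_records(LOG):
        print(f"INCOMPLETE RECORD: {s}")
    for name, kind, issue in audit(WORKERS, LOG, AS_OF):
        print(f"{name:6} {kind:8} {issue}")
```

Run against the sample data as of 10 June 2024, the audit flags carol twice for privacy training (her last session is more than a year old and predates the policy change), dave once for having no security awareness training on record, and dave’s privacy entry as incomplete because the trainer field is blank; bob, hired three weeks earlier, is not flagged until the onboarding window closes. Re-running the audit with a later date is the simplest way to see who falls due next.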