HIPAA Training Requirements

Although the Health Insurance Portability and Accountability Act stipulates employee training is mandatory, neither the Privacy Rule not the Security Rule provide guidelines regarding the HIPAA training requirements. This can be a significant obstacle to Covered Entities working towards HIPAA compliance.

Businesses in the healthcare and health insurance industries (Covered Entities) and businesses providing services to Covered Entities (Business Associates) need their employees to know about maintaining the security, confidentiality and integrity of Protected Health Information (PHI). If PHI is accessed or disclosed without authorization, Covered Entities and Business Associates could be in violation of HIPAA.

Therefore training employees is essential. However, although HIPAA stipulates “necessary and appropriate” training should be provided for employees to “carry out their functions [in compliance with HIPAA]”, and that a security awareness and training program should be implemented, no light is shed on what the security awareness and training programs should consist of.

This leaves many Covered Entities and Business Associates in the dark. Naturally, training will be provided to employees who work with computer systems in order to mitigate the threats from malware, ransomware and phishing; but how will it be possible to know whether or not the training is sufficiently “necessary and appropriate” to comply with the HIPAA training requirements?

How to Resolve the HIPAA Training Requirements Issue

The way to resolve the HIPAA training requirements issue is to conduct a risk assessment on each employee with regard to how they “carry out their functions”. In some ways, an employee risk assessment is similar to that an IT manager would conduct on a computer network in terms of identifying how PHI is created, maintained and shared.

The employee risk assessment should be followed by a risk analysis, which – like a risk analysis on a computer network – should identify any areas in which PHI could be accessed or disclosed without authorization. Once any potential weaknesses and vulnerabilities have been identified, a schedule can be compiled that addresses the employee´s specific HIPAA training requirements.

The task may seem daunting at first for a Covered Entity with thousands of employees, but many employees will have similar HIPAA training requirements. Security awareness training – addressing similar weaknesses and vulnerabilities – can be provided for groups of employees simultaneously in order to cut down on the workload and ensure disruption to the workflow is minimized.

Tips for Delivering Effective HIPAA Compliance Training

In order to fulfill the HIPAA training requirements, HIPAA compliance training has to be effective. The ultimate objective of security awareness training is for employees to “carry out their functions [in compliance with HIPAA]”; and, if the training is ineffective, this element of the HIPAA training requirements will not be satisfied. Furthermore, PHI will be at risk of unauthorized disclosure.

Therefore, when delivering HIPAA compliance training, businesses should keep the training sessions short and relevant. No employee will be able to absorb the entirety of the Privacy and Security Rules in a six-hour training session, nor will likely pay full attention during a speech on the motives of the HIPAA legislation. Other considerations businesses may wish to bear in mind include:

  • Use whatever tools are at your disposal to make the training memorable. Interactive simulations and multimedia presentations can be accessed online, or purchased from a specialist HIPAA compliance company.
  • Ensure employees are made aware of the consequences of unauthorized disclosure – not just the financial consequences to the business, but also to themselves (via a sanctions policy), colleagues, and those whose PHI has been compromised.
  • Not only is it important that senior management is seen to be involved in the training, but it is a stipulation of the HIPAA training requirements that businesses “implement a security awareness and training program for all members of the workforce” (45 CFR §164.308).
  • It is important that all HIPAA compliance training is documented to meet the burden of proof it has been conducted (45 CFR §164.530). The documentation can be requested at any time by a Department of Health and Human Services inspector or an Office for Civil Rights auditor.

The consequences of failing to comply with the HIPAA training requirements can be substantial – particularly in the event of a breach of PHI, when the lack of effective HIPAA compliance training could be considered “willful neglect”. If a business subject to HIPAA law is unsure about its ability to deliver effective HIPAA compliance training, professional advice should be sought as a matter of urgency.