All staff members should have been trained on their obligations under HIPAA Rules, but how and when should awareness and knowledge of HIPAA be promoted and increased? How regularly should refresher courses or further training be given?
The various organizations subject to HIPAA Rules – covered entities, their business associates, and others – are required to follow those Rules and ensure their employees have been trained in their roles with respect to them. For best results, training should occur before staff deal with protected heath information (PHI).
Essential topics to include are the permitted ways in which PHI can be used and shared, protection of personal privacy, information security, any function-specific elements, HIPAA best practices, and the various internal policies related to securing data and private information.
Sanctions for violating HIPAA and related penalties which staff members may be liable for should be presented. Without sufficient training, staff members may inadvertently break privacy or security rules and violate HIPAA.
As HIPAA is subject to modifications or additions, and internal policies may evolve with technology or guidance, further training in matters relating to PHI should be given if material changes are made.
HIPAA Training is Not a Once-Off
New staff members obviously need training to begin their role. HIPAA’s Privacy Rule notes that new employees should be trained “within a reasonable timeframe”.
However, this should not be the only training they receive. To ensure staff members remember the Rules, regular refresher or retraining is needed and is even a necessity for HIPAA compliance.
The periodicity of retraining is not defined in the HIPAA Rules, only that it must be done “regularly”. Organizations can choose the frequency as suits their needs, but best practice is to retrain annually.
The HIPAA Privacy Rule does state that training should be given to “all members of [a covered entity’s] workforce on the policies and procedures with respect to protected health information […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”.
General training may not cover the requirements for all staff. Specialized sessions may be needed for different departments or roles. HIPAA standard 45 CFR § 164.308(a)(5) mentions “Job-specific” and “security awareness” training. Both of these require more than a single session at the start of employment.
Conducting training events is only part of the battle – covered entities must guarantee that employees understand the information given, and that they remember it and apply it to their work. This being the case, we advise that you increase and promote HIPAA awareness during the whole year.
Promoting HIPAA Awareness
Raising awareness of HIPAA and the responsibility that goes with it can be done in a number of ways. To supplement mandatory yearly refresher courses, lighter approaches such as newsletters, email bulletins, posters, and quizzes can all be used to keep HIPAA on peoples’ minds.
Security awareness training can be greatly improved from this. While annual training may be a common practice, regular reminders of security aspects are very important and security awareness training is often given twice a year – with monthly cybersecurity reports provided. More pressing or urgent concerns can be shared on an ad hoc basis – for example a new virus or email scam – but it is important to use discretion when notifying employees of threats, as a large number of alerts can lead to threats being ignored.
When Should Retraining Occur?
As well as yearly retraining, it may be a good idea to implement additional HIPAA training sessions if security or privacy violations take place, or if an information breach occurs. Staff members directly involved in these incidents are obvious candidates for retraining, but the event can be harnessed and used to open training to all employees to avoid a repeat of the error. Where one staff member is found to be violating HIPAA Rules, it is likely that others are also confused on the matter, and may be committing the same violation.