The HIPAA Privacy Rule (the “Rule”) affects both covered entities and business associates. The Rule has many parts, and there continues to be confusion about what it requires in the way of workforce training. Our intention is to provide a simple explanation that will help you remain HIPAA compliant.
It is important to look at the sections of the regulations that address the training requirement. These are found in two key places. The first is in the Administrative Requirements of the Privacy Rule (45 CFR §164.530(b)). The second is in the Administrative Safeguards of the Security Rule (45 CFR §164.308(a)(5)).
The Privacy Rule itself is written for covered entities; it reaches business associates through the Business Associate Agreements (BAAs) between the parties, and since the 2013 Omnibus Final Rule business associates are also directly liable for complying with the Security Rule. A business associate must afford protected health information (PHI) the same protection the covered entity does. Given these requirements, it is safe to treat the training provisions discussed below as applying in practice to both covered entities and business associates.
Administrative Requirements of the Privacy Rule
Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this Rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
Implementation specifications: Training.
- A covered entity must provide training that meets the requirements of this section, as follows:
  - To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
  - Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
  - To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with this section.
- A covered entity must document that the training as described in this section has been provided, as required by this paragraph of the Rule.
Our interpretation of the Rule:
1. All members of the workforce should receive HIPAA training appropriate to their function in the organization. The Rule defines the workforce broadly as employees, volunteers, trainees, and other persons whose conduct in performing work for the entity is under its direct control, whether or not they are paid by it; contractors who work under that kind of direct control are therefore included. It is important to tailor the training to each job function.
a. Most workforce members will require some level of HIPAA Compliance training.
b. Health Information Management or Medical Records staff that manage the medical record may require Health Information Management Training.
c. Those who speak Spanish may benefit from a Spanish version of HIPAA Compliance training.
d. Business Associates will require their own specific training program.
e. Workforce members who are not usually exposed to PHI may only need HIPAA awareness training.
2. All members of the workforce must be trained within a reasonable period after joining, and again whenever there is a material change in the Rule or in the organization’s policies or procedures that affects their functions. The Rule does not define “reasonable period”; a covered entity should set and document its own timeline for completion of HIPAA training.
3. The Rule does not state how often training must be repeated. You should consider factors such as recent changes in the Rule and modifications to your organization’s policies and procedures. It is very likely that some such change occurs within any period of one to two years. Training at least every two years is suggested, with annual training as a best practice.
Administrative Safeguards of the Security Rule
Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
Our Interpretation of the Security Rule:
The Standard in the Security Rule is brief: it requires a security awareness and training program but does not specify how often training must occur. Its four addressable implementation specifications (security reminders, protection from malicious software, log-in monitoring, and password management) indicate the topics such a program should cover. Individuals responsible for the security of electronic PHI should at least complete a HIPAA IT security training program every one or two years, much as under the Privacy Rule. Awareness training should be provided on a regular basis using methods such as email updates and alerts on current issues such as spam, phishing, hacking, cybertheft, and malware.
Address your HIPAA training requirements
Remember that a standard compliance training program does not fit the requirements of every organization. When you consider your training requirements, make sure all your workforce members are trained according to their needs. Make sure programs are easy to take and accessible to your workforce. Finally, keep records of everyone who has received training, including what was covered and when. If you ever have a breach, one of the first things the Office for Civil Rights (OCR) will ask for is documentation of your training.
Get ready to address your HIPAA Training Requirements at HIPAA Associates – HIPAA Training.
US Department of Health & Human Services, Office for Civil Rights, July 26, 2013, Summary of the HIPAA Security Rule, HHS.gov, https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Al Lopez is the Vice President of Operations for HIPAA Associates and is a medical doctor board certified in internal medicine, pulmonary, and anesthesia. He holds a degree as a medical coding specialist and certification in Healthcare Compliance.
Dr. Lopez has served as a Compliance Director and Privacy Officer for over ten years and has held various leadership roles within the hospital staff and private practice. His main interest is in HIPAA training and course design.