by Wyn Staheli
August 1st, 2017
There are some commonly asked questions regarding HIPAA training requirements.
- Which employees need HIPAA training?
- What topics must covered entities address in employee training?
- How often should I be holding HIPAA training?
- How long should HIPAA training be?
- What exactly do I need to document?
To answer these questions, we begin by reviewing the official text of both the HIPAA Privacy and the Security Rules to understand what is required by law. Interestingly, they are worded differently on this subject:
HIPAA Privacy Rule
Keep in mind that when the Security Rule says "Addressable" it means that the item must be addressed. It is NOT optional. It should be carefully evaluated to see how the requirements fit into your organization and then your organization's policy regarding that requirement must be documented in your HIPAA Compliance Manual. For example, item a.5.ii.A "Security reminders" states "periodic security updates." Your documentation should state how often security reminders/updates are performed.
Q: Which employees need HIPAA training?
A: EVERYONE! Anyone who comes into contact with protected health information (PHI) needs to be trained - this includes healthcare providers, ancillary staff, administrators, and business associates - literally EVERYONE!
Q: What topics must covered entities address in employee training?
A: The Privacy Rule states: "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information...as necessary and appropriate for the members of the workforce to carry out their functions." Your workforce needs to know how to protect the PHI that they come into contact with during their workday. They need to understand what health information is protected, how to protect it, and what to do when there are possible violations of privacy.
The Security Rule says that training needs to cover security awareness, which includes security reminders; procedures for guarding against, detecting, and reporting malicious software; procedures for monitoring log-in attempts and discrepancies; and password management. These are the bare minimum topics that must be covered.
Recent OIG settlement reports of HIPAA violations and breaches clearly indicate that HIPAA Privacy and Security requirements are still not clearly understood or followed. It is essential that employees understand all applicable HIPAA policies and procedures established by your organization (preferably not in one sitting) so that there are no misunderstandings and your organization knows what it needs to do to ensure compliance.
The following are some important topics which should be included as part of ongoing HIPAA training:
- Handling problems with and understanding the issues associated with malware, ransomware, mobile device security, phishing, and email attachments
- Understanding your "Record Retention and Destruction" policy
- Text messaging
- How to properly use social media while protecting PHI
- How to properly secure mobile devices
- State requirements for protecting patient information
- How to properly handle PHI in emergency situations (your contingency plan)
Q: How often should I be holding HIPAA training for my employees?
A: Again, the Security and Privacy Rules are different. In plain English, the Privacy Rule requirements are:
- People who are new to your organization MUST be trained on your HIPAA Policies and Procedures within a 'reasonable time' after they are hired. That time can be chosen by the covered entity (CE), but must be specified in its Policies and Procedures; reasonable is likely 30-60 days after the hire date, but that time is not specified in the law.
- Whenever there is a change to the HIPAA laws, there will be a specified compliance date stated in the law. Training regarding the new law must happen before that deadline.
- When there are changes to your office Policies and Procedures as they relate to HIPAA and to employees' responsibilities, there must be training regarding the change.
As for the Security Rule, it states that training needs to be "periodic," but doesn't provide any further guidance on WHAT that means. It is left up to the organization to make that determination.
We recommend that ongoing HIPAA training take place, preferably every 6 months (annually at the minimum), because let's face it, we are human and we tend to forget. We all need to be reminded of why HIPAA is important. Additionally, if the Department of Health and Human Services (HHS) releases new guidelines or if HIPAA rules are updated, revised, or released, additional training must take place within the time frame outlined by HHS even if you just finished HIPAA training. Ongoing training should NOT be a re-hashing of the same information from the last training session. Mix it up: show some videos, do some role-play scenarios, and use some examples from your organization to make it meaningful and memorable.
Q: How long should HIPAA training be?
A: The HIPAA Rules don't specify any time requirements. Use good judgment and keep in mind that too short (10-15 minutes) is just as bad as too long (over an hour). It's actually better to break it up into short segments (less than an hour) because people will remember it better. For example, take some of the HIPAA components and have a 30-minute training on just those components. At another date, cover additional topics in another 30-45 minute session. These are just some examples to consider when planning your organization's ongoing HIPAA training.
Q: What exactly do I need to document?
A: HIPAA Rules don't specify what needs to be documented, only that it needs to be documented. Based on HIPAA audits, your HIPAA training documentation should be an easily accessible log which includes the following:
- What - the topics that were covered
- When - include the date and the duration of the training
- Who - which employees were active participants (testing and test scores are not required for the log but they can be helpful for the organization to find out what topics are still not understood)
- How - include the type of training conducted (e.g., group, individual, webinar, live seminar)
Complete and Easy HIPAA Compliance includes a HIPAA Policies and Procedures template, an Employee Training Log and numerous other forms to help your organization achieve and maintain HIPAA compliance.