Help: FAQs, tutorials, videos, page index and more
Medical Billing and Coding, ICD-10-CM, ICD-10-PCS, CPT, HCPCS, etc.
Viewing:  Jan 24, 2018

HIPAA Training Requirements

By:  Wyn Staheli
Published:  August 1st, 2017

There are some commonly asked questions regarding HIPAA training requirements.

  • Which employees need HIPAA training?
  • What topics must covered entities address in employee training?
  • How often should I be holding HIPAA training?
  • How long should HIPAA training be?
  • What exactly do I need to document?

To answer these questions, we begin by reviewing the official text of both the HIPAA Privacy and the Security Rules to understand what is required by law. Interestingly, they are worded differently on this subject:

HIPAA Privacy Rule
45 CFR § 164.530(b)(1)

45 CFR §164.530 Administrative requirements.

(b)    (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section. 

HIPAA Security Rule
45 CFR § 164.308(a)(5)

45 CFR § 164.308 Administrative safeguards

(a) A covered entity or business associate must, in accordance with §164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. . . .

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

    (ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Keep in mind that when the Security Rule says "Addressable" it means that the item must be addressed. It is NOT optional. It should be carefully evaluated to see how the requirements fit into your organization and then your organization's policy regarding that requirement must be documented in your HIPAA Compliance Manual. For example, item a.5.ii.A "Security reminders" states "periodic security updates." Your documentation should state how often security reminders/updates are performed.

Q: Which employees need HIPAA training?

A: EVERYONE! Anyone who comes into contact with protected health information (PHI) needs to be trained - this includes healthcare providers, ancillary staff, administrators, and business associates - literally EVERYONE!

Q: What topics must covered entities address in employee training?

A: The Privacy Rule states; "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information...as necessary and appropriate for the members of the workforce to carry out their functions.” Your workforce needs to know how to protect the PHI that they come into contact with during their workday. They need to understand what health information is protected, how to protect it and what to do when there are possible violations of privacy.

The Security Rule says that training needs to cover security awareness, which includes security reminders; procedures for guarding against, detecting and reporting malicious software; procedures for monitoring log in attempts and discrepancies; and password management. These are the bare minimum topics that must be covered.

Recent OIG settlement reports of HIPAA violations and breaches, clearly indicate that HIPAA Privacy and Security requirements are still not clearly understood or followed. It is essential that employees understand all applicable HIPAA policy and procedures established by your organization (preferably not in one sitting) so that there are no misunderstandings and your organization knows what they need to do to ensure compliance.

The following are some important topics which should be included as part of ongoing HIPAA training:

  • Handling problems with and understanding the issues associated with malware, ransomware, mobile device security, phishing, and email attachments
  • Understand your "Record Retention and Destruction" policy
  • Text messaging
  • How to properly use social media while protecting PHI
  • How to properly secure mobile devices
  • State requirements for protecting patient information
  • How to properly handle PHI in emergency situations (your contingency plan)

Q: How often should I be holding HIPAA training for my employees?

A: Again, the Security and Privacy Rules are different. In plain English, the Privacy Rule requirements are:

  • People who are new to your organization MUST be trained on your HIPAA Policies and Procedures within a 'reasonable time' after  they are hired. That time can be chosen by the CE, but must be specified in their Policies and Procedures; reasonable is likely 30-60 days after their hire date, but that time is not specified in the law.
  • Whenever there is a change to the HIPAA laws, there will be a specified compliance date stated in the law. Training regarding the new law must happen before the deadline.
  • When there are changes to your office Policies and Procedures, as it relates to HIPAA and as it pertains to their responsibilities; there must be training regarding the change.

As for the Security Rule, it states that training needs to be "periodic," but doesn't provide any further guidance on WHAT that means. It is left up to the organization to make that determination.

We recommend that ongoing HIPAA training take place, preferably every 6 months (annually at the minimum); because let's face it, we are human and we tend to forget. We all need to be reminded of why HIPAA is important. Additionally, if the Department of Human Services (HHS) releases new guidelines or if HIPAA rules are updated, revised, or released; additional training must take place within the time frame outlined by HHS even if you just finished HIPAA training. Ongoing training should NOT be a re-hashing of the same information in the last training session. Mix it up, show some videos, do some role-play scenarios, use some examples from your organization to make it meaningful and memorable.

Q: How long should HIPAA training be?

A. The HIPAA Rule doesn’t specify any time requirements. Use good judgment and keep in mind that too short (10-15 minutes) is just as bad as too long (over an hour). It's actually better to break it up into short segments (less than an hour) because people will remember it better. For example, take some of the HIPAA components and have a 30 minute training on just those components. At another date, cover additional topics for another 30-45 minute session. These are just some examples to consider when planning your organization's ongoing HIPAA training.

Q: What exactly do I need to document?

A: HIPAA Rules don't specify what needs to be documented, only that it needs to be documented. Based on HIPAA audits, your HIPAA training documentation should be an easily accessible log which includes the following:

  • What - the topics that were covered
  • When - include the date and the duration of  the training
  • Who - which employees were active participants (testing and test scores are not required for the log but they can be helpful for the organization to find out what topics are still not understood)
  • How - include the type of training conducted (e.g., group, individual, webinar, live seminar)

Complete and Easy HIPAA Compliance includes a HIPAA Policies and Procedures template, an Employee Training Log and numerous other forms to help your organization achieve and maintain HIPAA compliance.

###

Article Tags:  (Click on a tag to see related articles.)


HIPPA Compliance Book

Complete & Easy HIPAA Compliance

A simple and practical guide to implementing HIPAA, HITECH, and Omnibus Final Rule components. Includes the forms and policies and information you need to meet compliance requirements. Plus over 50 customizable forms!


Publish this Article on your Website, Blog or Newsletter

This article is available for publishing on websites, blogs, and newsletters. The article must be published in its entirety - all links must be active. If you would like to publish this article, please contact us and let us know where you will be publishing it. The easiest way to get the text of the article is to highlight and copy. Or use your browser's "View Source" option to capture the HTML formatted code.

If you would like a specific article written on a medical coding and billing topic, please Contact Us.

Our contact information:

Find A Code, LLC
62 East 300 North
Spanish Fork, UT 84660
Phone: 801-770-4203 (9-5 Mountain)
Fax: 801-770-4428
Email:
Free 28 Day Trial
No Credit Card Required
Pricing
Starting at $4.95/month
Sign In
Welcome back!