Is HIPAA Training Required by Law?

HIPAA training is not required by law but by regulation. The HIPAA “law” passed by Congress in 1996 instructed the Secretary for Health and Human Services to make recommendations and adopt standards for safeguarding the privacy and security of individually identifiable health information. These evolved into the HIPAA Administrative Simplification Regulations – which include the HIPAA training requirements.

In the U.S., the most common types of legal instruments are laws, regulations, and Presidential measures. Laws are passed by both houses of Congress and signed by the President. Regulations are published by Federal agencies to clarify their interpretation of a law and how that law will be implemented. The President can use several measures to direct the actions of Federal agencies, including Executive Orders and Presidential Directives.

Federal agencies can also publish guidance or other policy statements. These further clarify how the agency understands and implements existing laws and regulations. Guidance and other policy statements describe suggested or recommended actions but are not mandatory requirements unless they are incorporated into a regulation or mandated under terms and conditions of an agreement, such as a funding agreement.

HIPAA is a Law – “Healthcare HIPAA” is a Set of Regulations

The primary objective of the Health Insurance Portability and Accountability Act (HIPAA) was to reform the health insurance industry. However, due to concerns that the costs of the reforms would be passed onto employers and employees – and that this would impact Federal tax revenues – Congress added a second Title to HIPAA to neutralize the costs by reducing fraud in the healthcare industry and simplifying the administration of healthcare transactions.

The second Title of HIPAA does not include any laws to simplify the administration of healthcare transactions. Instead, Congress instructed the Secretary for Health and Human Services (HHS) to adopt standards for electronic healthcare transactions and for data elements within the transactions, and to adopt standards to protect the security of individually identifiable health information created, received, maintained, or transmitted by a covered entity.

The Secretary was also instructed to make recommendations for the privacy of health information, which were to be promulgated into regulations if Congress did not pass separate privacy legislation within three years. Although the Secretary delivered the recommendations the following year, Congress did not act on them. The self-imposed deadline passed in August 1999, and the first proposed HIPAA Privacy Rule was published three months later.

The HIPAA Privacy Rule joined the Transaction and Code Sets Rules and the HIPAA Security Rule in the HIPAA Administrative Simplification Regulations (“Healthcare HIPAA”), which also include the General Administrative Requirements, the General Provisions for Security and Privacy, and the HIPAA Breach Notification Rule. Because the HIPAA training requirements are included in “Healthcare HIPAA”, they are required by regulation rather than by law.

The Mandatory Requirements for HIPAA Training

The mandatory requirements for HIPAA training can be found in §164.530(b) of the HIPAA Privacy Rule and §164.308(a) of the HIPAA Security Rule. However, there are several other standards within both Rules that can influence the nature and frequency of HIPAA training. These include the outcomes of risk assessments, the introduction of new technologies or procedures, and sanctions for workforce violations of the HIPAA standards.

For this reason, the current guidance published by HHS’ Office for Civil Rights is that the mandatory requirements for HIPAA training should be the minimum training provided to workforce members. In addition, HIPAA covered entities and business associates are advised to provide annual refresher training (or incorporate HIPAA awareness into other mandatory training requirements) and ensure security awareness training is ongoing.

It can also benefit HIPAA covered entities and business associates to provide HIPAA basics training to new members of the workforce prior to providing policy and procedure training (§164.530(b)) and security awareness training (§164.308(a)). Training of this nature introduces new members of the workforce to Healthcare HIPAA, explains the terminologies and basic standards, and better prepares trainees to understand the content of mandatory training.

Individuals can also subscribe to a HIPAA basics training course to improve their own level of HIPAA knowledge and better understand the content of mandatory training. Courses that offer a certificate of completion on passing a final test are currently in high demand because hundreds of vacancies advertised on online job sites state that HIPAA certification is a desired or necessary qualification. For this reason, it is best to subscribe to a HIPAA basics training course that is accredited by a recognized training assessor.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]