All members of a covered entity’s or business associate’s workforce need HIPAA training, even those with no access to Protected Health Information (PHI). This is because the General Requirements of the HIPAA Security Rule mandate that security awareness training be designed to protect against uses and disclosures of PHI not permitted by the HIPAA Privacy Rule.
The HIPAA training requirements are sometimes interpreted as two separate requirements: workforce members with access to PHI must be trained on the organization’s policies and procedures with respect to PHI (under the HIPAA Privacy Rule), while all workforce members must receive security awareness training and periodic security reminders (under the HIPAA Security Rule).
Treating the HIPAA Security Rule standard as separate from the HIPAA Privacy Rule standard can result in only workforce members with access to PHI receiving any HIPAA training, while security awareness training consists of “generic” best practices with no relevance to HIPAA. However, separating the standards in this way violates the General Requirements of the HIPAA Security Rule.
Why All Workforce Members Need HIPAA Training
All three HIPAA Security Rule Safeguards (Administrative, Physical, and Technical) and the policy documentation requirements must be complied with “in accordance with §164.306” – the Security Standards General Rules. In the context of who needs HIPAA training, the most relevant of the General Rules is the General Requirement at §164.306(a)(3), which requires covered entities and business associates to:
“Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part”.
In this clause, “such information” refers to electronic PHI and “subpart E” is the HIPAA Privacy Rule. This means security awareness training must be structured so that all members of the workforce are trained on the uses and disclosures of PHI permitted or required by the HIPAA Privacy Rule. Effectively, unless an organization only has “no-view” access to PHI (for example, a cloud service provider that stores encrypted PHI without the decryption key), all members of its workforce need HIPAA training in order to comply with the HIPAA Security Rule.
HIPAA Basics Training Can Fulfil this Requirement
Because “policy and procedure” HIPAA training must cover policies and procedures that are designed “taking into account the size and type of activities that relate to PHI undertaken by a covered entity or business associate”, no one-size-fits-all HIPAA training course can satisfy the HIPAA Privacy Rule training standard, and so none can double as a course that satisfies the Security Rule training requirement.
However, off-the-shelf HIPAA “basics” training courses exist that cover HIPAA compliance essentials such as:
- What is considered PHI under HIPAA.
- What disclosures of PHI are permitted or required.
- When consent, authorization, or attestation is required.
- The minimum necessary standard – and when it applies.
- Patients’ rights – including non-standard communications.
Some HIPAA basics training courses also explain why PHI is targeted by cybercriminals, how cybercriminals exploit vulnerabilities (both human and technical), and the real consequences of impermissible disclosures and data breaches. For example, the consequences are explained in terms of operational disruptions, medical identity theft, and loss of trust in the patient-provider relationship, rather than in terms of regulatory action and workforce sanctions.
The Benefits of HIPAA Basics Training for All Workforce Members
HIPAA basics training should not be limited to workforce members who have no access to PHI and who would otherwise receive only generic security awareness training. It should also be provided to new members of the workforce before “policy and procedure” training, to help them understand the organization’s policies and procedures and support compliance with them.
This in turn should reduce the number of HIPAA violations attributable to a lack of knowledge and of data breaches attributable to a lack of care, reducing the need to provide further HIPAA training as a sanction, in response to a risk assessment, or following a privacy complaint. Organizations that would like to find out more about who needs HIPAA training and the benefits of HIPAA basics training are advised to speak with a HIPAA compliance professional.
Any workforce member who feels their understanding of workplace policies could be better can also independently subscribe to an off-the-shelf HIPAA basics training course. As there are many to choose from, it is advisable to evaluate those accredited by a recognized training assessor (e.g., AHIMA), those that provide a certificate of completion following a final test, and those that offer free trials of training modules.