HIPAA Privacy and Security Training

HIPAA privacy and security training is sometimes treated as two separate units of the HIPAA training requirements inasmuch as HIPAA privacy training has to fulfil the requirements of the HIPAA Privacy Rule, while HIPAA security training has to fulfil the requirements of the HIPAA Security Rule. This is an incorrect interpretation of the HIPAA training requirements.   

The HIPAA training requirements are that workforce members with access to Protected Health Information (PHI) must receive training on policies and procedures relevant to their functions (HIPAA Privacy Rule §164.530), while all workforce members must receive security awareness training regardless of their access to PHI (HIPAA Security Rule §164.308).

When the HIPAA privacy and security training standards are treated separately, some workforce members might never receive the training required to prevent avoidable data breaches. This is because gaps in their knowledge of the HIPAA Privacy Rule impede their understanding of policies and procedures implemented to comply with the HIPAA Security Rule.

An example of this happened in June 2024, when employees of Mass General Brigham shared login credentials with third parties to support outsourcing activities. The shared credentials gave the third parties unauthorized access to more than 4,200 medical records – an event that should not have occurred with a greater understanding of the HIPAA Privacy Rule.

HIPAA Privacy and Security Training Should Be Inseparable

The notion that HIPAA privacy and security training should be inseparable is not an idealistic best practice. It is mandated by the General Requirements of the HIPAA Security Rule (§164.306(a)) which, among other standards, stipulate “Covered entities and business associates must […] protect against any reasonably anticipated uses or disclosures of [electronic PHI] that are not permitted or required under [the HIPAA Privacy Rule]”.

To reinforce the notion that HIPAA privacy and security training should be inseparable, the opening line of the Administrative Safeguards of the HIPAA Security Rule (the section of the HIPAA Security Rule that contains the Security Rule training standard) reads: “A covered entity or business associate must, in accordance with §164.306” […] “Implement a security awareness and training program for all members of its workforce (including management)”.

This means any HIPAA regulated entity that provides “policy and procedure” privacy training to qualifying members of the workforce, and separate “generic” security awareness training to all members of the workforce, is in violation of HIPAA if the separate generic security awareness training is not designed to protect against any reasonably anticipated uses or disclosures of electronic PHI that are not permitted or required under the HIPAA Privacy Rule.

In order to comply with HIPAA, all members of the workforce would have to receive some HIPAA privacy training to understand what electronic PHI is, and what uses and disclosures of electronic PHI are permitted or required under the HIPAA Privacy Rule. If some members of the workforce do not know what is considered PHI under HIPAA or what disclosures are permitted, they are unable to comply with the HIPAA Security Rule training requirements.

How to Overcome Potential HIPAA Training Violations

The HIPAA training requirements have existed for more than twenty years, and most HIPAA regulated entities have long-established HIPAA training programs. When these programs separate HIPAA privacy and security training, not only would it be difficult to revise the programs, but it would also be impractical to retrain all members of the workforce on security best practices that take into account the General Requirements of the HIPAA Security Rule.

One way to overcome the issue of separate HIPAA privacy and security training – and avoid potential HIPAA training violations – is to provide all members of the workforce with an online HIPAA basics training course. Courses of this nature explain basics such as PHI, permissible uses and disclosures, and the minimum necessary standard so members of the workforce can connect HIPAA security training with HIPAA privacy training in order to reduce avoidable HIPAA violations.

Because these courses cover basics rather than specific policies and procedures, it is possible for HIPAA regulated entities – or members of their workforces – to subscribe to the courses via a choice of online vendors. When doing so, it is advisable to ensure the chosen course is accredited by a recognized training assessor (e.g., AHIMA), and that the course has an end-of-study exam that confirms members of the workforce have absorbed the content of the course.

Note: Proposals were announced in January 2025 that would require all members of a HIPAA regulated entity’s workforce to receive role-based HIPAA security training that takes into account the General Requirements of the HIPAA Security Rule. It is not known when – or if – the proposals will be finalized. In the best possible scenario, the proposals could be finalized in late 2025, and compliance with the new HIPAA training requirements mandatory six months later.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]