HIPAA Training for Business Associates

The content of HIPAA training for business associates’ workforces varies according to the nature of the service(s) being provided to or on behalf of a HIPAA covered entity, workforce members’ access to Protected Health Information, and whether Protected Health Information is further disclosed to a secondary business associate or subcontractor.

Since the effective date of the HIPAA Omnibus Final Rule in March 2013, business associates have been required to comply with all applicable standards, requirements, and implementation specifications of the HIPAA Administrative Simplification Regulations when a service being provided to or on behalf of a HIPAA covered entity involves the creation, receipt, storage, or transmission of Protected Health Information (in any format).

In the context of HIPAA training for business associates, the word “applicable” in the previous paragraph does a lot of heavy lifting because there are many types of business associates. Some may replicate the services provided by a HIPAA covered entity – in which case many HIPAA Administrative Simplification Regulations might apply. Others may only provide “no view” services – in which case only HIPAA Security Rule standards apply.

Between the two extremes, some business associates may have to train certain workforce members on advanced HIPAA policies (e.g., disclosures to public health authorities), while other workforce members only require training on HIPAA compliance basics, such as permissible uses and disclosures of PHI and when the minimum necessary standard applies, in order to connect HIPAA compliance with security awareness training.

How to Determine Workforce HIPAA Training Requirements

Because the objective of HIPAA training for business associates is to train members of the workforce how to safeguard the privacy and security of Protected Health Information created, received, stored, and/or transmitted for or on behalf of a HIPAA covered entity, business associates should map how Protected Health Information enters and leaves the organization, and how it is used or disclosed while in the organization’s possession.

A risk analysis should be conducted to identify vulnerabilities and reasonably anticipated threats and hazards to the privacy and security of Protected Health Information – including those attributable to human error or intentional misuse. Thereafter, appropriate administrative, technical, and physical safeguards must be implemented to reduce the identified vulnerabilities, threats, and hazards to a reasonable and acceptable level.

The safeguards must be supported by policies and procedures with respect to Protected Health Information designed to ensure workforce members comply with the administrative, technical, and physical safeguards. Then, when a policy or procedure applies to a workforce member’s functions, the workforce member must be trained on the policy or procedure. Further privacy and policy training must be provided when required by a material change or other event.

Security Awareness HIPAA Training for Business Associates

With regard to security awareness HIPAA training for business associates, the training has to be provided in accordance with the General Requirements of the HIPAA Security Rule (§164.306). Among other standards, the General Requirements require security awareness HIPAA training to protect against reasonably anticipated uses or disclosures of Protected Health Information that are not required or permitted by the HIPAA Privacy Rule.

In order for all members of a business associate’s workforce to comply with the General Requirements of the HIPAA Security Rule – including those with no access to Protected Health Information – it is necessary for all members of the business associate’s workforce to understand what is considered Protected Health Information and what uses or disclosures of Protected Health Information are permitted by the HIPAA Privacy Rule.

The easiest way to provide the knowledge required for workforce members to comply with the General Requirements is for business associates to subscribe members of the workforce to an online HIPAA Basics training course. These short introductory courses cover the subjects necessary for workforce members to understand why Protected Health Information has to be safeguarded and the real consequences of HIPAA violations and data breaches.

Why HIPAA Training for Business Associates is Important

At present, HIPAA training for business associates is important to ensure that the HIPAA covered entities for whom they provide a service do not suffer operational disruptions due to the non-availability of Protected Health Information (e.g., during a ransomware attack), to ensure that Protected Health Information is not misused to commit medical identity theft, and to ensure the terms of Business Associate Agreements are upheld.

However, in future years, it may be necessary for business associates to annually verify compliance with certain standards and implementation specifications – including that “security measures work as designed and that workforce members know how to implement them”. The new proposals imply that HIPAA training for business associates will come under increased scrutiny by HIPAA covered entities and HHS’ Office for Civil Rights.

As these proposals may also affect a business associate’s eligibility to provide a service to or on behalf of a covered entity, it is advisable to ensure all members of the workforce have the required HIPAA knowledge to support security awareness HIPAA training and to understand HIPAA policies and procedures. As mentioned previously, the easiest way to provide the knowledge required is to subscribe to an online HIPAA Basics training course.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]