HIPAA Training for Employees

HIPAA training for employees is necessary for all employees of organizations that qualify as HIPAA covered entities or business associates, regardless of employees’ roles or their access to Protected Health Information. HIPAA training is also necessary for members of the workforce that do not qualify as employees (volunteers, students, directors, etc.).

A common oversight with regards to the HIPAA training requirements is to take them out of context of other HIPAA Administrative Simplification Requirements. A prime example of this oversight relates to the provision of a security awareness and training program as required by §164.308(a)(5) of the HIPAA Security Rule’s Administrative Safeguards.

The standard itself requires HIPAA covered entities and business associates to “implement a security awareness and training program for all members of the workforce (including management)”. However, the introduction to the Administrative Safeguards states “A covered entity or business associate must, in accordance with §164.306:”

§164.306 includes the General Requirements for compliance with the HIPAA Security Rule. The third General Requirement requires HIPAA covered entities and business associates to protect against any reasonably anticipated uses and disclosures of Protected Health Information (PHI) that are not permitted or required by the HIPAA Privacy Rule.

For HIPAA covered entities and business associates to comply with this requirement, all members of the workforce must understand what PHI is and when it can be used or disclosed without violating the HIPAA Privacy Rule. Training on these topics is essential because it should not be assumed that employees without access to PHI will know what PHI is or why it must be protected.

The Benefits of General HIPAA Training for Employees

General HIPAA training for employees is training that covers the basics of HIPAA. Not only are topics such as PHI and permissible uses and disclosures covered, but also areas of compliance that are common to most, if not all, members of the workforce – for example, patients’ rights, snooping, email security, device protection, shadow IT, etc.

Some general HIPAA training courses also include an explanation of the terms used in HIPAA. This can be particularly beneficial for members of the workforce with little previous knowledge of HIPAA, as it will help them better understand the policies and procedures implemented by their employers to safeguard the privacy and security of PHI.

It can also be beneficial if general HIPAA training for employees covers topics such as why cybercriminals target PHI, how they exploit vulnerabilities to access PHI, and what happens to PHI once it has been accessed and stolen. Providing real life examples of medical identity theft may make employees more careful when using or disclosing PHI.

In most cases, general HIPAA training courses are available online and can be subscribed to by covered entities and business associates on behalf of their employees. This eliminates the need to redesign existing HIPAA training for employees and also means that the training can be re-used to provide refresher HIPAA training annually or as required.

Why Employees Should Take Responsibility for their HIPAA Knowledge

Although general HIPAA training for employees should be provided by employers to reduce avoidable HIPAA violations and data breaches, employers are burdened with multiple training requirements (CMS training, OSHA training, anti-harassment training, etc.) and may be reluctant to add further training to an already busy training schedule.

When general HIPAA training for employees is not provided, employees should take responsibility for their HIPAA knowledge – not only to protect against avoidable HIPAA violations and data breaches, but also to protect themselves from sanctions attributable to a lack of knowledge or understanding that can remain on personnel records indefinitely.

Employers are required by §164.530(e) of the HIPAA Privacy Rule to apply sanctions against members of the workforce who fail to comply with the HIPAA Privacy Rule – even if the violated standard has not been covered in HIPAA training. In most cases, the default sanction is further training, but repeated violations could result in a written warning or termination.

Employees can subscribe to a general HIPAA training course independently, but before doing so it is advisable to speak with your HIPAA Privacy Officer to ensure the content of the course is relevant to your employer’s policies and procedures. It is also advisable to select a course accredited by a recognized training assessor and – if necessary – that awards Continuing Education Units recognized by your professional licensing body.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]