HIPAA training needs to be completed within “a reasonable period of time” after a person joins an organization’s workforce and thereafter whenever there is a material change to policies and procedures, whenever a need for training is identified, and whenever HIPAA training is imposed as a workforce sanction. All workforce members must also participate in an ongoing HIPAA security awareness training program.
There can sometimes be a grey area between how often HIPAA training needs to be completed and how often HIPAA training should be completed, because the HIPAA training requirements are interpreted in different ways by different organizations. For example, some organizations base the provision of HIPAA training solely on the two HIPAA training standards in the HIPAA Privacy Rule and HIPAA Security Rule.
The HIPAA Privacy Rule training standard states that HIPAA privacy policy and procedure training must be provided to new members of the workforce “within a reasonable time” and to existing members of the workforce when there is a material change to HIPAA policies and procedures that affects their functions. The HIPAA Security Rule training standard requires that a security awareness training program be provided for all members of the workforce.
Other organizations may also provide HIPAA privacy training whenever a need for training is identified, impose HIPAA training as a workforce sanction, incorporate HIPAA awareness into other mandated training (e.g., CMS’ emergency preparedness training), or schedule annual refresher training regardless of any other training provided during the year. HIPAA training might also be provided in response to a privacy complaint or data breach.
How Often Should HIPAA Security Awareness Training be Completed?
With regard to HIPAA security awareness training, this should be a program rather than a one-off event, and it must be provided “in accordance with §164.306” (the General Requirements of the HIPAA Security Rule). The requirement to provide HIPAA security awareness training in accordance with §164.306 means that the content of the training should be HIPAA-centric rather than purely generic.
The frequency of HIPAA security awareness training should be determined by a risk analysis and periodic evaluations – both of which are required by the Administrative Safeguards of the HIPAA Security Rule. It may also be determined by the introduction of new technologies or safeguards, while proposed changes to the HIPAA Security Rule suggest that annual role-based security training will become a future requirement for HIPAA compliance.
Many organizations already provide HIPAA security awareness training at least quarterly, supported by monthly security reminders. In these cases, the proposed changes to the HIPAA Security Rule will have little impact on the frequency of HIPAA Security Rule training. It is more likely that the proposed changes – if finalized – will align the content of HIPAA security awareness training more closely with HHS’ Cybersecurity Performance Goals.
Summary of How Often Does HIPAA Training Need to be Completed
The proposed changes will do little to eliminate the grey area between how often HIPAA training needs to be completed and how often HIPAA training should be completed. However, they will mandate that new workforce members be provided with role-based security training within 30 days of having access to electronic information systems. This may help resolve the “reasonable period of time” issue with HIPAA Privacy Rule training.
Assuming that both HIPAA policy and procedure training and HIPAA security training are provided within 30 days, a summary of how often HIPAA training needs to be completed might look like this:
Required HIPAA Training
- Within 30 days: HIPAA policy and procedure training and HIPAA security training.
- When a new security technology or safeguard is implemented (proposed).
- Periodically and at least annually: Role-based security awareness training.
- Whenever there is a material change to HIPAA policies and procedures.
Additional HIPAA Training
- When a risk analysis or evaluation identifies a need for further HIPAA training.
- When non-compliance with a HIPAA standard is observed in the workplace.
- When additional HIPAA training is a sanction for a workforce HIPAA violation.
- When HIPAA awareness training is incorporated into other mandated training.
- In response to a privacy complaint, impermissible disclosure, or data breach.
- Annual HIPAA Privacy Rule refresher training (optional depending on other factors).
How to Reduce the Frequency of Privacy Rule Training
Most of the additional HIPAA training relates to HIPAA Privacy Rule issues. Because the events that can lead to the need for additional HIPAA training cover a multitude of scenarios, it is not possible to design a one-size-fits-all training program that can be used in response to every event. Therefore, in order to reduce the frequency of HIPAA Privacy Rule training, it is advisable to reduce the frequency of the events that lead to the need for additional HIPAA training.
Reducing the frequency of these events is not as impossible as it sounds, because the majority of HIPAA violations, impermissible disclosures, and data breaches have an internal human element (80% according to Verizon’s Data Breach Investigations Report). The reasons for the internal human element being so high include a lack of knowledge, a lack of understanding, and a lack of care (as evidenced by the web descriptions in the Archive section of HHS’ Breach Portal).
Therefore, by increasing HIPAA knowledge, workforce understanding of HIPAA, and the level of care taken, the number of HIPAA violations, impermissible disclosures, and data breaches – and with it the frequency of HIPAA Privacy Rule training – should reduce. The way to achieve these objectives is to provide HIPAA basics training at the earliest possible opportunity when a new member of the workforce starts working for a HIPAA-regulated entity.
How Does HIPAA Basics Training Resolve These Issues?
One of the challenges of training new members of the workforce is disparities in the level of knowledge. Some may have no knowledge of HIPAA due to not having worked in the healthcare industry before, some will have a better understanding of HIPAA than others due to (for example) their professional training, while others may have had their understanding of HIPAA corrupted in a previous role with a non-compliant employer.
HIPAA basics training resolves the challenge of knowledge disparities by raising the knowledge levels of all new members of the workforce so that HIPAA policy and procedure training is better understood and HIPAA security awareness training is more relatable. It also explains the real consequences of HIPAA violations, impermissible disclosures, and data breaches to encourage new members of the workforce to take more care with Protected Health Information.
HIPAA basics training courses are widely available on the Internet and can be subscribed to by an organization or by individual members of the workforce who are concerned about their own levels of HIPAA knowledge. The courses are most often completed remotely to suit individual workflows, and award a certificate on completion of a final test that can be used by organizations to document the provision of training.
The concept of taking more HIPAA training in order to reduce how often HIPAA training needs to be completed may appear to be a paradox, but increasing workforce members’ knowledge and understanding of HIPAA at the earliest stage possible increases compliance with workplace policies and procedures. Organizations and individuals requiring more information about HIPAA basics training courses are advised to reach out to an accredited training provider.