The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was an important piece of legislation for the healthcare and healthcare insurance industries as it became the foundation for the Department of Health and Human Services (HHS) creating a “federal floor of privacy protections for individuals´ individually identifiable health information”.
The privacy protections consist of multiple “Standards” which HIPAA-Covered Entities must comply with – along with Business Associates who provide services on behalf of Covered Entities. The failure to comply with the Standards of the Privacy and Security Rule is itself a violation of HIPAA which can result in the HHS´ Office for Civil Rights applying financial penalties.
The Standards Relating to HIPAA Training
Some of the most important HIPAA Standards concern training employees, students, volunteers, and other members of the workforce. All members of a Covered Entity´s workforce must be trained on the policies and procedures the Covered Entity has developed with respect to Protected Health Information (PHI) for members of the workforce to “carry out their functions”.
While this requirement of Standard § 164.530 does not stipulate every member of the workforce must be trained on the Covered Entity´s policies and procedures, a Covered Entity would be in violation of HIPAA if any member of the workforce disclosed PHI without authorization or without the consent of the PHI subject (i.e. a current or former patient).
Therefore, it should be assumed every member of a Covered Entity´s workforce should be trained on some aspects of HIPAA, while those in public-facing roles and with more access to PHI will require comprehensive training relating to patients´ rights, disclosure rules, and the best practices for preventing HIPAA violations in the context of their roles and responsibilities.
By comparison, Standard § 164.308 is clear that Covered Entities and Business Associates must implement a security and awareness training program for all members of the workforce. No details are provided about what the security and awareness training program should consist of, so the content of each program should be developed according to the results of a risk analysis.
In addition to the above, it is a best practice to conduct periodic refresher training. HIPPA only requires refresher training when “functions are affected by a material change” – and then only for those who the material change impacts. Nonetheless, if a data breach occurs that could have been reasonably foreseen and prevented with refresher training, the Covered Entity or Business Associate will be considered liable rather than the negligent member of the workforce.
Modular HIPAA Training Resolves Most Training Issues
Compiling multiple training courses for different groups of the workforce can be time consuming and costly. Therefore, it is recommended Covered Entities and Business Associates prepare training modules that can be mixed and matched to provide “necessary and appropriate” training relevant to the roles and responsibilities of employees, students, volunteers, and others.
A further advantage of providing modular HIPAA training is that, when a policy is modified, functions are affected by a material change, or a HIPAA Rule is updated, only those modules impacted by the changes have to be amended, and only those groups who have been trained on the amended module(s) have to undergo refresher training.
With this in mind, we have suggested a selection of modules below divided into three groups. The first consists of basic modules that are suitable for employees with less exposure to PHI or as an introduction for members of the workforce who will go on to receive more advanced training. The second group consists of advanced modules suitable for targeted training and compliance with Standard § 164.308; while the third group includes additional modules targeted at students.
Basic Training Modules
All HIPAA training courses for new employees, volunteers, and students should begin with an overview of HIPAA to explain what HIPAA is, why it exists, and what relevance the Privacy and Security Standards have to their roles and responsibilities. This module should be presented to all employees, volunteers, and students regardless of their roles and responsibilities.
HIPAA Definitions and Terminologies
While it is a best practice to present HIPAA training modules in plain English so they are easier to understand, there will be occasions when it is necessary to explain concepts of using HIPAA terminology (i.e., Covered Entities, Business Associates, etc.). For this reason, it can be a good idea to present a module on HIPAA definitions so trainees understand the terminologies being used.
The HITECH Act
Most employees will not require an in-depth knowledge of the HITECH Act. Nonetheless, as this was the Act responsible for the Omnibus Final Rule and the Meaningful Use and Promoting Interoperability programs (which will affect the day-to-day functions of most healthcare workers), it can be a good idea to include this module in a basic training curriculum.
The 5 HIPAA Rules
Although there is no requirement to train the workforce on the Enforcement Rule, Covered Entities are required to provide training on the Breach Notification Rule. Thereafter, most policies and procedures will likely be based on the Privacy Rule, Security Rule, and Omnibus Final Rule, so it can be beneficial to explain these rules during the HIPAA training course.
The Privacy Rule
The Privacy Rule was the foundation for HIPAA inasmuch as it introduced Standards for patients´ rights, defined PHI, and qualified allowable disclosures of PHI that did not require consent. In addition, the Rule introduced concepts such as the Minimum Necessary Standard and the imposition of civil money penalties for non-compliance with HIPAA and HIPAA violations.
The Security Rule
A module about the Security Rule should be included in all security and awareness training programs as it includes the administrative, physical, and technical safeguards that both Covered Entities and Business Associates are required to comply with. These safeguards will naturally impact the policies and procedures workforces have to comply with.
The Omnibus Final Rule
The Omnibus Final Rule implemented multiple provisions of the HITECH Act to strengthen the privacy and security protections already in place. It also gave the HHS Office for Civil Rights´ increased powers to pursue regulatory action against Covered Entities and Business Associates who failed to comply with the requirements of HIPAA.
Patients´ Rights under HIPAA
This is an important module to include in a HIPAA training course as it explains the rights patients have to access PHI and request corrections. Patients also have the right to request an accounting of disclosures of PHI (who PHI has been disclosed to or shared with) and to request that information about privately paid for treatment is not shared with a health plan.
PHI Disclosure Guidelines
The patients´ rights to request an accounting of disclosures of PHI make it necessary for employees to understand when they can disclose or share PHI without consent and how it should be recorded. This module should also cover events when patients should be given the opportunity to object to PHI being disclosed or shared that are not covered by the PHI disclosure guidelines.
A common misconception about HIPAA is that there has to be a data breach for a HIPAA violation to occur. This misconception can be avoided by presenting a module on HIPAA violations, how they occur, and what their consequences are. The consequences should not only focus on civil penalties, imposed for non-compliance, but also on the consequences to employees and patients.
Preventing HIPAA Violations
After explaining what HIPAA violations are, it is a good idea to present a training module on preventing HIPAA violations. The module should include best practices that are relevant to trainees´ roles and general advice such as securing personal BYOD devices with PIN numbers and auto logout capabilities to prevent unauthorized access to PHI if a device is stolen or left unattended.
Being a HIPAA Compliant Employee
To round off an introductory HIPAA training course, Covered Entities and Business Associates can present a module reviewing the content of previous modules and opening the session for any questions. This will give trainers an indication of whether the training has been absorbed and if any refinements are required for future modules and training courses.
Advanced Training Modules
Timeline of HIPAA
A module expanding on the timeline of HIPAA can serve as a useful introduction to a refresher or advanced training course as it can be used to remind course attendees of the modules covered in basic training. This is also an easy module to update when a policy is modified, functions are affected by a material change, or a HIPAA Rule is updated.
Physical Threats to Patient Data
While the nature of cybersecurity threats to patient data are constantly evolving, employees need to be reminded there are also physical threats. Therefore, this module could be used to reinforce best practices such as positioning workstations out of public view, safeguarding paper copies of PHI, and ensure mobile BYOD devices are secured against unauthorized access and disclosures.
Computer Safety Rules
A module about computer safety rules can serve multiple purposes. For example, it can reinforce corporate policies about the personal use of workstations, downloading attachments from emails, and visiting websites likely to harbor drive-by malware downloads. Ideally, these policies should be presented in the context of HIPAA to advance individuals´ understanding of the rules.
HIPAA and Social Media
Employees, students, and volunteers need to be aware that posting any form of PHI on a social media account without patient consent is a violation of HIPAA. Employees, students, and volunteers need to be advised of what sanctions they will incur for a willful violation of HIPAA and alerted to the possibility of a patient bringing a private course of action against an individual.
HIPAA and Emergencies
In certain circumstances, HHS´ Office for Civil Rights has the discretion to waive enforcement action for violations of HIPAA. This most often happens during emergencies to remove barriers from the flow of public health information. Trainees need to be aware of how they will be informed about waivers to avoid being misled by misinformation in the public domain.
HIPAA Officers are responsible for developing the policies and procedures employees have to follow in order to be HIPAA-compliant. There should be at least one module presented by a HIPAA Office during each course so attendees can put a face to a name. Alternatively, a module should be dedicated to introducing the HIPAA Officers and explaining their roles and responsibilities.
HIPAA Compliance Checklist
At any time during advanced HIPAA training, it is a good idea to gauge how much information has been absorbed by attendees. Covered Entities and Business Associates can use a HIPAA compliance checklist either as a reminder module or in the form of a quiz to determine where further training may be required or where existing modules need to be presented differently.
Recent HIPAA Updates
Even if there have been no recent HIPAA updates, it can be beneficial to summarize what has been taught during basic training to keep HIPAA at the top of individuals´ minds. Like the HIPAA timeline module, this module is easy to update when HIPAA updates result in material changes to policies and procedures that impact the functions of the workforce.
Texas Medical Records Privacy Act and HB 300
HIPAA preempts state law except when state law places more responsibilities on Covered Entities or gives patients enhanced rights. The Texas Medical Records Privacy Act does both, and Covered Entities subject to this state law should ensure its employees are familiar with the differences between the Texas Medical Records Privacy Act and HIPAA.
Cybersecurity Dangers for Healthcare Employees
Cybercriminals are constantly finding new ways to probe for healthcare information that can be monetized or used to commit insurance fraud and identity theft. Although organizations should have mechanisms in place to safeguard ePHI from unauthorized disclosures, it is important healthcare employees understand why these mechanisms are in place and how to use them.
How to Protect ePHI from Cyber Threats
Beyond alerting healthcare employees to cybersecurity dangers, a module on how to protect ePHI from cyber threats can reinforce online security best practices such as password management and help build susceptibility against phishing. This module is not exclusively for healthcare employees, as it can benefit all members of a Covered Entity´s or Business Associate´s workforce.
Student Training Modules
Healthcare students are most often supervised when they first encounter PHI. Nonetheless, it is important they do not disclose patient identities or discuss individually identifiable health information with anybody unless it is crucial to their medical training. Consequently, it is important student training consists of a mixture of basic and modules, plus further modules directed at students. A suitable selection of student training modules would include:
- Timeline of HIPAA
- HIPAA Overview
- HIPAA Definitions and Terminology
- The HITECH Act
- The 5 HIPAA Rules
- The Privacy Rule
- The Security Rule
- The Omnibus Final Rule
- Patients´ Rights under HIPAA
- PHI Disclosure Guidelines
- HIPAA and Social Media
- Threats to Patient Data
- Computer Safety Rules
- HIPAA Violations
- Preventing HIPAA Violations
- HIPAA and Emergencies
- HIPAA Officers
- Recent HIPAA Updates
EHR Access by Healthcare Students
Healthcare students should only be permitted EHR access under supervision and only using login credentials assigned to them. Using somebody else´s password to access an EHR is a violation of HIPAA because it means system administrators cannot compile an audit trail if an unauthorized disclosure of PHI occurs.
Using ePHI in Student Reports and Projects
As part of their medical training, students are required to write reports and participate in projects. However, using ePHI in reports and projects without patient consent is a violation of HIPAA. Therefore, this module should be used to explain how to obtain consent from patients and/or how to deidentify PHI so it can be used in reports and projects without patient consent.
Being a HIPAA Compliant Student
In the same way as employees should be reminded of the importance of being HIPAA-compliant, students need to be made aware of best practices and the sanctions for violations of HIPAA. In some cases, violations of HIPAA can end a medical student´s career, so it is advisable for Covered Entities to alert students to this risk to avoid losing their investment in the student´s medical training.
How to Provide HIPAA Training Effectively
HIPAA training should be more than a box-ticking exercise because Covered Entities and Business Associates need workforces to be HIPAA compliant to be HIPAA compliant themselves. Consequently, the following is a selection of best practices that should help HIPAA Officers provide HIPAA training effectively.
- Avoid making training sessions too long as it is difficult to absorb and retain significant volumes of information.
- Schedule multiple training sessions if necessary – particularly when training new employees, students, and volunteers.
- Select modules relevant to the workforce group receiving HIPAA training, but also include background modules to give the training context.
- Incorporate how to report a possible violation in the training module on the Breach Notification Rule.
- Include management in as much training as possible. Not only is it a requirement of Standard § 164.308 managers are included in a security and awareness training program, but it also demonstrates that policies apply to all workforce members.
Finally, ensure that all HIPAA training is documented – not just the dates training was provided, but which modules were included and who to. This will make it easier to provide refresher training when a policy is modified, functions are affected by a material change, or a HIPAA Rule is updated. In addition, when training includes the module on the Texas Medical Records Privacy Act, the record of training has to be signed by each attendee and the document retained for a minimum of six years.
HIPAA Training FAQs
What is the timeframe for providing HIPAA training to new employees?
Standard § 164.530 stipulates training should be provided “within a reasonable period of time after the person joins the Covered Entity´s workforce”. Depending on the new employee´s previous experience, training should be provided as soon as possible to avoid inadvertent disclosures due to a lack of knowledge.
How long should HIPAA training take?
Although it may be simpler to schedule long training sessions, it is a best practice to limit training to forty minutes per session. If it is not possible to cover everything relevant to a group´s roles or responsibilities, training sessions should be run over several days or a week. Some experts also recommend keeping privacy and security training separate from each other.
To what extent should HIPAA training be role-based?
It is important to give all employees an overview of HIPAA so they have a good grasp of the scope of the legislation. Certain groups of employees will require additional training on aspects of HIPAA that are relevant to their job. A training course should include core elements for all employees, and optional modules that can be completed by individuals in specific roles.
Should privacy and security training include anything other than the HIPAA regulations?
Several states have introduced legislation covering the privacy and security of medical data. In addition to providing training on the requirements of HIPAA, training must also cover state laws, as appropriate. For instance, healthcare employees must be provided with Texas HB 300 training if they are based in or do business with Texas residents.
What are the most important elements of HIPAA training?
Healthcare employees must be able to identify PHI, know how to protect it, what disclosures are permitted, and be aware of the consequences of HIPAA violations. Training should explain the requirements of HIPAA, but it is also important to make sure those requirements are understood so they will be applied by employees after training. You should therefore evaluate understanding during or at the end of each training session.