How often you have to do HIPAA training depends on factors such as material changes to HIPAA policies and procedures, the frequency of security awareness training, the outcomes of risk analyses and evaluations, and employers’ policies relating to refresher training. You may also have to do HIPAA training as a workforce sanction for a HIPAA violation or as part of a corrective action plan imposed by HHS’ Office for Civil Rights.
A common answer to the question of how often you have to do HIPAA training is: when you start working for a HIPAA covered entity, and whenever your functions are affected by a material change in policies and procedures. However, many other events can trigger HIPAA training, and HIPAA compliance should also be factored into security awareness training and may be included in workplace training mandated by other federal regulations.
What HIPAA Says about How Often You Have To Do HIPAA Training
On the surface, HIPAA appears fairly relaxed about how often you have to do HIPAA training. The HIPAA training standard in §164.530(b) of the HIPAA Privacy Rule states covered entities must provide training “to each new member of the workforce within a reasonable period of time after the person joins the workforce”. If HIPAA training is required due to a material change to HIPAA policies and procedures, this must also be provided within a reasonable period of time.
With regards to the security awareness and training standard in §164.308(a)(5) of the HIPAA Security Rule, the only reference to the frequency of training is the addressable implementation specification for security reminders, which calls for “periodic security updates”. This is despite the standard requiring the implementation of a security awareness and training program for all members of the workforce (including management), the word “program” implying that security awareness training should be frequent and ongoing rather than a one-off event. Since the Omnibus Final Rule, this standard applies directly to business associates as well as to covered entities.
When you look below the surface, there are other standards and implementation specifications that can trigger the provision of HIPAA training. There are also standards that affect who has to do HIPAA training. It can be beneficial to discuss these standards first to establish that, in most cases, both HIPAA training standards – and, by association, how often you have to do HIPAA training – apply to business associates’ workforces as well as covered entities’ workforces.
Why Do Business Associates’ Workforces Have To Do HIPAA Training?
The Omnibus HIPAA Final Rule made some significant changes to the applicability of the HIPAA Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164). The first change was to apply the standards of the HIPAA Administrative Simplification Regulations to business associates “where provided” (§160.102). This means if any standard is applicable to a service being provided by a business associate, the business associate has to comply with it.
To ensure the applicability of HIPAA Privacy Rule standards to business associates “where provided” was not overlooked, the applicability standard at the beginning of the HIPAA Privacy Rule (§164.500(c)) was also amended “with respect to the Protected Health Information of a covered entity”. Effectively, if a business associate has access to a covered entity’s Protected Health Information, they must safeguard the information as if they were the covered entity.
Using this interpretation of the applicability standard, most (*) business associates must develop policies and procedures designed to comply with the HIPAA Privacy Rule, train members of the workforce on those policies and procedures, apply workforce sanctions for any violation of the HIPAA Privacy Rule, and design security awareness training programs to protect against uses or disclosures of Protected Health Information (PHI) not permitted by the HIPAA Privacy Rule. Independently of this interpretation, the HIPAA Security Rule applies directly to business associates, so the security awareness and training standard in §164.308(a)(5) is a direct obligation rather than an inherited one.
(*) The exception to this interpretation is when a business associate provides “no view services” to a covered entity, where PHI is encrypted by the covered entity before it reaches the business associate and the covered entity alone holds the decryption key. Under HHS’ cloud computing guidance, such a provider is still a business associate and must still comply with the HIPAA Security Rule, but because it cannot view the PHI, the Privacy Rule policies, procedures, and training it needs are correspondingly limited.
What Events Can Trigger HIPAA Training Other Than Material Changes?
Other than initial HIPAA training, material change training, and security awareness training, there are many standards, implementation specifications, and events that can trigger the provision of HIPAA training. How often the standards and implementation specifications apply, and how often the triggering events occur, affects how often you may have to do HIPAA training.
Internal reports of HIPAA violations
Covered entities (and business associates where provided) are required by §164.530(c) of the HIPAA Privacy Rule to reasonably safeguard PHI from any intentional or unintentional use or disclosure that would violate the Privacy Rule, and by §164.306(a)(4) of the HIPAA Security Rule to ensure their workforces comply with the Security Rule. Covered entities cannot be in all places at all times, so members of the workforce are often encouraged to report suspected HIPAA violations to the HIPAA Privacy or Security Officer.
Depending on the nature of the violations and the impact they have on the organization, colleagues, and patients/plan members, the most common remedy is HIPAA training. This may be provided solely to the individual member(s) of the workforce responsible for the violations, or – if an internal investigation identifies a widespread culture of non-compliance – HIPAA training could be provided to a team, department, operational unit, or the entire workforce.
External privacy complaints
A more likely reason why you may have to do HIPAA training is when a patient or plan member makes a privacy complaint to the HIPAA Privacy Officer. Privacy complaints may be attributable to impermissible disclosures of PHI, to disclosing PHI after a patient has requested privacy protections for that PHI, to failing to provide access to PHI within the time allowed, to failing to provide an accounting of disclosures, or to any other violation of individuals’ HIPAA rights.
Most privacy complaints originate due to accidental violations, oversights, and/or a lack of HIPAA knowledge. Therefore, unless a member of the workforce has a history of being responsible for privacy complaints, it is highly likely the member of the workforce will receive HIPAA training on the event that resulted in the privacy complaint. The training may be extended to a team if there is reason to believe the entire team requires HIPAA training.
Workforce sanctions
Covered entities and business associates are required not only to apply sanctions for workforce violations of their HIPAA privacy and security policies, but also for workforce violations of any HIPAA Privacy Rule standard or HIPAA Breach Notification standard (§164.530(e)). This means that a member of the workforce could be sanctioned for a HIPAA violation even if they have not received HIPAA training on the standard they have violated.
While this might appear to be unfair, the most common Tier 1 sanction for HIPAA violations is a verbal warning and HIPAA training. Only if the member of the workforce should have known (for example) that a disclosure was impermissible, will the covered entity or business associate apply more stringent sanctions. In such cases, the sanction could be a written warning or a suspension, or – if the HIPAA violation also violates §1177 of the Social Security Act – termination.
Risk analyses and evaluations
The Administrative Safeguards of the HIPAA Security Rule require covered entities and business associates to conduct risk analyses (§164.308(a)(1)(ii)(A)) and periodic “technical and nontechnical evaluations” (§164.308(a)(8)) to establish the extent to which their security policies and procedures meet the requirements of the Rule. A technical issue will most likely be resolved by implementing additional physical or technical safeguards; a nontechnical issue will most likely be resolved by providing workforce HIPAA training.
The Security Rule does not stipulate a fixed frequency for risk analyses and evaluations, only that they are performed periodically and in response to environmental or operational changes affecting the security of electronic PHI. The nature and audience of any resulting HIPAA training depend on the nontechnical issue identified: it may be provided to the entire workforce, to an individual member of the workforce, or by a covered entity to a business associate’s workforce.
Compliance reviews
HHS’ Office for Civil Rights can initiate compliance reviews for multiple reasons. It may be that a privacy complaint has been submitted directly to – or escalated to – the agency, that a whistleblower has alerted the agency to non-compliance within a covered entity, or that the agency has received a breach notification. Before launching an investigation or taking enforcement action, HHS’ Office for Civil Rights will request more information from the covered entity.
The Principles for Achieving Compliance (§160.304) and the process for Compliance Reviews (§160.308) state that HHS’ Office for Civil Rights will, where practicable, seek the cooperation of covered entities and business associates in obtaining compliance and will resolve matters by informal means such as voluntary compliance or corrective action where possible. A compliance review must be conducted when a preliminary review of the facts indicates a possible violation due to willful neglect, and may be conducted in other circumstances. If a covered entity acknowledges the issue and demonstrates it has resolved it, for example through the provision of HIPAA training, HHS’ Office for Civil Rights may close the matter without further action.
Corrective action plans
When a covered entity is unable to demonstrate it has resolved allegations of non-compliance, HHS’ Office for Civil Rights will enforce a corrective action plan. The agency imposes around six hundred corrective action plans per year according to its most recent annual Report to Congress – most of which require covered entities and business associates to retrain their workforces. This can be verified in the Archive section of the HHS Breach Report Portal.
Unlike the previous triggers that can affect how often you have to do HIPAA training, the HIPAA training required under a corrective action plan is comprehensive. Therefore, rather than individuals having to do HIPAA training on one element of the HIPAA Privacy Rule or HIPAA Security Rule, the whole workforce may have to undergo HIPAA awareness training, HIPAA policy and procedure training, and HIPAA security awareness training for a period of up to three years.
Changes to technology
How often you have to do HIPAA training is not only attributable to adverse events. A covered entity or business associate may implement new technology to make your job easier to do, in which case it will be necessary to train you on the new technology. The training should include an explanation of how access controls are configured to protect against threats or hazards to electronic PHI, so you don’t attempt to circumvent the controls to “get the job done”.
Depending on the purpose of the technology, there may be other guidelines you need to follow. For example, if a new encrypted email solution is being implemented, you should be told not to include PHI in the subject line of an email. Standard email encryption (S/MIME, PGP, and most gateway products) encrypts only the message body and attachments; headers such as the subject line remain in cleartext so that mail servers, spam filters, and email archives can route, index, and retrieve the message. Transport encryption (TLS) protects headers only while in transit between servers, not at rest in mailboxes or archives. There may also be other HIPAA email rules it is necessary to comply with.
Refresher HIPAA training
If none of the above events occur, employers can – but are not required to – implement a schedule of refresher HIPAA training. The primary advantage of refresher HIPAA training is that it ensures all members of the workforce are reminded of their compliance obligations and best practices for fulfilling them. It can also alert covered entities and business associates of non-compliant practices that have developed since any previous refresher HIPAA training.
Refresher HIPAA training for all members of the workforce ensures that workforce members who have not been involved in “enforced” HIPAA training (i.e., due to a complaint, sanction, or change to technology) are kept up to date with events that may not directly affect their functions, but which they should be kept informed about – for example, if a covered entity conducts an asset inventory to meet the requirements for HHS’ Cybersecurity Performance Goals.
When Might HIPAA Training be Included in Other Regulatory Training?
In addition to HIPAA training, most workforces in the healthcare and health insurance industries have other regulatory training requirements. Where possible, covered entities and business associates can reduce the training “burden” by integrating HIPAA training with (for example) OSHA bloodborne pathogen training. As bloodborne pathogen training is required “at least annually” (§1910.1030(g)(2)), this would be a good opportunity to integrate refresher HIPAA training.
Other regulatory training requirements into which HIPAA training could be integrated include CMS’ Emergency Preparedness Rule training and CDC’s National Healthcare Safety Network training. It is worth noting that qualified professionals in both the healthcare and health insurance industries may be able to take advantage of online HIPAA training integrated into other regulatory training in order to earn CEUs towards state licensing requirements.
Therefore, in answer to the question how often do you have to do HIPAA training, HIPAA training is required as often as necessary to prevent impermissible uses and disclosures of PHI and ensure the confidentiality, integrity, and availability of electronic PHI. However, you may want to do HIPAA training more often if it helps prevent you inadvertently violating HIPAA due to a lack of knowledge or if it benefits your career progression.