HIPAA Training

5 Essential Things to Know

Five Essential HIPAA Training Questions

1. What kind of training does HIPAA require?
HIPAA requires covered entities (CEs) and business associates (BAs) provide HIPAA privacy and security training to workforce members who handle protected health information (PHI). As a result, administrative staff, clinical personnel, business associates and subcontractors need to be trained. Basically, anyone in contact with PHI must be trained.

2. How often must HIPAA training be offered?
The HIPAA Privacy Rule requires training upon hiring and whenever there is a material change in policies and procedures. Separately, the HIPAA Security Rule requires security awareness training for all workforce members, with periodic security training updates. Most organizations train all employees annually on HIPAA privacy and security awareness.

3. How long must HIPAA training be?
HIPAA doesn’t specify a training length. However, I recommend training be anywhere from 10 to 40 minutes for privacy and 10 to 40 minutes for security. Ultimately, what matters most is effective, memorable training content, not the length.

4. What are the key topics HIPAA training should cover?
The most common and important HIPAA privacy topics include identifying PHI, the minimum necessary rule, the rules about when and how PHI may be disclosed, the importance of confidentiality, avoiding snooping, and the accounting of disclosures. Patient rights and authorization are important topics for many employees at covered entities. Basic information about business associate obligations is important for employees at BAs. Security topics include phishing, passwords, social engineering and physical access. Training should also discuss the consequences of failing to follow the HIPAA Privacy Rule.

5. Does HIPAA training really matter?
Yes! People must know how to protect PHI in their jobs. Also, HIPAA training should not just convey rules but also educate: the rules must be understood, remembered, and followed. In fact, there can be severe consequences for organizations that violate HIPAA rules. Great, engaging training wins the day!

This article is by Professor Daniel J. Solove, a law professor who has authored 10+ books and has often been a keynote at the HIPAA Summit. Through his company, TeachPrivacy, Professor Solove provides HIPAA training to healthcare providers and plans, as well as companies.

Do you have other questions about HIPAA training? Are you interested in short HIPAA training? Would you like to provide your team with fun HIPAA vignettes, games, and cartoons? Contact us!
