HIPAA TRAINING REQUIREMENTS:
by Daniel J. Solove
HIPAA has extensive training requirements, and they are often a source of many questions and confusion. Whom do they apply to? What topics must covered entities train on? Do business associates need to have HIPAA training? Which employees must be trained under HIPAA? How often must people be trained? How long should HIPAA training be?
HIPAA only provides some of the answers to the questions above. In certain ways, HIPAA provides more specific guidance than many laws about what training is required. But in other ways, HIPAA leaves a lot open to interpretation. To complicate matters, HIPAA’s Privacy Rule and HIPAA’s Security Rule both have separate training requirements.
I will walk through the HIPAA training requirements and explain what is required and what isn’t. I will also provide information about what many institutions do for HIPAA training and my thoughts about best practices.
Where are HIPAA’s training requirements located?
Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5). To see the full text of HIPAA’s training requirements, click here.
What types of organizations must provide HIPAA training?
HIPAA requires that both covered entities and business associates provide HIPAA training to members of their workforce who handle PHI. This means that even small physician’s offices need to train their personnel on HIPAA. Doctors need to be trained. Nurses need to be trained. Business associates — and any of their subcontractors — must have training. Basically, anyone who comes into contact with protected health information (PHI) must be trained.
How long must HIPAA training be?
HIPAA doesn’t specify any particular length for the training. Obviously, training for just a few minutes wouldn’t be sufficient, but training does not have to go on for hours.
A common mistake I see in training programs is that they are often too long and bombard people with a lot of information they don’t need. The human attention span is very short. I have not seen any data to support that very long training programs — ones that go on for 2+ hours — will achieve better comprehension of the material. In fact, this often backfires and results in people coming away remembering less.
I recommend that training be anywhere from 20 to 40 minutes for privacy and 20 to 40 minutes for security. What matters more than time is the content of the training and how effectively and memorably the information is taught.
What topics must HIPAA privacy training cover?
The HIPAA Privacy Rule says that training must be “as necessary and appropriate for the members of the workforce to carry out their functions.” HIPAA thus doesn’t require that everyone be trained in the same way. The Privacy Rule doesn’t provide much further guidance on the specific topics that should be covered in the training.
Many employees may have functions with only a limited involvement with patients or PHI. If an employee is not involved in providing notice to patients or in providing patients with access to their records, they don’t need training on these topics.
At business associates, employees will rarely be involved with administering patient rights (which is typically done by covered entities). Their training need not go into topics that aren’t relevant for their job functions.
The most common and important HIPAA privacy topics to train about include identifying PHI, the minimum necessary rule, the rules about when and how PHI may be disclosed, the importance of confidentiality, avoiding snooping (even when one has access to PHI), and the need to keep an accounting of disclosures. Patient rights and authorization important topics for many employees at covered entities. Basic information about business associate obligations is important for employees at BAs. And training should also discuss the consequences of failing to follow the HIPAA Privacy Rule — how people can be victimized by medical identity theft, how people can lose trust, how organizations can be penalized by HHS and other regulators for violations, and how employees can be penalized too — by their organizations, by civil and criminal penalties under HIPAA, and by state law.
What topics must HIPAA security training cover?
The HIPAA Security Rule provides:
(5) (i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement:
(A) Security reminders (Addressable). Periodic security updates.
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
Training is thus required under the HIPAA Security Rule. The implementation specifications are all addressable, which means that they must be followed unless there is a documented reason for not doing so or a documented alternative measure that is substituted. It is a common misnomer that addressable implementation specifications are merely optional “suggestions.” They are not. If you don’t follow them or use an alternative, you’re going to need a good documented reason for the decision.
The standard (to have a security awareness and training program) is required, and the implementation specifications specify a few topics that need to be covered, which include malicious software, authentication, and passwords.
I believe that a lot more is needed. People need to understand broadly that they play a big role in data security. People need to learn about social engineering, including phishing, the dangers from websites and email attachments, the use of portable devices, and what to do when something seems suspicious.
The HIPAA Privacy rule also contains security protections for regular PHI (the Security Rule only applies to e-PHI). I think it is important to discuss security for physical records too, including proper document retention and destruction.
What else should HIPAA training cover?
I also believe that it is important to motivate, not just educate. It isn’t effective to just throw a bunch of do’s and don’ts at employees. They need to understand why the rules matter. HIPAA’s Privacy and Security Rules are designed to protect people. They are designed to reduce risks. A privacy or security incident can be devastating to an organization’s reputation; people can be harmed; millions of dollars can be lost. And many other employees at the organization will suffer a lot of stress and loss of sleep cleaning up the mess.
People should be taught that good privacy and security practices can help them personally too. These are things that can protect themselves and their families from harm.
It is also important to point out that HIPAA isn’t the only regulation that must be followed. In many cases, there are state laws that are stricter than HIPAA, and HIPAA does not preempt more protective state law. So employees must know that they need to pay attention to state law where relevant.
Among the most important things that HIPAA training should cover are: (1) contact the privacy or security officers with any questions or concerns ; (2) report anything suspicious or any possible violation immediately. The more people ask and the sooner they report troublesome things, the better.
How much should HIPAA training tell people about HIPAA?
A lot of training spends a lot of time talking about HIPAA. It goes into a long discussion of the history of HIPAA’s passage and development. It quotes specific HIPAA language and provisions. In my opinion, this stuff is not necessary and is often a waste of people’s time to cover. It is interesting to HIPAA lawyers, but most people would rather watch paint try or be poked by hot needles.
HIPAA itself states that the training is actually not about HIPAA but an organization’s “policies and procedures with respect to protected health information.” Of course, these policies and procedures are based on HIPAA, so the HIPAA rules must be covered. But HIPAA doesn’t require that people become experts on HIPAA. Instead, it requires that people understand what they are supposed to do and what they are not supposed to do. HIPAA requires training that is relevant for people’s jobs.
Basically, at the end of the training, people should be able to say: “Now I know what I need to do to protect PHI in my job.” They don’t need to know what HIPAA stands for or when it was passed.
To the extent that policies and procedures diverge from HIPAA (perhaps because of stricter state law requirements, or due to special additional requirements in certain contracts, or due to an organization’s own practices which might be stricter than HIPAA), employees should be trained about these divergences. Employees should be provided with an organization’s policies and procedures and be familiar with them.
How role-based should training be?
I have seen effective programs that are highly role-based as well as ones that are more general. For all employees, there is a basic body of common information. For example: understand what PHI is, maintain confidentiality, don’t snoop, use the minimum necessary amount of information, ask questions when in doubt, report anything suspicious, etc. Information for specific roles can then be added on. Keep in mind that as training becomes more role-based it also becomes more challenging to administer.
A fusion approach has worked well at many organizations, with a hub-and-spokes approach — a common course (the hub) with the key information that everyone should know and then spokes for various categories of specific roles.
What matters most is the overarching goal: People must know what they are supposed to do to protect PHI in their jobs. And it is important that training not just convey rules but also educate — it must be understood, remembered, and followed.
Why should HIPAA training do more than just convey rules?
Far too often, training is so focused on saying the right things that it fails to get employees to do the right things. In many training programs I’ve seen, there is an obsession with making sure that every conceivably relevant point be said. Just because something is said doesn’t mean it is learned.
Training must be understood. Information is worthless unless people understand it.
Training must be remembered. If people don’t remember the training, then what’s the point?
Training must be followed. Many incidents aren’t due to people not knowing what they did was careless or wrong; they are due to people just not caring enough about doing the right thing. People are busy; things are hectic; and following HIPAA can be inconvenient and cumbersome at times. As I said above, people don’t just need to be educated — they need to be motivated. Training must make people care.
How often is HIPAA training required?
The HIPAA Privacy Rule states that training must be provided to “each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce” and to “each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures . . . within a reasonable period of time after the material change becomes effective.” Basically, the Privacy Rule requires training upon hiring or whenever there is a material change in policies and procedures.
In practice, most organizations train all employees annually on HIPAA, and I strongly believe that this is the best practice. Memories fade quickly. Policies change and then the fact that these changes were made get forgotten. People need to be constantly reminded of what they must do because all it takes is one lapse and there will be an incident.
At some organizations, it might be harder to sell annual training to upper management, even with the tremendous risk reduction it offers. I recommend that employees at least receive an abridged version of the training each year. Otherwise, it will be forgotten.
The HIPAA Security Rule requires a security awareness and training program for all workforce members with an implementation specification that the program include periodic security updates. The Security Rule doesn’t define what “periodic” means or when and how often people must be trained. Nor does it define what the periodic security updates must consist of.
As with the Privacy Rule, I recommend annual HIPAA security training. The training need not focus directly on HIPAA, as HIPAA security training is not training on the HIPAA Security Rule, which sets forth the administrative, physical, and technical safeguards that must be in place at organizations. The training is about security awareness for the workforce — what people need to know for carrying out their role in protecting PHI.
Security awareness training is essential because humans are the biggest security risk. The risk is huge, and the costs are huge, so I recommend that organizations train often.
The periodic updates need not be comprehensive security training but can be training “bursts” that focus on a particular topic. They need not be in any particular form — they can be a module, a video, an email newsletter, a flyer or poster, or anything that conveys the message. I personally believe that short memorable messages spread out across the year can be immensely effective.
What documentation must be done with regard to HIPAA training?
It is very important that the training be documented, or else it’s like doing homework and forgetting to turn it in. HIPAA requires that training be documented. It doesn’t say much else on how training must be documented. In the event of an OCR investigation or audit, it is best to be able to produce the content of the training as well as when it was administered, to whom, and how frequently. You should also keep track of who completed it successfully and what successful completion entailed.
People’s individual scores on any quizzes in training need not be documented.
What are the consequences for inadequate HIPAA training?
There can be severe consequences:
First, HHS can issue a penalty of up to $1.5 million per provision of HIPAA violated. Suppose an organization has a data breach. OCR investigates. Training, risk analysis, and documentation are low hanging fruit to OCR — they are easy things to point to whenever there’s an incident. In most cases, some aspect of the breach involved human error, and if there was inadequate training, it is easy for OCR to tell the story that better training might have prevented the breach. The bottom line: Inadequate training = bigger fine!
Second, state attorneys general can enforce HIPAA too. Some state laws require training in HIPAA — you can be fined under Texas law up to $1.5 million for failing to follow HIPAA’s training requirement!
Third, because most privacy and security incidents involve human mistakes, training can reduce the risk of having such incidents. Incidents are very costly in terms of time, money, and reputation. Each member of the workforce is a risk. The more workforce members who are more careful, the lower the overall risk will be.
Fourth, inadequate training can be flagged in a HIPAA audit if an organization is audited.
Fifth, certain HIPAA violations can lead to civil or criminal penalties for employees. Employees might receive discipline at the organization, including termination. If they weren’t trained, that could cause a greater risk of litigation in the event of such termination. Doctors and nurses could be charged with ethical violations and might risk sanction or loss of license.
About Professor Solove and TeachPrivacy
This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught privacy law every year since 2000, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 1 million followers. Click here for more information about Professor Solove.
TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.
Please Contact Us If You Are Interested In HIPAA Training
We can provide you with a login so you can evaluate the programs. Click here for our catalog.