HIPAA training is a specific requirement of HIPAA. HIPAA requires that covered entities (CEs) and business associates (BAs) provide HIPAA training to members of their workforce who handle protected health information (PHI). This means administrative and clinical personnel need to be trained. Business associates — and any of their subcontractors — must have training. Basically, anyone who comes into contact with PHI must be trained.
HIPAA’s Privacy Rule and HIPAA’s Security Rule each have their own training requirements. Generally, the training requirements in both rules are rather sparse — not a lot of guidance is provided.
The HIPAA Privacy Rule, at 45 CFR § 164.530(b)(1), says that training must be “as necessary and appropriate for the members of the workforce to carry out their functions.” HIPAA thus doesn’t require that everyone be trained in the same way. It is also important to note that HIPAA training doesn’t mean training to make trainees experts on HIPAA. In fact, HIPAA doesn’t even state that trainees learn about HIPAA itself; instead, they must learn about how to carry out their organization’s obligations under HIPAA.
The Privacy Rule doesn’t provide much further guidance on the specific topics that should be covered.
I believe that common and important HIPAA privacy topics to train about include:
- identifying PHI
- the minimum necessary rule
- the rules about when and how PHI may be disclosed
- the importance of confidentiality
- avoiding snooping (even when one has access to PHI)
- the need to keep an accounting of disclosures
Patient rights and authorization are important topics for many employees at CEs, but employees at BAs will rarely need to know these topics. Basic information about BA obligations is important for employees at BAs.
The HIPAA Security Rule, at 45 CFR § 164.308(a)(5), requires organizations to “Implement a security awareness and training program for all members of its workforce (including management).”
The HIPAA Security Rule only specifies a few topics that need to be covered, including prevention, detection, and reporting of malware as well as login, authentication, and passwords. Organizations must implement “periodic security updates.”
As with HIPAA’s privacy training requirements, HIPAA’s security training requirements are also quite vague and lack much guidance. As with HIPAA privacy training, effective HIPAA security training requires organizations to go beyond HIPAA’s minimal guidance in order for the training to be effective. For HIPAA security training, people need to understand broadly that they play a big role in data security. People need to learn about phishing and other types of social engineering, the dangers from websites and email attachments, the use of portable devices, and what to do when something seems suspicious.
The HIPAA Privacy Rule also contains security protections for PHI in any form (the Security Rule only applies to e-PHI). I think it is important to discuss security for physical records too, including proper document retention and destruction.
HIPAA is ahead of the curve in that it requires training on privacy and security; many privacy and security laws lack any training requirements. However, HIPAA provides scant guidance about the topics that should be covered as well as how to design an effective training program. These matters are thus left to HIPAA-regulated organizations, and they are not as easy as one might think. I’ve seen a ton of examples of HIPAA training. Some training courses are far too long and detailed, and key points are lost in all the noise. Other training fails to cover essential information. And, HIPAA training is often slow and boring. In short, it’s great that HIPAA requires training, but that’s not enough. Training must be good.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.