The Complete Guide to HIPAA Training Requirements
With the passage of HIPAA (Health Insurance Portability and Accountability Act) in 1996, companies handling a patient’s medical information needed to protect it. If your company handles medical information, you must protect it from hackers or others who do not need to see it.
HIPAA spells out the type of information that needs protecting. Additionally, HIPAA discusses that employees need training to make sure they understand HIPAA and how to protect the data.
Even though training related to HIPAA compliance is a clear requirement in the act, the type of training to deploy is not as clear-cut. If you are unsure exactly what steps to take regarding your HIPAA training requirements, here are some of the most important questions and topics to understand.
Does My Organization Need HIPAA Training?
Ultimately, any organization that could come into contact with PHI (protected health information) must comply with HIPAA regulations. Any such organization also must undergo HIPAA training to help ensure compliance.
Because so many aspects of PHI now involve electronic health records, companies must include training on how to protect these digital records. Your organization must protect these records while they reside on your network, as well as when you send them to other organizations via email.
So how do you know if you are handling protected health information? PHI involves any old or current health information for a person. It also involves future health information for the patient that the organization will collect. Some specific examples of PHI include:
- Diagnosis: Any information related directly to the patient’s health or diseases, including test results and scans.
- History: Any information related to the health history of the patient, including past treatments and diagnosis.
- Personal information: Any information that identifies the patient, such as birthdate, address, phone number, photographs, fingerprints, and identification coding the organization uses.
- Payment information: Any account numbers or medical bills charged to the patient.
- Insurance information: Any information related to the patient’s health insurance coverage or reimbursement for claims.
It does not matter how much PHI you handle for a person. Even if your organization only handles one type of PHI, HIPAA training is a requirement.
Which Specific Organizations Need HIPAA Training?
Two types of entities must comply with HIPAA, called covered entities and business associates.
If your organization fits under either of these definitions, it must undergo HIPAA training to remain in compliance.
Covered Entities
Covered entities often are medical providers that generate and store health information for patients. Some specific types of covered entities include hospitals, nursing homes, doctor’s offices, dentist’s offices, and other healthcare providers.
Additionally, health insurance plans, clearinghouses for health care information, and government programs that deal with healthcare fit as covered entities under HIPAA. Any subcontractors that the covered entities work with must also follow HIPAA guidelines, if those subcontractors may handle PHI.
Business Associates
Business associates typically are those that deal with a patient’s healthcare information when working directly with a covered entity. Through this work, the business associate may need to store or make use of the patient’s health information once or multiple times. Because of the presence of this information, business associates must follow all HIPAA regulations, including undergoing training.
Some types of business associates can include medical transcriptionists, cloud storage service providers, medical billing providers, attorneys, manufacturers of medical devices, processors of insurance claims, consultants, and debt collection agencies.
Which Individuals Need HIPAA Training?
If you work for a company either directly or as a subcontractor, and if you handle PHI, you will need to undergo HIPAA training to remain in compliance with the act. If you could handle PHI when working for a particular company, even if you haven’t yet handled PHI, the act suggests that you should undergo training. In other words, you should always err on the side of caution when determining whether you need HIPAA training.
Which Topics Should Be Part of HIPAA Training?
HIPAA does not list any specific topics and materials to discuss during training sessions. You simply need to make use of topics that will allow your employees to remain in HIPAA compliance.
Multiple topics fit within HIPAA compliance guidelines, and any of these would be appropriate to include within training sessions. Your organization may want to provide an overview of every potential HIPAA topic. Perhaps you will choose to focus on a few specific topics that precisely fit the way you make use of PHI. Some key topics you may want to include as part of training include the following.
- HIPAA overview: Your employees should have a full understanding of what HIPAA requires and all the ways that HIPAA affects your organization. If employees understand where and when they may encounter data that could fall under HIPAA, they can focus on following protective measures at those times.
- PHI overview: Your employees should also fully understand what constitutes PHI. They need to be able to recognize PHI whenever they encounter it.
- Patients’ rights: Through training, your employees can understand patients’ rights involving PHI under HIPAA. Patients have the right to control their PHI. By viewing data through the eyes of the patient, it may be easier for your employees to understand when to take the required steps to protect the data.
- Safe use of hardware: If employees will be accessing PHI through the cloud or from a mobile device, rather than through local computer network storage, they need to know how to do so with maximum safety measures in place. For example, during training, you may want to help employees understand how to create settings on their mobile devices that provide the required level of protection for viewing and using PHI.
- Recognition of potential violations: Use training to give your employees information on spotting areas of weakness in the way your team is handling PHI. By having both administrators and employees watching out for weaknesses in your plan to protect PHI, it will be easier to spot potential problems before they create a data breach.
- How to report breaches: Should employees notice a potential exposure of PHI, they need to know how to report the problem. Training sessions should spend some time on giving employees a series of steps to follow to let the right person in the organization know about the problem as quickly as possible.
- Understanding PHI threats: It’s easy to think of a hacker breaching your network and stealing PHI as a HIPAA violation. However, the majority of threats to PHI within your organization don’t involve a hacker actively stealing the data. Instead, things like careless handling of data, exposure of login credentials, and giving PHI to employees who don’t have HIPAA training are far more common causes of HIPAA violations than a hacker attack. Use training to highlight all potential threats to PHI within your organization.
- Consequences of violations: Giving your employees a sense of the potentially major violations your company could face after a HIPAA violation can help them understand why they need to take the HIPAA training seriously.
What’s primarily important during HIPAA training is ensuring that your employees have a clear understanding of PHI and HIPAA. They also need to understand why protecting PHI is so important. Giving employees general guidance typically works better than giving them a series of specific topics to memorize as part of HIPAA training.
You probably cannot anticipate every potential HIPAA and PHI problem that your employees may encounter. Giving them the basic knowledge they need to recognize PHI and to understand why it’s important to protect the data allows them to make common-sense choices on how to proceed in an unusual circumstance related to HIPAA.
Which Training Requirements Fit Within the HIPAA Security Rule?
General mentions of HIPAA training requirements occur in both the HIPAA Security Rule and the HIPAA Privacy Rule.
Let’s start with the HIPAA Security Rule, which creates the standards that your organization needs to follow to protect a person’s electronic PHI. Any time that an entity creates, uses, stores, or receives PHI, it must follow the standards for guarding the integrity and confidentiality of the PHI, as spelled out in the Security Rule.
Training requirements listed in the HIPAA Security Rule specify that each organization handling PHI must create a training program that addresses security awareness for this data. Some of the rule’s key components for this type of training include:
- Protecting against malicious software
- Protecting login credentials for those handling PHI
- Monitoring those who log in and access PHI
- Delivering reminders about security measures
This type of training focuses on network security and how employees use your network.
However, the HIPAA Security Rule does not specify exactly what kinds of security your organization must use or must train on to be in compliance with the rule. Companies receive the ability to make use of training methods and networking setups that they prefer.
Which Training Requirements Fit Within the HIPAA Privacy Rule?
The HIPAA Privacy Rule also mentions training requirements. Again, like the Security Rule, the Privacy Rule is not specific regarding the methods the organization must use to remain in compliance. It gives your company some leeway in the types of hardware and software you use related to the network and to training.
The Privacy Rule focuses on the frequency and immediacy of the training. Some of these items include:
- Finishing all employee training by the date your organization promises to reach HIPAA compliance
- Delivering training within a certain amount of time after the hiring of a new employee
- Implementing training quickly after any changes to the HIPAA standards occur
- Performing training whenever employees need to be up to date on the standards
The HIPAA Privacy Rule also spells out tracking the methods by which your organization performs its training. You must be able to show proof that you are meeting the guidelines in this rule for training.
How Frequently Should HIPAA Training Occur?
Frequency of training is not specifically listed in either rule, other than the requirement that employees must be up to date on their knowledge of HIPAA.
Ongoing training refreshes employees on the standards and keeps HIPAA regulations at the front of mind for employees. Training every 12 to 24 months typically will keep employees feeling comfortable in their knowledge of HIPAA regulations.
With a regular training schedule in place, your company may be able to address any changes to HIPAA seamlessly. For example, if you train annually, you may be able to train on changes to the law during your regular training session. If you train every two or three years, though, you may need to hold a special, extra training session between your regular training sessions to handle changes to the law.
How Long Should HIPAA Training Sessions Last?
The rules under HIPAA do not list a specific number of hours that employees must spend in training to remain in compliance with the law. Instead, the rules simply require that people undergoing HIPAA training must spend enough time in training to have a full understanding of HIPAA regulations.
It can be tempting to try to hold lengthy training sessions to ensure employees have all the information they need. However, you have to be careful that training is not so long that employees lose interest. For example, companies that provide training videos for HIPAA typically spend 15 to 30 minutes on a single video when they present a particular idea around HIPAA.
What Are the Penalties for Inadequate HIPAA Training?
The act does not call for assessing penalties for organizations and companies that fail to provide the necessary training related to HIPAA compliance. However, you could receive significant consequences if you have violations that result in a loss of PHI and if those violations occurred because of inadequate training.
Should your organization suffer some sort of loss of PHI, the state attorneys general and the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) may investigate the situation. Depending on the type of violation of HIPAA regulations, the length of the violation, and the nature of the violation, your organization could receive one of four different tiers of penalty severity.
- Tier 1: Tier 1 violations involve a lack of knowledge. These are violations where your organization was unaware of the potential violation and had no chance to avoid the violation. Fines start at $100 per violation with a maximum fine of $25,000 per calendar year. (Fine amounts could be subject to change, based on an inflation adjuster.)
- Tier 2: Tier 2 violations involve reasonable cause. These are violations where your organization should have known about the potential violation. The violation likely was preventable with better compliance with HIPAA rules. Fines start at $1,000 per violation with a maximum fine of $100,000 annually.
- Tier 3: Tier 3 violations differ from Tier 2 in that they constitute willful neglect on the part of the organization, resulting in the violation. To remain in Tier 3, the organization needed to make an effort to correct the violation. Fines start at $10,000 per violation with a maximum fine of $250,000 annually.
- Tier 4: Tier 4 violations constitute willful neglect from the organization with no effort to try to correct the problem. Tier 4 fines are $50,000 per violation with a maximum of $1.5 million per year.
If the investigators decide that a purposeful decision to not engage in training resulted in the violation, they could say this violation consists of willful neglect. This could result in a Tier 3 or a Tier 4 violation, leading to large financial penalties.
Violation investigations happen more frequently than you may think. Over a roughly 20-year period from 2003-2022, OCR investigated nearly 300,000 HIPAA violations, or about 15,000 violations annually.