The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is a monumental law that was originally passed to increase the efficiency of the healthcare system. However, it is also full of broad, vague requirements and mandates for both covered entities and business associates to follow. You may know that HIPAA training is required by the law, but aren’t sure what exactly that means. We’ll try to help by looking at what the text of HIPAA actually has to say and what that means for your organization setting training standards.
What does HIPAA actually say about training?
The training standards are set out separately under the Privacy Rule and the Security Rule; the exact text can be read here.
Under the Privacy Rule, every member of the workforce must be trained by the date the organization reaches compliance, and each new employee must be trained within a reasonable period after their hire date. Additionally, organizations should provide extra training whenever there is an important change in policy. As all of this is completed, covered entities should document that the training took place and meets the required standards.
The Security Rule, on the other hand, simply states that a “security awareness and training program” should be introduced that covers security reminders, protection from malicious software, log-in monitoring and password management. Each of these topics is considered “addressable” rather than “required”, which means the law gives organizations the flexibility to use their own discretion in choosing the security controls that accomplish that objective.
Who needs to complete HIPAA training?
HIPAA requires both covered entities and business associates to have every employee who could potentially access protected health information (PHI) complete regular HIPAA training. To put it as simply as possible - anyone who could come into contact with PHI during the course of their job should be trained in the requirements of HIPAA.
How often is HIPAA training required?
Although this is another area where the law is vague, it is important that training recurs, so that employees stay up to date with any changes to the law or to company compliance policy and are refreshed on anything they may have forgotten. The industry standard is to conduct HIPAA training annually, so that any updates to the law can be included and employees do not have time to forget the crucial information.
How long should HIPAA training be?
Just as with training overall, HIPAA does not specify any required length for the training. Adequate training must be long enough to convey all of the crucial information the employee needs in order to understand the relevant aspects of HIPAA. When videos or training sessions are too long, they may lose the attention of the person taking the training, which can result in less information being retained.
What are the consequences for inadequate training?
There is no direct penalty or fine issued solely for inadequate or non-existent HIPAA training. However, training is one of the key safeguards that should be used to prevent breaches of PHI. Therefore, if a breach does occur and a subsequent audit of the organization makes it clear that training has not been prioritized, the fine may be larger, because this tells the Office for Civil Rights (OCR) that the breach could have been prevented.
Training is a crucial part of HIPAA compliance, as it brings all parties up to date on the steps that need to be taken to guarantee the privacy and security of PHI. Training educates employees on the details of the act and helps them understand their role in compliance. Accountable’s mission is to break down the complicated and vague nature of HIPAA into an easy-to-follow framework - starting with our online HIPAA training. Watch all the training videos, pass the quiz and receive a training certificate - it’s just that easy!