HIPAA Training Requirements:

HIPAA has very in-depth training requirements which are often a source of many questions and confusion. Do they apply to my? What topics must be covered during training? Do business associates need to have HIPAA training? Which employees must be trained under HIPAA? How often must people be trained? How long should a HIPAA training course be?

HIPAA regulations only provide some of the answers. HIPAA leaves much open to interpretation, and what must follow is a process of training that reduces risk covers what is considered a reasonable amount of training, over a reasonable range of topics accomplished in a reasonably repetitive manner – annual.

Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5).

Who Needs to Have HIPAA Training

HIPAA training regulations require that both covered entities and business associates provide HIPAA training to members of their workforce who handle PHI. This means that even small physician’s offices need to train their personnel on HIPAA. Doctors need to be trained. Nurses need to be trained. Business associates — and any of their subcontractors — must have training. Generally, anyone who comes into contact with protected health information (PHI) must be trained…really anyone who might come into contact, needs to have training.

A common mistake we see in HIPAA training programs is that they are often too long and overload people with information they don’t need, and generally are too computer lingo technical.

Our training programs are broken down into short segments, generally no longer than 15 minutes. We do this for attention span, but also to allow training to occur during the work day in slow periods. What matters more than time is the content of the training and how effectively and memorably the information is taught.

best online hipaa training
We break our training down into a few segmented areas. Everybody needs to have a “big picture” understanding of what is required, yet not everyone needs the same level of detail in the training.

For business associates, training is different, yet the same. A business associate needs to have the same “big picture” understanding of HIPAA requirements, while understanding they may not come into contact with PHI very often.

The most common and important HIPAA privacy topics to train about include identifying PHI, the minimum necessary rule, the rules about when and how PHI may be disclosed, the importance of confidentiality, avoiding snooping (even when one has access to PHI), and the need to keep an accounting of disclosures.

Patient rights and authorization are important topics for many employees at covered entities. Basic information about business associate obligations is important for employees at BAs. And training should also discuss the consequences of failing to follow the HIPAA Privacy Rule.

Automated security reminders for hipaa

HIPAA Security Reminders

45 CFR 164.308(a)(5)(ii)(B) states that Security Reminders are “Periodic security updates.”
It doesn’t get much more vague than that.

You could argue that once a year, with HIPAA Awareness Training would suffice. Technically you would be correct.

Our solution is based on the fact that most people don’t absorb all of their training for long. So, rather than just “check that box”, we go the extra mile and put out monthly security reminders to all users.

Our Security Reminders cover current events, that pertain to computer security or HIPAA based events that occurred. We then discuss in our security reminder how the issue pertains to the medical office, and what was done correctly.

This ongoing refresher if HIPAA compliance helps solidify and enhance the annual HIPAA awareness training.