HIPAA Training Requirements:
HIPAA regulations only provide some of the answers. HIPAA leaves much open to interpretation, so what must follow is a training process that reduces risk: one that covers a reasonable amount of training, over a reasonable range of topics, repeated at a reasonable interval, which in practice means annually.
Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5).
Who Needs to Have HIPAA Training
A common mistake we see in HIPAA training programs is that they are often too long, overload people with information they don’t need, and generally lean too heavily on technical computer jargon.
Our training programs are broken down into short segments, generally no longer than 15 minutes. We do this for attention span, but also to allow training to occur during the work day in slow periods. What matters more than time is the content of the training and how effectively and memorably the information is taught.
For business associates, training is different, yet the same. A business associate needs the same “big picture” understanding of HIPAA requirements, while recognizing that its staff may not come into contact with PHI very often.
The most common and important HIPAA privacy topics to train about include identifying PHI, the minimum necessary rule, the rules about when and how PHI may be disclosed, the importance of confidentiality, avoiding snooping (even when one has access to PHI), and the need to keep an accounting of disclosures.
Patient rights and authorization are important topics for many employees at covered entities. Basic information about business associate obligations is important for employees at BAs. And training should also discuss the consequences of failing to follow the HIPAA Privacy Rule.
HIPAA Security Reminders
It doesn’t get much more vague than that.
You could argue that once-a-year HIPAA Awareness Training would suffice. Technically, you would be correct.
Our solution is based on the fact that most people don’t absorb all of their training for long. So, rather than just “check that box”, we go the extra mile and put out monthly security reminders to all users.
Our Security Reminders cover current events that pertain to computer security or HIPAA-related incidents that have occurred. In each security reminder we then discuss how the issue applies to the medical office and what was done correctly.
This ongoing refresher on HIPAA compliance helps solidify and enhance the annual HIPAA awareness training.