HIPAA has very in-depth training requirements which are often a source of many questions and confusion. Do they apply to my? What topics must be covered during training? Do business associates need to have HIPAA training? Which employees must be trained under HIPAA? How often must people be trained? How long should a HIPAA training course be?

HIPAA regulations only provide some of the answers. HIPAA leaves much open to interpretation, and what must follow is a process of training that reduces risk covers what is considered a reasonable amount of training, over a reasonable range of topics accomplished in a reasonably repetitive manner – annual.

Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5).

HIPAA training regulations require that both covered entities and business associates provide HIPAA training to members of their workforce who handle PHI. This means that even small physician’s offices need to train their personnel on HIPAA. Doctors need to be trained. Nurses need to be trained. Business associates — and any of their subcontractors — must have training. Generally, anyone who comes into contact with protected health information (PHI) must be trained…really anyone who might come into contact, needs to have training.

A common mistake we see in HIPAA training programs is that they are often too long and overload people with information they don’t need, and generally are too computer lingo technical.

Our training programs are broken down into short segments, generally no longer than 15 minutes. We do this for attention span, but also to allow training to occur during the work day in slow periods. What matters more than time is the content of the training and how effectively and memorably the information is taught.

We break our training down into a few segmented areas. Everybody needs to have a “big picture” understanding of what is required, yet not everyone needs the same level of detail in the training.

For business associates, training is different, yet the same. A business associate needs to have the same “big picture” understanding of HIPAA requirements, while understanding they may not come into contact with PHI very often.

The most common and important HIPAA privacy topics to train about include identifying PHI, the minimum necessary rule, the rules about when and how PHI may be disclosed, the importance of confidentiality, avoiding snooping (even when one has access to PHI), and the need to keep an accounting of disclosures.

Patient rights and authorization are important topics for many employees at covered entities. Basic information about business associate obligations is important for employees at BAs. And training should also discuss the consequences of failing to follow the HIPAA Privacy Rule.