HIPAA Training Requirements

August 1st, 2017 - Wyn Staheli
Categories:   HIPAA|PHI  
0 Votes - Sign in to vote or comment.

There are some commonly asked questions regarding HIPAA training requirements.

To answer these questions, we begin by reviewing the official text of both the HIPAA Privacy and the Security Rules to understand what is required by law. Interestingly, they are worded differently on this subject:

HIPAA Privacy Rule
45 CFR § 164.530(b)(1)

45 CFR §164.530 Administrative requirements.

(b)    (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section. 

HIPAA Security Rule
45 CFR § 164.308(a)(5)

45 CFR § 164.308 Administrative safeguards

(a) A covered entity or business associate must, in accordance with §164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. . . .

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

    (ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Keep in mind that when the Security Rule says "Addressable" it means that the item must be addressed. It is NOT optional. It should be carefully evaluated to see how the requirements fit into your organization and then your organization's policy regarding that requirement must be documented in your HIPAA Compliance Manual. For example, item a.5.ii.A "Security reminders" states "periodic security updates." Your documentation should state how often security reminders/updates are performed.

Q: Which employees need HIPAA training?

A: EVERYONE! Anyone who comes into contact with protected health information (PHI) needs to be trained - this includes healthcare providers, ancillary staff, administrators, and business associates - literally EVERYONE!

Q: What topics must covered entities address in employee training?

A: The Privacy Rule states; "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information...as necessary and appropriate for the members of the workforce to carry out their functions.” Your workforce needs to know how to protect the PHI that they come into contact with during their workday. They need to understand what health information is protected, how to protect it and what to do when there are possible violations of privacy.

The Security Rule says that training needs to cover security awareness, which includes security reminders; procedures for guarding against, detecting and reporting malicious software; procedures for monitoring log in attempts and discrepancies; and password management. These are the bare minimum topics that must be covered.

Recent OIG settlement reports of HIPAA violations and breaches, clearly indicate that HIPAA Privacy and Security requirements are still not clearly understood or followed. It is essential that employees understand all applicable HIPAA policy and procedures established by your organization (preferably not in one sitting) so that there are no misunderstandings and your organization knows what they need to do to ensure compliance.

The following are some important topics which should be included as part of ongoing HIPAA training:

Q: How often should I be holding HIPAA training for my employees?

A: Again, the Security and Privacy Rules are different. In plain English, the Privacy Rule requirements are:

As for the Security Rule, it states that training needs to be "periodic," but doesn't provide any further guidance on WHAT that means. It is left up to the organization to make that determination.

We recommend that ongoing HIPAA training take place, preferably every 6 months (annually at the minimum); because let's face it, we are human and we tend to forget. We all need to be reminded of why HIPAA is important. Additionally, if the Department of Human Services (HHS) releases new guidelines or if HIPAA rules are updated, revised, or released; additional training must take place within the time frame as outlined by HHS even if you just finished HIPAA training. Ongoing training should NOT be a re-hashing of the same information in the last training session. Mix it up, show some videos, do some role-play scenarios, use some examples from your organization to make it meaningful and memorable.

Q: How long should HIPAA training be?

A. The HIPAA Rule doesn’t specify any time requirements. Use good judgment and keep in mind that too short (10-15 minutes) is just as bad as too long (over an hour). It's actually better to break it up into short segments (less than an hour) because people will remember it better. For example, take some of the HIPAA components and have a 30 minute training on just those components. At another date, cover additional topics for another 30-45 minute session. These are just some examples to consider when planning your organization's ongoing HIPAA training.

Q: What exactly do I need to document?

A: HIPAA Rules don't specify what needs to be documented, only that it needs to be documented. Based on HIPAA audits, your HIPAA training documentation should be an easily accessible log which includes the following:

Complete and Easy HIPAA Compliance includes a HIPAA Policies and Procedures template, an Employee Training Log and numerous other forms to help your organization achieve and maintain HIPAA compliance.


Questions, comments?

If you have questions or comments about this article please contact us.  Comments that provide additional related information may be added here by our Editors.

Latest articles:  (any category)

Don't Let Your QPro Certification(s) Expire! Your Certifications Matter!
June 20th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
Hello QPro Members, Just a friendly reminder!                                                                                        ...
How to Properly Report Monitoring Patients Taking Blood-thinning Medications
June 18th, 2019 - Wyn Staheli, Director of Research
Codes 93792 and 93792, which were added effective January 1, 2019, have specific guidelines that need to be followed. This article provides some guidance and tips on properly reporting these services.
A United Approach
June 14th, 2019 - Namas
A United Approach As auditors, we all have a different perspective when evaluating documentation. It would be unreasonable to think that we all view things the same way. In my opinion, differing perspectives are what makes a great team because you can coalesce on a particular chart, work it through and ...
Documentation of E/M services for Neurology (Don't Forget the Cardiology Element)
June 13th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
According to Neurology Clinical Practice and NBIC, the neurologic exam is commonly lacking in documentation due to the extensive requirements needed to capture the appropriate revenue. With the lack of precise documentation, it results in a lower level of E/M than that which is more appropriate, which can cost a physician a lot ...
Medicare Now Reimburses for Remote Monitoring Services (G2010)
June 13th, 2019 - Aimee Wilcox, CPMA, CCS-P, CST, MA, MT, Director of Content
Medicare's 2019 Final Rule approved HCPCS code G2010 for reimbursement, which allows providers to be paid for remote evaluation of images or recorded video submitted to the provider (also known as "store and forward") to establish whether or not a visit is required. This allows providers to get paid for ...
Now is Your Chance to Speak Up! Tell CMS What You Think!
June 13th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
CMS is asking for your input, we all have ideas on how we would change healthcare documentation requirements and get rid of the burdensome requirements and regulations if it were up to us, so go ahead, speak up! Patients over Paperwork Initiative is being looked at to help significantly cut ...
Spotlight: Anatomy Images
June 13th, 2019 - Brittney Murdock, QCC, CMCS, CPC
When viewing CPT codes, Find-A-Code offers detailed anatomy images and tables to help with coding. For example 28445 offers a table with information to assist classification of gustilo fractures: Click on the image preview from the code information page to expand the image.

About Codapedia & Find-A-Code Contact Us Terms of Use Privacy Policy Advertise with Us

Codapedia™/Find-A-Code™ - 62 E 300 North, Spanish Fork, UT 84660 - Phone 801-770-4203 (9-5 Mountain) - Fax (801) 770-4428

Copyright © 2009-2019 Find A Code, LLC - CPT® copyright American Medical Association