HIPAA Training Requirements

August 1st, 2017 - Wyn Staheli
Categories:   HIPAA|PHI  

There are some commonly asked questions regarding HIPAA training requirements.

  • Which employees need HIPAA training?
  • What topics must covered entities address in employee training?
  • How often should I be holding HIPAA training?
  • How long should HIPAA training be?
  • What exactly do I need to document?

To answer these questions, we begin by reviewing the official text of both the HIPAA Privacy and the Security Rules to understand what is required by law. Interestingly, they are worded differently on this subject:

HIPAA Privacy Rule
45 CFR § 164.530(b)(1)

45 CFR §164.530 Administrative requirements.

(b)    (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section. 

HIPAA Security Rule
45 CFR § 164.308(a)(5)

45 CFR § 164.308 Administrative safeguards

(a) A covered entity or business associate must, in accordance with §164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. . . .

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

    (ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Keep in mind that when the Security Rule says "Addressable" it means that the item must be addressed. It is NOT optional. It should be carefully evaluated to see how the requirements fit into your organization and then your organization's policy regarding that requirement must be documented in your HIPAA Compliance Manual. For example, item a.5.ii.A "Security reminders" states "periodic security updates." Your documentation should state how often security reminders/updates are performed.

Q: Which employees need HIPAA training?

A: EVERYONE! Anyone who comes into contact with protected health information (PHI) needs to be trained - this includes healthcare providers, ancillary staff, administrators, and business associates - literally EVERYONE!

Q: What topics must covered entities address in employee training?

A: The Privacy Rule states; "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information...as necessary and appropriate for the members of the workforce to carry out their functions.” Your workforce needs to know how to protect the PHI that they come into contact with during their workday. They need to understand what health information is protected, how to protect it and what to do when there are possible violations of privacy.

The Security Rule says that training needs to cover security awareness, which includes security reminders; procedures for guarding against, detecting and reporting malicious software; procedures for monitoring log in attempts and discrepancies; and password management. These are the bare minimum topics that must be covered.

Recent OIG settlement reports of HIPAA violations and breaches, clearly indicate that HIPAA Privacy and Security requirements are still not clearly understood or followed. It is essential that employees understand all applicable HIPAA policy and procedures established by your organization (preferably not in one sitting) so that there are no misunderstandings and your organization knows what they need to do to ensure compliance.

The following are some important topics which should be included as part of ongoing HIPAA training:

  • Handling problems with and understanding the issues associated with malware, ransomware, mobile device security, phishing, and email attachments
  • Understand your "Record Retention and Destruction" policy
  • Text messaging
  • How to properly use social media while protecting PHI
  • How to properly secure mobile devices
  • State requirements for protecting patient information
  • How to properly handle PHI in emergency situations (your contingency plan)

Q: How often should I be holding HIPAA training for my employees?

A: Again, the Security and Privacy Rules are different. In plain English, the Privacy Rule requirements are:

  • People who are new to your organization MUST be trained on your HIPAA Policies and Procedures within a 'reasonable time' after  they are hired. That time can be chosen by the CE, but must be specified in their Policies and Procedures; reasonable is likely 30-60 days after their hire date, but that time is not specified in the law.
  • Whenever there is a change to the HIPAA laws, there will be a specified compliance date stated in the law. Training regarding the new law must happen before the deadline.
  • When there are changes to your office Policies and Procedures, as it relates to HIPAA and as it pertains to their responsibilities; there must be training regarding the change.

As for the Security Rule, it states that training needs to be "periodic," but doesn't provide any further guidance on WHAT that means. It is left up to the organization to make that determination.

We recommend that ongoing HIPAA training take place, preferably every 6 months (annually at the minimum); because let's face it, we are human and we tend to forget. We all need to be reminded of why HIPAA is important. Additionally, if the Department of Human Services (HHS) releases new guidelines or if HIPAA rules are updated, revised, or released; additional training must take place within the time frame as outlined by HHS even if you just finished HIPAA training. Ongoing training should NOT be a re-hashing of the same information in the last training session. Mix it up, show some videos, do some role-play scenarios, use some examples from your organization to make it meaningful and memorable.

Q: How long should HIPAA training be?

A. The HIPAA Rule doesn’t specify any time requirements. Use good judgment and keep in mind that too short (10-15 minutes) is just as bad as too long (over an hour). It's actually better to break it up into short segments (less than an hour) because people will remember it better. For example, take some of the HIPAA components and have a 30 minute training on just those components. At another date, cover additional topics for another 30-45 minute session. These are just some examples to consider when planning your organization's ongoing HIPAA training.

Q: What exactly do I need to document?

A: HIPAA Rules don't specify what needs to be documented, only that it needs to be documented. Based on HIPAA audits, your HIPAA training documentation should be an easily accessible log which includes the following:

  • What - the topics that were covered
  • When - include the date and the duration of  the training
  • Who - which employees were active participants (testing and test scores are not required for the log but they can be helpful for the organization to find out what topics are still not understood)

Complete and Easy HIPAA Compliance includes a HIPAA Policies and Procedures template, an Employee Training Log and numerous other forms to help your organization achieve and maintain HIPAA compliance.

###

Questions, comments?

If you have questions or comments about this article please contact us.  Comments that provide additional related information may be added here by our Editors.


Latest articles:  (any category)

Artificial Intelligence in Healthcare - A Medical Coder's Perspective
December 26th, 2023 - Aimee Wilcox
We constantly hear how AI is creeping into every aspect of healthcare but what does that mean for medical coders and how can we better understand the language used in the codeset? Will AI take my place or will I learn with it and become an integral part of the process that uses AI to enhance my abilities? 
Specialization: Your Advantage as a Medical Coding Contractor
December 22nd, 2023 - Find-A-Code
Medical coding contractors offer a valuable service to healthcare providers who would rather outsource coding and billing rather than handling things in-house. Some contractors are better than others, but there is one thing they all have in common: the need to present some sort of value proposition in order to land new clients. As a contractor, your value proposition is the advantage you offer. And that advantage is specialization.
ICD-10-CM Coding of Chronic Obstructive Pulmonary Disease (COPD)
December 19th, 2023 - Aimee Wilcox
Chronic respiratory disease is on the top 10 chronic disease list published by the National Institutes of Health (NIH). Although it is a chronic condition, it may be stable for some time and then suddenly become exacerbated and even impacted by another acute respiratory illness, such as bronchitis, RSV, or COVID-19. Understanding the nuances associated with the condition and how to properly assign ICD-10-CM codes is beneficial.
Changes to COVID-19 Vaccines Strike Again
December 12th, 2023 - Aimee Wilcox
According to the FDA, CDC, and other alphabet soup entities, the old COVID-19 vaccines are no longer able to treat the variants experienced today so new vaccines have been given the emergency use authorization to take the place of the old vaccines. No sooner was the updated 2024 CPT codebook published when 50 of the codes in it were deleted, some of which were being newly added for 2024.
Updated ICD-10-CM Codes for Appendicitis
November 14th, 2023 - Aimee Wilcox
With approximately 250,000 cases of acute appendicitis diagnosed annually in the United States, coding updates were made to ensure high-specificity coding could be achieved when reporting these diagnoses. While appendicitis almost equally affects both men and women, the type of appendicitis varies, as dose the risk of infection, sepsis, and perforation.
COVID Vaccine Coding Changes as of November 1, 2023
October 26th, 2023 - Wyn Staheli
COVID vaccine changes due to the end of the PHE as of November 1, 2023 are addressed in this article.
Medicare Guidance Changes for E/M Services
October 11th, 2023 - Wyn Staheli
2023 brought quite a few changes to Evaluation and management (E/M) services. The significant revisions as noted in the CPT codebook were welcome changes to bring other E/M services more in line with the changes that took place with Office or Other Outpatient Services a few years ago. As part of CMS’ Medicare Learning Network, the “Evaluation and Management Services Guide” publication was finally updated as of August 2023 to include the changes that took place in 2023. If you take a look at the new publication (see references below),....



Home About Terms Privacy

innoviHealth® - 62 E 300 North, Spanish Fork, UT 84660 - Phone 801-770-4203 (9-5 Mountain)

Copyright © 2000-2024 innoviHealth Systems®, Inc. - CPT® copyright American Medical Association