Cybersecurity Training and HIPAA
Which Employees Require HIPAA Training?
The HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308) stipulate that training should be provided to all members of the workforce, not only those who have contact with PHI or ePHI. That means not only employees but also agency staff, consultants, contractors, volunteers and temporary interns should receive training, whether or not their role gives them access to PHI.
However, whereas the HIPAA Security Rule applies to Covered Entities and Business Associates, the HIPAA Privacy Rule only applies to Covered Entities. Therefore, Business Associates only need to implement a security awareness and training program as required by the Security Rule – ensuring that all members of the workforce receive HIPAA training regardless of their role or function.
We constantly say “more is better than less.”
What HIPAA Training Should be Provided to Employees?
The HIPAA Privacy Rule requires each Covered Entity to develop policies and procedures designed to comply with the Rule’s standards and implementation specifications.
This implies that the content of HIPAA training will depend on which policies and procedures the Covered Entity has developed, and which of them are relevant to each employee carrying out their functions in compliance with HIPAA. At a minimum, your HIPAA training should cover these topics from § 164.308(a)(5):
- Security Reminders
- Protection from Malicious Software
- Log-in Monitoring
- Password Management
How can HIPAA Compliance Training for Employees be Provided?
These are the options:
Historically, HIPAA compliance training was classroom-based and led by an instructor – usually the HIPAA Privacy Officer or HIPAA Security Officer. However, classroom-based training is often ineffective because there is so much HIPAA material to cover in a single session; if you choose this option, we believe you need to test all attendees and keep records of their passed test results.
The other option is online training, particularly for patient-facing employees, covering areas of HIPAA such as the provision of Privacy Notices, Patients’ Rights under HIPAA, the Minimum Necessary Standard, using technologies such as EHRs compliantly, and the Breach Notification Rule.
Video lessons let users pause the video and take notes, and they also provide a visual explanation of the HIPAA rules, which leads to more engagement and better retention. Unfortunately, HIPAA training videos can be impractical if they are not relevant to each employee’s role, because of the extensive range of compliance topics to cover.
Therefore, we suggest a compromise: mixing and matching online and on-site modules is a far more effective way for Covered Entities and Business Associates to comply with the HIPAA training requirements.
When should you provide HIPAA Training for Employees?
Covered Entities are required to provide training on HIPAA policies and procedures “within a reasonable period after a person joins the Covered Entity’s workforce” and whenever “functions are affected by a material change in the policies or procedures.” We recommend using HIPAA training as an onboarding tool.
Moreover, Covered Entities and Business Associates should incorporate HIPAA training for employees into their risk analyses. This practice helps identify any further training that workforce members need in order to prevent unauthorized uses and disclosures of PHI.
We offer some of the most cost-effective HIPAA and cybersecurity training available anywhere. Call us to see how we can help.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.