HIPAA Training Requirements

Training is required in order to comply with the rules of HIPAA.


Do you need HIPAA training?

Every organization that must comply with HIPAA must conduct employee training; if you work for such an organization, you must have regular HIPAA training.

What organizations have to comply with HIPAA? The short answer is any US-based organization that processes, stores, or transmits protected health information. Protected health information (PHI) is health-related data that is identifiable or health-related data that is combined with personally identifiable information (PII).

The long answer is a little more nuanced. Technically, PHI is created during the provision or delivery of a health care service. PHI always originates from one of three types of entities, which HIPAA calls Covered Entities:

  • health insurance companies;
  • health care providers; and
  • health care clearinghouses (basically companies that exchange health care insurance payments).

If you work for one of those types of organizations, you must comply with HIPAA and must receive HIPAA training.

In addition to Covered Entities, organizations that provide services or products to Covered Entities must comply with HIPAA. These organizations are called Business Associates. Examples are things like EHRs, telemedicine platforms, clinical communications tools, and other technology vendors with Covered Entity customers.

What training does HIPAA require?

HIPAA defines training requirements in two places: one within the Privacy Rule and one within the Security Rule (the two major sections of HIPAA). In both definitions, the specifics of the training are vague and largely open to interpretation. It’s important to remember that HIPAA applies to a wide variety of entities, from individual medical providers to large insurance companies to modern technology companies. This is why the training required by HIPAA is vague. More on this later on.

Here is the specific language from HIPAA:

  • Privacy Rule - (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
  • (2) Implementation specifications: Training.
    • (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
      • (A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
      • (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
      • (C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
    • (ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
  • Security Rule - (i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

The two training sections are wordy but simple to interpret. HIPAA requires:

  • Training on compliance policies and procedures; and
  • Training on security awareness.

These are not the same, though in practice many organizations only have one HIPAA training, and that training does not meet both of these requirements. Compliance training, or training on policies and procedures, is different from security awareness training. Policies and procedures define the why and the how, while security awareness training should cover the practical implementation (things like password hygiene).

HIPAA training should be conducted at onboarding for new employees, when changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.

What does effective HIPAA training look like?

Most organizations do not offer effective HIPAA training to their workforces. Current approaches to HIPAA training are outdated, generic, infrequent, and do not practically apply to the day-to-day work of employees. Employees represent the largest threat to corporate systems and data and are the most common cause of security incidents and data breaches. It has never been more important to get HIPAA training right.

At Day Zero, our team has created and taken part in HIPAA training across every category of Covered Entity and Business Associate. In order to be successful with training, and to limit the risk to organizations, HIPAA training needs to be built into the culture of the organization. In our experience, the following elements are essential aspects of effective HIPAA training.

  • Simple words. Technical jargon should not be used. Most employees don’t need to talk to auditors or interpret compliance frameworks. They need training they can understand.
  • Ongoing. Training starts at onboarding but should be continually delivered in snippets on a regular, at least monthly basis.
  • Specific to employee role. Training software developers on how to handle medical records is useless. Training doctors on the secure development lifecycle is equally useless. Training customer support in designing compliance programs is useless. Specific training curricula and snippets should be tailored to the specific roles of employees.
  • Engaging. Training should not be static. Employees should be asked to participate with feedback and fun quizzes.
  • Relevant to modern work. Work is done on computers in the office and on employee-owned phones at home. HIPAA training needs to take this into account and incorporate lessons that apply to all of these settings.

Day Zero offers HIPAA training that ensures all of the above. In addition, we provide metrics to continually gauge and improve compliance training. Our customers lean on us to build a culture of privacy across their entire workforce. We are 100% focused on making sure your employees are properly trained and you have the proof you need to comply with HIPAA.

Resources for HIPAA training

Below are some links to learn more about HIPAA training.