Every organization that must comply with HIPAA must conduct employee training; if you work for such an organization, you must have regular HIPAA training.
What organizations have to comply with HIPAA? The short answer is any US-based organization that processes, stores, or transmits protected health information. Protected health information (PHI) is health-related data that is identifiable or health-related data that is combined with personally identifiable information (PII).
The long answer is a little more nuanced. Technically, PHI is created during the provision or delivery of a health care service. PHI always originates from one of three types of entities, which HIPAA calls Covered Entities:
If you work for one of those types of organizations, you must comply with HIPAA and must receive HIPAA training.
In addition to Covered Entities, organizations that provide services or products to Covered Entities must comply with HIPAA. These organizations are called Business Associates. Examples include EHRs, telemedicine platforms, clinical communications tools, and other technology vendors with Covered Entity customers.
HIPAA defines training requirements in two places: one within the Privacy Rule and one within the Security Rule, the two major sections of HIPAA. In both definitions, the specifics of the training are vague and largely open to interpretation. It’s important to remember that HIPAA applies to a wide variety of entities, from individual medical providers to large insurance companies to modern technology companies. This is why the training required by HIPAA is vague. More on this later.
Here is the specific language from HIPAA:
The two training sections are wordy but simple to interpret. HIPAA requires:
These are not the same, though in practice many organizations only have one HIPAA training, and that training does not meet both of these requirements. Compliance training, or training on policies and procedures, is different from security awareness training. Policies and procedures define the why and the how, while security awareness should be the practical implementation (things like password hygiene).
HIPAA training should be conducted at onboarding for new employees, when changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.
Most organizations do not offer effective HIPAA training to their workforces. Current approaches to HIPAA training are outdated, generic, infrequent, and do not practically apply to the day-to-day work of employees. Employees represent the largest threat to corporate systems and data and are the most common cause of security incidents and data breaches. It has never been more important to get HIPAA training right.
At Day Zero, our team has created and taken part in HIPAA training across every category of Covered Entity and Business Associate. In order to be successful with training, and to limit the risk to organizations, HIPAA training needs to be built into the culture of the organization. In our experience, the following elements are essential aspects of effective HIPAA training.
Below are some links to learn more about HIPAA training.