Paubox blog: HIPAA compliant email made easy

Who needs to take HIPAA training?

Written by Sara Uzer | June 09, 2023

Providing HIPAA training is crucial to securing sensitive data and reducing the risk of data breaches. However, there can be some confusion around which individuals must take HIPAA training. 


What does HIPAA say about training? 

HIPAA requires training for all employees who access protected health information (PHI) in any capacity. This goes beyond doctors and nurses to include other healthcare staff such as administrators, front desk personnel, and clearinghouse employees.

It also applies to business associates, which are third-party organizations that provide services to a healthcare provider. Some examples are billing companies, IT professionals, and even lawyers who handle PHI through their casework for clients.


HIPAA training basics

Two separate HIPAA rules outline guidelines for HIPAA training. 

Under the HIPAA Privacy Rule, all covered entities must provide employees training on “privacy policies and procedures, as necessary and appropriate for them to carry out their functions.” 

The rule states that new employees should receive HIPAA training “within a reasonable period of time” of joining a covered entity. In addition, reminder training should be held when “functions are affected by a material change in policies and procedures.”

The Security Rule, on the other hand, applies to both covered entities and business associates. They are required to implement a security awareness and training program for each of their employees—regardless of whether they handle PHI. 

In terms of frequency, the Security Rule advises covered entities to make training an ongoing process. It should also be provided in response to a shift in workplace policies, new technology, or updated guidelines released by the Department of Health and Human Services (HHS).


What topics should HIPAA training cover? 

HIPAA is purposefully vague about what topics to include in awareness training programs. This is because PHI involvement varies widely by role.

At a basic level, HIPAA training should include an explanation of what HIPAA is, why it is important, and the right way to put safeguards in place. 

Some crucial privacy topics to cover are identifying PHI, HIPAA compliant email, understanding the minimum necessary rule, and the rules for disclosing confidential information. 

On the security side, important subjects include recognizing malicious software, authentication guidelines, and best practices for password management. 

HIPAA training should also cover the repercussions of failing to abide by these rules. These consequences include a loss of trust in your organization and costly HHS penalties. 

Due to the lack of specific instructions for HIPAA training, covered entities should periodically conduct risk assessments. This helps clarify how each employee interacts with PHI and determines what type of training is most relevant and necessary. 


Everyone should be trained in handling PHI

According to HIPAA, all members of the workforce who access PHI must undergo HIPAA training.