Office for Civil Rights Guidelines on Training
Privacy Rule Training Requirement
A statement from the Office for Civil Rights (OCR) on the administrative requirements of HIPAA (§ 164.530) gives clear guidance on requirements for training.
A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by the Privacy Rule.
“Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
All workforce members who access protected health information must have HIPAA training to carry out their functions.
Security Rule Training Requirement
The OCR's statement addressing the Security Rule requirement:
“Implement a security awareness and training program for all members of its workforce (including management).”
An ongoing training program addressing the Security Rule is required for all workforce members.
How Often is Training Necessary
HIPAA training is required by the Privacy Rule for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and when “functions are affected by a material change in policies or procedures” – again within a reasonable period.
The Security Rule training standard indicates that security and awareness training programs should be ongoing.
HIPAA training should also be provided whenever there is a change in working practices or technology, whenever a risk assessment identifies a need for further training, or whenever new rules or guidelines are issued by the Department of Health and Human Services (HHS).
Based on these conditions and best practices, an organization should offer training at least every other year, if not more often.
- A covered entity must provide training to each member of the covered entity’s workforce no later than the compliance date for the covered entity.
- Each new member of the workforce must be trained within a reasonable period after the person joins the covered entity’s workforce.
- A covered entity must train each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures within a reasonable period after the material change becomes effective. This should happen
- A covered entity must document that the training has been provided.