Training typically occurs within 30–60 days of hiring new personnel. Then, annual training is required to inform employees about significant changes to policies or procedures.
No additional training is needed for one year after completing the initial training. Following this timeframe, when covered entities’ policies or procedures are modified, employees trained before that point will require an additional 60 minutes of training, covering all relevant areas, including HIPAA privacy, security, and breach notification.
The training should be tailored to the type and amount of Protected Health Information (PHI) each employee can access. Covered entities must document all training activities for at least six years.
Scope of HIPAA Training for Non-Clinical Personnel
Many mistakenly believe HIPAA applies only to healthcare providers and clinical personnel. However, non-clinical staff with PHI access are also subject to HIPAA. These include:
-
IT personnel
-
Human Resources staff
-
Billing clerks
-
Front office employees
-
Maintenance staff
Risks of inadequate training:
-
HIPAA violations can result in penalties from $50,000 to $1.5 million annually.
-
PHI breaches may result in notifications to affected individuals and reputational damage.
This section covers:
-
Who requires HIPAA training
-
What to include in training
-
Timing of training
-
Documentation and retention requirements
Scope of HIPAA “Workforce”: Who Counts?
HIPAA defines “workforce” broadly, including all personnel involved with a Covered Entity (CE) or Business Associate (BA).
Definition:
“[A]nyone who executes material or physical services in the name of a covered entity (or business associate), including employees, trainees, students, and anybody else whose duties are supervised directly by the covered entity (or business associate).” [45 CFR § 160.103]
This includes:
-
Employees
-
Contractors
-
Interns
-
Volunteers
-
Temporary staff
Role-Based Training: Tailoring Content to Job Functions
One-size-fits-all HIPAA training is ineffective and inefficient. Training should be tailored to each employee’s role and level of PHI access.
Training Matrix by Role
| Role Category | Privacy Rule | Security Rule | Breach Notification | Role-Specific Topics | Duration |
|---|---|---|---|---|---|
| IT Staff | ✓ (Basic) | ✓✓✓ (Advanced) | ✓✓ (Detailed) | Technical safeguards, encryption, access controls | 90–120 min |
| HR Staff | ✓✓ (Detailed) | ✓ (Basic) | ✓ (Basic) | Employee health records, FMLA, ADA | 60–90 min |
| Administrative/Billing | ✓✓✓ (Advanced) | ✓ (Basic) | ✓✓ (Detailed) | Minimum necessary, patient rights, billing disclosures | 60–90 min |
| Facilities/Support | ✓ (Basic) | ✓ (Basic) | ✓ (Basic) | Recognizing PHI, proper disposal, incident reporting | 30–45 min |
Documentation Requirements
HIPAA compliance requires documenting employee training for at least six years [45 CFR § 164.530(j)].
Required Documentation Elements:
-
Who received training: Name and job title
-
When training occurred: Completion date
-
What was learned: Description of content or curriculum
-
Proof of understanding: Certificate of completion or acknowledgment
-
Assessment results: Quiz or test scores
Best Practices for Documenting Training
-
Use a Learning Management System (LMS) to track training completion electronically.
-
Ensure employees understand and retain the content.
-
Provide certificates of completion and store securely.
-
Maintain an up-to-date log of required and completed training.
-
Review training records regularly to identify additional needs.
Common Obstacles and Solutions
1. Non-Healthcare Staff Not Trained on PHI
-
Problem: Only clinical staff are trained.
-
Solution: Conduct a workforce assessment to identify non-clinical personnel with PHI access and require training.
2. One-Size-Fits-All Training
-
Problem: General training does not address role-specific risks.
-
Solution: Develop role-based education programs addressing HIPAA obligations for each function.
3. Inadequate Documentation
-
Problem: Training is provided, but documentation is insufficient.
-
Solution: Implement a solid documentation process and retain records for at least six years.
4. Only Onboarding Training Provided
-
Problem: Initial training only, no refreshers despite policy/system changes.
-
Solution: Provide annual refresher training and additional training as necessary when policies or systems are updated.
Conclusion
HHS requires all employees with PHI access to complete HIPAA training to maintain compliance.
Key points:
-
Non-clinical employees, including IT, HR, and administrative staff, must be trained.
-
Training must align with employee roles and PHI access levels.
-
Proper documentation and retention ensures compliance and protects both patients and the organization.
A comprehensive HIPAA training program reduces risks, maintains patient privacy, and safeguards your organization from penalties.
