Is HIPAA Training Required?

This article was written by Healthcare Attorney and HIPAA Specialist Erin Gilmer.

HIPAA requires training for all covered entities and business associates. But what do the laws mean by training? How often is training needed? What should be included in training?

The truth is that, other than when training is required, the laws are vague about what that training must consist of. I recommend training about once a year and whenever there are changes to the laws, both to stay current and as a good refresher.

I recommend that training for therapists include an explanation of the Privacy Rule, the Security Rule, the Breach Notification Rule, and the HITECH Act provisions. Privacy training should describe protected health information (PHI), issues around sharing PHI, ideas for keeping PHI private, what to do if there is a privacy breach, and patients’ rights. Security training should cover administrative safeguards, physical safeguards, technical safeguards, business associates and business associate agreements, and reporting security breaches. While this is a lot for a ‘bare minimum’ training, it is required by HIPAA.

Remember, there are steep consequences for non-compliance. Lack of training has resulted in large fines from the US Department of Health and Human Services, including a recent fine of $150,000 for a medical practice that did not train its employees on policies and procedures for breach notification. Not only is training important because of the legal consequences, but it also keeps a therapist practicing at the highest standards of confidentiality, which in turn ensures clients’ trust.

(Thanks again to Erin Gilmer for this article!)