I was recently asked how often an employer is required to provide HIPAA privacy training to employees.
It does not appear that the regulations specify a certain training frequency or content.
Instead, the regulations generally state that a “covered entity” must train all members of its workforce on the covered entity’s privacy policies and procedures, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
What is a covered entity?
A covered entity is generally defined as a (i) health plan, (ii) health care clearinghouse, (iii) health care provider that conducts certain types of transactions in electronic form, and (iv) endorsed sponsors of the Medicare prescription drug discount card.
Who does a covered entity have to provide HIPAA training to?
Specifically, the rules state that covered entities must:
- Provide training to each member of the covered entity’s workforce by the covered entity’s compliance date;
- Provide training to each new member of the workforce within a reasonable time after the person joins the workforce;
- Retrain each member of the workforce whose functions are affected by a material change in the covered entity’s privacy policies and procedures, within a reasonable time after the material change becomes effective; and
- Document that the training has been provided.
What is considered a reasonable time?
“Reasonable time” is not defined. However, “workforce” is defined broadly to include employees, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity. According to the HHS, an independent contractor may also be part of a covered entity’s workforce.
How often should you provide HIPAA Privacy Training?
As a best practice, it would probably be prudent to provide annual HIPAA training and training to new workforce members within three to six months of the date such individual joins the covered entity’s workforce.
This summary is intended to be informational and does not constitute legal advice. Hamby Benefits Law, LLC recommends that you consult with ERISA legal counsel to ensure that (i) your company’s HIPAA privacy training adequately and accurately informs employees of all necessary HIPAA requirements, and (ii) your company has procedures in place for regular HIPAA training and updates for new and current employee
Hall Benefits Law, LLC