Frequency of HIPAA Privacy Training

I was recently asked how often an employer is required to provide HIPAA privacy training to employees.

It does not appear that the regulations specify a certain training frequency or content.

Instead, the regulations generally state that a “covered entity” must train all members of its workforce on the covered entity’s privacy policies and procedures, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

What is a covered entity?

A covered entity is generally defined as (i) a health plan, (ii) a health care clearinghouse, (iii) a health care provider that conducts certain types of transactions in electronic form, and (iv) endorsed sponsors of the Medicare prescription drug discount card.

Who does a covered entity have to provide HIPAA training to?

Specifically, the rules state that covered entities must:

  • Provide training to each member of the covered entity’s workforce by the covered entity’s compliance date;
  • Provide training to each new member of the workforce within a reasonable time after the person joins the workforce;
  • Retrain each member of the workforce whose functions are affected by a material change in the covered entity’s privacy policies and procedures, within a reasonable time after the material change becomes effective; and
  • Document that the training has been provided.

What is considered a reasonable time?

“Reasonable time” is not defined. However, “workforce” is defined broadly to include employees, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity. According to HHS, an independent contractor may also be part of a covered entity’s workforce.

How often should you provide HIPAA Privacy Training?

As a best practice, it would probably be prudent to provide annual HIPAA training, and to train new workforce members within three to six months of the date such individual joins the covered entity’s workforce.

This summary is intended to be informational and does not constitute legal advice.  Hamby Benefits Law, LLC recommends that you consult with ERISA legal counsel to ensure that (i) your company’s HIPAA privacy training adequately and accurately informs employees of all necessary HIPAA requirements, and (ii) your company has procedures in place for regular HIPAA training and updates for new and current employee

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.