HIPAA Awareness Training: Privacy Rule Training and Security Rule Training
Before employers can develop an effective HIPAA awareness training program, they must meet the minimum training requirements imposed by the rules themselves – the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule requires covered entities to train workforce members on its privacy policies and procedures that governing use and disclosure of PHI, as necessary and appropriate for the workforce members to perform their job roles. HIPAA Privacy Rule training is required for each new member of a covered entity’s workforce, within a reasonable period of time after the person joins the workforce. Privacy Rule training must also be provided to each member of the covered entity’s workforce whose functions are affected by a material change in the covered entity’s policies or procedures, within a reasonable period of time after the material change becomes effective.
Do you have an effective HIPAA compliance program? Find out now by completing the HIPAA compliance checklist.
The Department of Health and Human Services states that the Privacy Rule training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
The HIPAA Security Rule requires covered entities to provide security awareness and training to workforce members, including management. This can be done by implementing security reminders, in the form of periodic security updates; protection from malicious software, in the form of procedures for guarding against, detecting, and reporting malicious software; login monitoring, in the form of procedures for monitoring login attempts and reporting discrepancies; and password management, in the form of procedures for creating, changing, and safeguarding passwords.