HIPAA Training for Business Associates

Trying to find a simple answer to the question “Do the HIPAA Rules require business associates to train their employees?” is not easy. The HIPAA Security Rule explicitly imposes a training requirement: under the Security Rule, business associates must train their workforce. That’s clear-cut enough. However, we will find no affirmative requirement in the HIPAA Privacy Rule or the Breach Notification Rule stating that business associates must train their workers; neither rule explicitly states that BAs must train their workforce on its provisions. This raises the question: is HIPAA training for business associates required under the HIPAA Privacy Rule or the HIPAA Breach Notification Rule?

HIPAA Training for Business Associates: The HIPAA Privacy Rule

A business associate is a person or entity who creates, receives, maintains or transmits PHI on behalf of (or for the benefit of) a covered entity (directly or through another business associate) to carry out covered functions or transactions of the covered entity.

On behalf of covered entities, business associates perform or assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information. Such functions and activities may include:

Generally, business associates are required to enter into a business associate agreement (BAA) with the covered entities on whose behalf the business associates perform services. A BAA will outline what BAs can and cannot do with the PHI they access, how they will protect that PHI, how they will prevent PHI disclosure, and the appropriate method for reporting breaches of PHI should such a breach occur.

Since business associates cannot use or disclose PHI in a manner that a covered entity could not either, business associates need to understand what PHI is in the first place. If business associates did not train their workforce on what PHI is, the workforce would be incapable of understanding what uses and disclosures of PHI are permitted, required, or prohibited. 

HIPAA training for business associates on the Privacy Rule begins with a business associate implementing certain policies and safeguards that the Privacy Rule mandates for covered entities. These policies and procedures include:

  • Policies and procedures setting forth rules governing uses and disclosures of PHI.
  • Policies and procedures describing individuals’ rights regarding their PHI.

Once these policies and procedures are in place, HIPAA training for business associates can begin. Business associates should begin training their workforce by going over the basics of the HIPAA Privacy Rule. These basic principles include:

  • Covered entities and their business associates may not use, access, or disclose PHI without the individual’s valid, HIPAA-compliant authorization, unless the use or disclosure fits within an exception.
  • Unless they have agreed otherwise, covered entities and business associates may use or disclose PHI without the individual patient’s authorization or consent for the following purposes:
    • Treatment;
    • Payment; or
    • Health care operations.

HIPAA Training for Business Associates: The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule, located at 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Since business associates have an affirmative responsibility here (that of notification), business associates must know what a breach of unsecured protected health information (PHI) is in the first place. HIPAA training for business associates on the Breach Notification Rule, therefore, should consist of training on:

  • The difference between unsecured PHI and secured PHI. Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in the HITECH Act.
  • The definition of a “breach.” A breach is an impermissible (i.e., not authorized) use or disclosure of PHI under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.
    • An impermissible use or disclosure of protected health information is presumed to be a breach, unless the business associate performs a breach notification rule risk assessment whose results demonstrate a low probability that the protected health information has been compromised.
  • Business associate breach notification obligations:
    • If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
    • While the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual. This consideration may depend on various circumstances, such as:
      • The functions the business associate performs on behalf of the covered entity; and
      • Which entity has the relationship with the affected individual.