The Health Insurance Portability and Accountability Act (HIPAA) exists to protect patients and their health information. It applies to covered entities such as health plans, healthcare providers, and healthcare clearinghouses. More specifically, HIPAA laws and regulations apply to any organization that deals with electronically stored protected health information (PHI).
At some point, the US Department of Health and Human Services (HHS) will audit your organization. As a covered entity, you need to prepare documentation in advance of these audits, and that documentation needs to prove that your workforce has received HIPAA training. Would a series of certified HIPAA training courses be enough to show that you are HIPAA compliant? Could a paper certificate be enough for the auditor?
There are a few things that you need to understand to address the questions above…
The laws that the HHS created regarding PHI
What the HHS says about HIPAA certificates and certified training
What type of information your HIPAA training should include
The value and validity of certificates
By learning about each of these, you’ll start to understand what certified HIPAA training means and what proper training looks like.
Certified Training Doesn't Exist
Essentially, certified training courses don’t exist. What I mean by this is that the HHS doesn’t certify any specific programs. This is because HIPAA compliance isn’t tangible.
Therefore, "certified" training modules cannot guarantee compliance. Taking the training doesn’t make you or your team compliant with the laws. It simply makes sure you are familiar with them. You need to know that your actions are compliant when dealing with PHI.
If you see any businesses that claim their training will certify your organization for HIPAA compliance, be wary. Keep your guard up if you see any badge labeling a training as “certified” since the HHS doesn’t provide these endorsements. If you don’t know what I'm referring to when I say “badges”, take a look at the image below.
Notice how each of the badges is custom to the company that hosts them on their website. Companies give themselves this title by labeling their training as certified. They do this to reinforce the idea that they’re superior to their competition.
Let’s compare this to something you might be more familiar with. Many foods on grocery shelves have the label “natural”. These give the impression that those foods are healthier or provide more nutritional value than others. But really, these labels simply mean that they don’t use artificial or synthetic ingredients. The Food and Drug Administration’s policy for this type of label doesn’t address food production methods, such as the use of pesticides. There are no required inspections or certifications for producers. Therefore, just about any company can label certain products as “natural” even though they might not provide any added health benefits.
This is essentially the same as these certified HIPAA training badges. Any company can label itself as having “certified” training, but that doesn’t carry any special value. That isn’t to say that these programs aren’t effective. They very well may include all the necessary components to pass an audit.
I’m not trying to bash organizations that display these badges when advertising their programs. But it doesn’t necessarily mean that their training is any better than another organization’s program that doesn’t use this type of badge.
The main reason that companies display these is to create a sense of trust. A company looking to outsource their HIPAA training is more likely to trust one that claims it has a special certification, just like grocery shoppers are more likely to trust a food labeled as “natural.” These badges are a great marketing technique.
So when choosing a vendor to provide this training, you need to look into the components of their programs to ensure they meet the standards that will help you pass audits. Think of it as inspecting a nutrition label before you purchase the food labeled “natural.”
What HIPAA Training Should Cover
Alright, so if you can’t always trust training labeled “certified,” then you need to vet the programs before buying one. Or maybe you decide to create your own training so that you avoid these marketing ploys. Either way, there are certain components that training needs to include so that you can pass required audits.
Effective training is a balancing act. It needs to properly educate the viewer on the subject at hand, yet it must also be engaging so that employees remember what they learned.
Making sure they understand these topics can be difficult since HIPAA laws are dense and complicated. A few of the required topics include…
Privacy Rule
Security Rule
Enforcement Rule
Breach Notification Rule
Final Omnibus Rule
HITECH Act
Training that’s easy to comprehend is just as important as the information itself. After all, it doesn’t matter whether you include all of the necessary topics if the material is too complex to follow. Programs need to be interactive to help viewers retain the information so they don’t violate the laws. Engaging games like role-playing, HIPAA-RDY, and “spot the errors” can assist in the learning process.
Now that you know the importance of balancing the content and teaching methods, let’s go over some of the required topics more in-depth. Unfortunately, we can’t go over the entire law or you would be here for a while. That’s what your training programs are for anyway. But for the sake of this blog, we’ll cover the HIPAA Privacy Rule, Security Rule, and Enforcement Rule.
HIPAA Privacy Rule
In December of 2000, the HHS published the HIPAA Privacy Rule. This law establishes national standards to protect patients’ medical records and PHI. These standards apply to health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions.
The Rule states that organizations handling PHI need to implement appropriate safeguards to protect the PHI. It also sets limits and conditions on the uses and disclosures that professionals may make without the patient’s authorization.
The third part of the Rule discusses the patient’s rights over their PHI, including the right to obtain a copy of their health records, examine them, and request corrections. The patient may also direct a covered entity to transmit a copy of their health records to a third party.
When it comes to training, employees need to understand what this Rule’s standards and safeguards are and the rights that a patient has. With comprehensive and engaging training on this topic, staff will know how to protect the patient’s rights and avoid a violation of privacy.
HIPAA Security Rule
In February 2003, the HHS published the final HIPAA Security Rule. This Rule establishes national standards to protect electronic protected health information (ePHI), covering all ePHI that a covered entity creates, receives, uses, or maintains.
The Security Rule requires organizations to use appropriate administrative, physical, and technical safeguards. In this way, these covered entities can ensure the confidentiality, integrity, and security of the ePHI.
So again, when implementing training, it must cover the details of these national standards and required safeguards. That way, your team can properly keep data secured.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule went into effect in April 2003. This Rule contains provisions regarding compliance and investigations. It also deals with civil monetary penalties for violations of the HIPAA Administrative Simplification Rules and with procedures for hearings.
Throughout the Rule’s history, the HHS has made several additions and edits. These additions include the HITECH Act in October 2009 and the Omnibus Rule in January 2013. The Omnibus Rule implemented several provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA.
Since the laws are ever-changing, organizations need to stay up to date on the law’s provisions. This helps them maintain the best protection for their patients’ data.
Certification Value
Certification is different from the certified badges I was talking about previously. When I say certification, I’m referring to a document that an employee receives for completing a training program.
The HHS also notes on their website that certification for healthcare workers is different from that for covered entities. A business can’t have a HIPAA compliance certification, but an individual employee that took the training can.
The Office for Civil Rights doesn’t offer official documentation for demonstrating adequate knowledge of the HIPAA laws and regulations. This is because HIPAA compliance is ongoing: one action or misstep can break compliance. Therefore, these certifications have no legal benefits, but they do provide value in other ways.
Section 164.530(b)(1) of the HIPAA regulations states that a covered entity must train all members of its workforce. Section 164.530(b)(2)(i) clarifies this a bit further, explaining that new employees need training within a reasonable period of time after the person joins.
Now, “reasonable period of time” is very vague. This one statement can cause discrepancies during an audit of the covered entity since it’s up to the auditor’s interpretation of the law.
You can help the auditing process through the use of certifications. In this scenario, certificates show proof of compliance. Giving the auditor records of all the training sessions completed by each employee is important for this process. These records can also show how each employee performed in the training along with timestamps of when they completed it.
They also help instill confidence by giving a sense of accomplishment that leads to more certainty in day-to-day responsibilities. Why would that be important?
Many HIPAA violations occur due to employee actions and gaps in their knowledge of HIPAA regulations. Out of 1,000 business owners surveyed, almost 50% of them said that human error was the reason for a breach that they experienced.
Common violations include:
Medical record snooping
Employee gossiping
Using unencrypted emails to send sensitive information
Improper disposal of records
Eavesdropping on doctor-patient conversations
These are all violations that are preventable through proper knowledge and training. If employees know what behaviors can lead to a HIPAA violation, they are less likely to exhibit this behavior. Therefore, training certificates related to specific behaviors in healthcare will help the organization.
Additionally, certificates create value through continual improvement. Implementing annual training programs allows you to update your employees on any changes to the laws regarding PHI. Like I said before, the laws protecting patients and their health records are subject to change. Since certificates usually have an expiration date, employees need to retake training as needed. This ensures that your organization conducts frequent periodic training.
Conclusion
Certified HIPAA training is complex and involves many technicalities. While there are requirements that organizations need to follow, there are no true “certified” programs. The HHS doesn’t administer or endorse certifications since compliance is ongoing. Even if all employees take the training, a single action could lead to non-compliance and legal consequences.
Because of these misleading labels, organizations need to be careful when selecting a training vendor. A company that markets itself as certified doesn’t necessarily have a better program than another. It might even fail to include all the required components.
Since this can make some organizations skeptical of choosing a service, they could create their own program instead. Whether they do this or still decide to outsource training to a third party, they need to ensure that it covers each requirement of the law through engaging lessons. That way, they know their employees are getting all the information about how to protect patient data and will retain those details.
Even though there also aren’t official certificates, using them still has benefits for the auditing process. They can indicate that everyone on your team completed the training and when they completed it. This helps prove that it was within a reasonable timeframe.
And including expiration dates for certificates ensures that your organization provides periodic training. That way, you always stay up to date with any changes in the law and remind employees about how to adhere to HIPAA regulations.