The Perfect Frequency: How Often is HIPAA Training Required?


There’s no question that HIPAA is one of the most strict industry-specific laws in the United States.

I’m sure that if you serve a different vertical outside of healthcare, you’re willing to debate with me on the statement I just made. It would be a heated debate where you would bring up other big laws like SOX, OSHA and CMMC.

Yet I’m so confident in my stance for this hypothetical argument that I’ll tell you the main points ahead of time just in case one day we actually have it.

  • The healthcare industry will be worth $808 billion by 2021 in the United States alone. (PolicyAdvice)

  • Every person is a client of the medical industry. No one is immune to visiting the doctor.

  • The Department of Health and Human Services (HHS) doled out over $13 million worth of civil penalties in 2020. (HIPAAJournal)

  • One of the breaches that settled in 2020 affected 9.3 million people. (Defensorum)

Now that you know the facts and figures I would bring up during our argument, two things could happen. First, you’ll realize that my stance about HIPAA is the correct one. Second, you’re stalwart in your position and lose the argument.

Of course, I’m being facetious during all of this. The point I’m trying to make in these opening paragraphs is that the government takes HIPAA seriously.

Failing to stay attuned to and in line with its requirements leads to fines and, in some cases, immediate termination.

As a result, one of the most important aspects of a healthcare organization’s attempt to stay compliant with HIPAA is to train its employees. Compliance starts with the employees, after all.

If they don’t know what they should and/or shouldn’t do on a daily basis due to the laws that apply to the facility they represent, it’s only a matter of time before they’re in big trouble.

The next logical question then is, how often is HIPAA training required?


Differences in Privacy and Security Rules

First, I want to make it very clear that you shouldn’t feel ashamed if you don’t know the answer to this question.

Even if you’ve been a healthcare professional for decades, there’s no shame in not knowing the perfect frequency for sending HIPAA training. I’ll extend this positivity out even further and say that you shouldn’t feel bad if you don’t give your team any education on this law.

I’m not saying that it’s a good thing you don’t. It’s only a matter of time before you receive an audit from the HHS and a fine from it.

The fact that you’re here, reading this blog post, means you’ve noticed the larger emphasis placed on the law in recent years. As such, you’re starting to establish or refresh your compliance environment. You have to start somewhere.

This first section is a little dry but it’s necessary.

It would make sense for the law that places all of these mandates on your organization to include a section with black and white training requirements. It’s not that simple.

HIPAA exists in three main sections: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The law addresses training in both the Privacy Rule and the Security Rule, yet the training requirement listed in each rule is different from the other.

The Privacy Rule (regulation text via Cornell) states that training on its safeguards and mandates should happen within “a reasonable period of time after the person joins”.

Meanwhile, the Security Rule (regulation text via Cornell) states that training on its different sections should happen on a “periodic” basis.

After looking at both rules, you’re probably more confused than when you started reading this blog post. They both make it apparent that educating your employees is a requirement.

Yet, how can the HHS place the expectation on you that you’re in compliance with HIPAA if they don’t tell you how often you should teach your employees about its requirements?

Seems pretty lazy, doesn’t it?

Best Practice for New Hires

Although both rules seem vague in their training frequency requirements, it’s possible to navigate them in a way that satisfies them.

The Privacy Rule has the most specific request. It tells you that your employees should receive education the moment they join your team. That’s vital information to use in determining how often you should make HIPAA training required at your organization.

In other words, teaching your new employees the biggest regulation your organization needs to adhere to should become a part of your onboarding process.

The reality is that more than one-third of companies don’t have a formal onboarding program.

[Image: statistic on companies without a formal onboarding program]

That statistic is a big deal.

By requiring that your new employees participate in HIPAA training, you’re directly improving your onboarding experience. The new team member gets a clear understanding as to what is and isn’t allowed at your organization on day one. Meanwhile, you’re further aligning your organization with the mandates set out by the HHS.

In other words, you have proof of continual efforts towards HIPAA compliance in case you get audited and your employee appreciates your onboarding process. That’s a win-win scenario.

After all, almost 70% of employees will stay with a company for three years if they experience great onboarding.

Ongoing Module Sending

OK, if you followed the steps laid out in the section above you’re satisfying the Privacy Rule’s training requirement.

But that’s only 50%. Not a passing grade.

If an auditor comes along and takes a look at your current environment, they’re going to find that you don’t satisfy the Security Rule education mandate.

Yes, you teach all of your employees about the biggest law that affects your organization the moment they walk through your doors. However, compliance isn’t a “one and done” concept.

To reiterate, the Security Rule says that you need to implement updates on its requirements periodically, without giving you its exact details about how often.

If you looked up the word “periodically” in a thesaurus, it would list the following alternatives.

[Image: thesaurus entries listed for “periodically”]

The first word listed in the thesaurus’ recommendations provides you with the answer you need to satisfy the Security Rule’s requirements.

In other words, although the law doesn’t flat out say that you need to make your employees re-take your HIPAA module every year, it’s almost implied.

Sure, my take on this is a little investigative. If it didn’t convince you, that’s fine. There’s another argument that further boosts the stance of providing HIPAA training annually.

The Identity Theft Resource Center (ITRC) found that human error was one of the top reasons attributed to healthcare organizations experiencing breaches.

Yet, most companies within this industry jam HIPAA concepts into one massive session. There’s a correlation there.

Most experts agree that providing ongoing efforts towards keeping your employees engaged with healthcare’s biggest law lessens the chances of facing a breach across the board.

Don't Forget Refreshers

When government agencies release the first draft of a law, it isn’t final. That’s an obvious statement but I needed to say it.

The point I’m trying to make is that if you compare HIPAA on its initial release date in 1999 to where it is now, you’ll notice a ton of changes.

To give you some examples of recent changes…

[Image: examples of recent changes to HIPAA]

In other words, no law is stagnant and HIPAA isn’t an exception.

That means that sending exciting training modules to your employees on an annual basis isn’t enough either. You have to go a step further and send refreshing content and updates as well.

Conclusion

So what’s the answer to your question, “How often is HIPAA training required?”

It’s up to you. The law requires your organization to implement some sort of training module, but it leaves it to you to determine how often to distribute it.

If you’ve heard that it’s required to hold sessions annually, that’s nothing but a myth. Although, it’s one you should take into serious consideration because most experts in the field recommend that frequency.

Nonetheless, if you’ve reached this point you now have a good idea as to what a comprehensive HIPAA training program looks like.