We get asked about HIPAA training all the time. While most companies know that HIPAA requires some form of training, the type of training, specific content to include in the training, and the frequency with which to conduct HIPAA training is often unknown or unclear.

The most common questions we get are some variation of the following:

• What training is required by HIPAA?
• How often do we need to do training?
• What has to be included in our training to meet HIPAA requirements?
• Can we write our own HIPAA training?
• Can we track training using Google forms?
  

There’s more detail below but the TLDR is that HIPAA requires 2 forms of training - security awareness and privacy - and both of those trainings should be given to new employees and then on a regular cadence, with annual being the longest cadence.

Types of training required by HIPAA.

HIPAA has two broad sections - the Privacy Rule and the Security Rule. HIPAA has training requirements in both the Privacy Rule and the Security Rule. The result is that HIPAA requires both privacy training and security training.

Privacy training

Paraphrasing the language in HIPAA, you are required to train all staff on policies and procedures to protect PHI (protected health information) as appropriate for job functions. In practicality, companies comply with HIPAA and pass HIPAA audits if they ensure their policies and procedures are written to meet the rules of HIPAA. Companies then need to implement those policies and procedures and be able to show proof of their implementation.

Since policies and procedures should map to the HIPAA rules, the way to meet this requirement is to train all staff on the salient points of the HIPAA Privacy Rule. The most important topics to cover are below:

• definition of PHI;
• allowable disclosures of PHI;
• entities under HIPAA (especially for employees of technology companies that act as business associates);
• minimum necessary data collection and usage; and
• data breaches and security incidents.
  

There’s more to the privacy rule and certainly more HIPAA privacy topics that can be included in employee training but our opinion is those additional topics detract at worst, or dilute at best, the most important points that employees should know about HIPAA.

Security awareness training

Security awareness is a well established discipline. HIPAA simply requires that all employees, including management, receive security awareness training. One way some companies check the box on this training is with annual security training.

We think training should be more frequent and the goal of security training should be to go beyond checking the box for HIPAA (or SOC 2 or PCI or whatever).

In terms of what to include in your security awareness training, we wrote an entire post on what topics should be a part of the security awareness training for technology companies.

Evidence of training

Writing and implementing policies and procedures that address all of the requirements in HIPAA is only the first step. The next step is proving it. For HIPAA training, both security awareness and privacy, you first need to create a security awareness policy and procedure that outlines the type and frequency of training. You then need to ensure you have evidence showing completion of training for all employees, with associated completion dates. Rarely, you may get asked by an auditor to show content of training so it is best to make sure you have easy access to this as well.

Google Forms and Sheets can be used for evidence of training, though it can get unruly with lots of employees and multiple required types of training.

----

Haekka offers training that addresses all HIPAA training requirements, all from Slack. Our audit evidence is ready whenever your auditor, or your partners or customers, need it. Put HIPAA training on auto-pilot in less than 2 minutes with Haekka.