HIPAA Training Resources

Several of HIPAA’s requirements (directly or otherwise) stipulate that covered entities must provide proper privacy training to their employees and contractors. Anyone within your organization who may have access to PHI must receive training on HIPAA policies.

For security and liability purposes, covered entities may also choose to go above and beyond the requirements outlined in the Privacy Rule and the Security Rule, and certify their workplace with third-party training programs.

For more information, please visit our HIPAA Certification article.

In this article, we will examine the HIPAA training requirements and discuss free training resources that your organization may take advantage of.

HIPAA Training Requirements

Spread across several sections of HIPAA’s Privacy and Security Rules, the disparate training requirements do not apply equally to all covered entities. Read through the following requirements carefully, and conduct your own due diligence to ensure that your organization is meeting all the requirements outlined in the Act.

Policies and Procedures

Perhaps the most vital component of HIPAA training, your organization is required to have a set of codified policies and procedures to ensure the safety of PHI. This is clearly stipulated in every Standard found in the Administrative, Physical, and Technical Safeguard requirements of section 164 of HIPAA.

Each Standard requires covered entities to “implement policies and procedures” to ensure full compliance. These policies and procedures must be codified, and all employees and subcontractors must be trained and educated on each Standard applicable to their functions.

For a full list of required policies and procedures, take a look at the HIPAA compliance checklist.

Security Awareness and Training

This is the fifth standard of the Administrative Safeguards outlined in HIPAA. This standard requires your organization to “implement a security awareness and training program for all members of its workforce (including management)” (HIPAA 164.308).

Its implementation specifics require your organization to:

A) Provide your team with periodic security updates.
B) Train your employees on protecting their digital media from malicious software.
C) Train your employees on proper login procedures.
D) Train your employees on proper password management.

Technical Safeguards

Although Technical Safeguards are included in the Policies and Procedures requirement, they must be given special attention.

Technical Safeguards like encryption must be used diligently by all employees/contractors who handle ePHI. In order for the technical requirements of HIPAA to be met, your workforce must be properly trained to use these tools.

Privacy Practice Notice

As explained in our HIPAA forms article, covered entities with a direct treatment relationship with patients must make a good faith effort to collect acknowledgment from all patients, stating that they understand the privacy practices of the covered entity regarding PHI. Part of this good faith requirement is to ensure that employees are trained to:

1. Stock the proper forms and documents.
2. Hand out Privacy Practice Notices to all new patients.
3. Request the patient’s signature.
4. If a signature was not received, document the attempt.
5. Document and escalate patient complaints about privacy.
6. File all documents properly.

Free HIPAA Training Programs

In addition to conducting the necessary in-house training outlined above, covered entities can make use of several free resources to ensure that their employees and contractors are thoroughly trained to handle PHI.

Where applicable, your organization’s employees and subcontractors may receive the benefit of CME/CE credits upon completion of these training courses.

Government Sponsored HIPAA Training

The foremost provider of free HIPAA training resources is the United States government. Part of the United States Department of Health and Human Resources, the Office of Civil Rights provides 6 HIPAA training resources that your organization can take advantage of:

• EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information
• Your Mobile Device and Health Information Privacy and Security
• Understanding the Basics of HIPAA Security Risk Analysis and Risk Management CME
• Patient Privacy: A Guide for Providers
• HIPAA and You: Building a Culture of Compliance
• Examining Compliance with the HIPAA Privacy Rule

Previously, completion of these programs awarded its participants free CME and CE credits however, as of now, none of these programs are valid for credit.

College-Sponsored Training

As part of their CME and CE programs, many colleges and universities offer free HIPAA training for medical professionals.

A prominent provider of free downloadable HIPAA training is the University of North Carolina School of Medicine. Their training materials can be accessed here, and may carry the added benefit of CME/CE credits for medical and health professionals.

Other institutions, like the University of Maryland School of Medicine or the University of Kansas Medical Center provide free HIPAA training for students, alumni, faculty, and affiliates. Assuming that these resources are up to date, you may also be eligible to receive CME/CE credits for partaking in the training provided by these institutions.

Army HIPAA Training

Although not directly applicable to civilian medical and health professionals, personnel of the DHA (Defense Health Agency) can access free HIPAA training materials via the MHS (Military Health System). In fact, if you are an employee (civilian or army) of the DHA, you are required to complete HIPAA training courses on the MHS Learn platform.

Third-Party Training

Although there are many free third-party HIPAA training resources available online, none of them carry the added benefit of giving medical professionals CME credits and health professionals CE credits. If you wish for your organization’s employees to take advantage of the credits, you should use either government HIPAA training, medical school HIPAA training, or medically recognized paid HIPAA training.

If you are simply looking to further educate your organization’s workforce on HIPAA laws, there are a few great resources from third-party providers.

Pro HIPAA: This website offers all of their training materials for free, including more than 20 minutes of videos, prep materials, and tests. Employees of covered entities can access all of these features by creating an account. However, test results and certifications are locked behind a pay-wall.

HIPAA Secure Now: A little bit more dated in its design, HIPAA Secure Now provides a similar breadth of materials for training. Instead of locking features behind a pay-wall, this website limits access to 14 days, after which a subscription must be paid.

Final thoughts on HIPAA training

Whether your organization is conducting all of its HIPAA training in-house or making use of other training programs, it may be a good idea to take advantage of some of the free resources available online. Although doing so does not directly impact HIPAA compliance, a better-trained, more educated workforce is a benefit of its own.