Let me try to bring some clarity to what is required for HIPAA Security Awareness Training, especially for dental providers that utilize electronic health records (EHR) and/or file electronic health insurance claims. The U.S. Department of Health and Human Services (HHS) provides guidance for the Privacy Rule and the Security Rule training requirements. The description of each is very similar; however, there are four specific implementation specifications that must be met for the Security Rule.
A simple way to determine what rule applies to your specific situation is this: the Privacy Rule covers those practices utilizing paper charts; the Security Rule covers practices utilizing EHR. Even if your practice utilizes EHR, most of the Privacy Rule is still applicable regarding patients’ privacy issues.
The following is a breakdown of the requirements for each:
HIPAA Privacy Rule § 164.530(b)
A covered entity must provide training that meets the requirements of this section of the Code of Federal Regulations (CFR), as follows:
- The training for a covered entity must cover all policies and procedures with respect to protected health information;
- Each member of the covered entity's workforce must receive the training;
- The training must occur within a reasonable period of time after the new staff member joins the covered entity's workforce;
- A covered entity must document that the training was provided;
- Training must occur on an annual basis, at minimum.
Security Rule, Section §164.308(a)(3)
A covered entity and business associate must provide training that meets the requirements of this section of the Code of Federal Regulations (CFR), as follows:
- The training for a covered entity and business associate must cover all policies and procedures with respect to safeguards for electronic protected health information;
- Each member of the covered entity's and business associate’s workforce must receive the training;
- The training must occur within a reasonable period of time after the new staff member joins the covered entity's or business associate’s workforce;
- A covered entity and business associate must document that the training was provided;
- Training must occur on an annual basis, at minimum.
According to the CFR for the Security Rule, the following four implementation specifications must be covered:
- Security reminders that include periodic security updates;
- Protection from malicious software. Training should cover procedures for guarding against, detecting and reporting malicious software;
- Log-in monitoring. The training needs to inform the workforce that log-in attempts are monitored and cover procedures for reporting discrepancies;
- Password management. Training needs to cover procedures for creating, changing and safeguarding passwords.
As you can see, both rules cover a number of the same requirements. However, one major difference is that the HIPAA Security Rule extends to business associates and includes the four implementation specifications.
Here are five best practices to follow regarding HIPAA Security Awareness Training:
- A training program must be in place that covers workplace policies and procedures for safeguards for all protected health information.
- All training needs to be documented. This includes keeping a list of those who received the training and the completion dates.
- Training must be conducted on an annual basis. It is a great idea to also make available periodic refreshers.
- Training should cover your Sanction Policy. This explains what disciplinary action could occur if the policies and/or procedures are violated.
- Training for the HIPAA Security Rule must cover the four implementation specifications.
If you need assistance with HIPAA Security Awareness Training, please contact us. We offer an easy-to-use, web-based training program that can be completed in about an hour, along with other training options.