All you need to know about HIPAA training

John Sherman

More than likely you’ve heard the word “HIPAA” but still don’t fully understand what it is and why it’s such a big deal. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, enacted in 1996.

In basic terms, it requires your organization and its employees to keep protected health information about your patients confidential, regardless of the medium: paper, spoken, or electronic.


For starters, HIPAA consists of five different titles, each playing a distinct role. Only one of them, Title II, is where the privacy and security protections for a person’s health information live.

  1. Title I – This title regulates the availability of and access to health care plans, as well as the renewability and portability of coverage. In other words, for someone with a pre-existing condition, this title regulates how group insurance plans may treat him or her.
  2. Title II – The Administrative Simplification provisions of this title contain the Privacy Rule and the Security Rule. The Privacy Rule regulates how covered entities (health plans, health care clearinghouses, and health care providers) and their business associates may use and disclose Protected Health Information, or PHI.
  3. Title III – Title III of HIPAA sets the tax rules for medical savings accounts, including limits on what a person can contribute.
  4. Title IV – The focus of this title is the application and enforcement of group health plan requirements.
  5. Title V – This title contains revenue offsets, including the tax treatment of company-owned life insurance.

Although your HR Director needs a working knowledge of all five titles of HIPAA, you want him or her to pay special attention to Title II, since that is what organizations associated with health care deal with day to day.

Title II’s Privacy Rule requires covered entities to train their workforce on the policies that protect PHI. One thing that training has to cover is the “Safe Harbor” de-identification standard: health information only counts as de-identified once all 18 of the following identifiers of the patient (and of the patient’s relatives, employers, and household members) have been removed. Otherwise, an unauthorized party could work out who the information belongs to, which under this Act should never happen.

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code, with a limited exception for the first three digits of a ZIP code)
  3. Phone number(s)
  4. Email address(es)
  5. Fax number(s)
  6. Web URLs
  7. Internet Protocol (IP) addresses
  8. All elements of dates, except the year, directly related to the individual (birth date, admission and discharge dates, date of death), and any age over 89
  9. Social Security number
  10. Account number(s)
  11. Medical record number
  12. Certificate or license number
  13. Health plan beneficiary number
  14. Device identifiers and serial numbers
  15. Vehicle identifiers and serial numbers, including license plate number(s)
  16. Biometric identifiers (retinal scans, fingerprints, voiceprints, etc.)
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code
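
In practice, the Safe Harbor list above is a scrubbing specification. The following Python example is added here and is not code from the original article or from Go1. It shows a first pass at applying the list: direct identifiers are dropped from a structured record by field name, dates are reduced to the year, ages over 89 are collapsed, ZIP codes are truncated to three digits, and the categories that tend to leak into free-text notes (SSN, phone, email, IP, URL, dates) are caught with regular expressions. The field names and the sample record are constructed for the example; the population check on sparse three-digit ZIP codes and names inside free text are out of scope, and a regex pass is a screening aid, not a substitute for review of the result.

```python
"""Safe Harbor style de-identification pass over a patient record.

Added example: the field names and SAMPLE_RECORD are constructed for this
illustration and are not real data or the article's own code.
"""
import re

# Structured fields that map directly to Safe Harbor identifier categories
# (name, address, contact details, SSN, MRN, account/plan numbers,
# device and vehicle identifiers, URL, IP). They are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "account_number", "license_number", "beneficiary_id",
    "device_serial", "license_plate", "url", "ip",
}

# Identifier categories that leak into free-text notes. Order matters:
# SSN runs before phone so a 3-2-4 digit group is never read as a phone
# number, and URL runs before IP so a host inside a URL is handled once.
TEXT_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url",   re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("date",  re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")),
]


def scrub_text(text):
    """Replace identifier matches in free text with [CATEGORY] tokens.

    Dates keep only their year, as Safe Harbor allows. Returns the
    cleaned text and the list of categories found, in pattern order.
    """
    found = []
    for category, pattern in TEXT_PATTERNS:
        def replace(match, category=category):
            found.append(category)
            if category == "date":
                return match.group(3)          # year only
            return f"[{category.upper()}]"
        text = pattern.sub(replace, text)
    return text, found


def scrub_record(record):
    """Return a de-identified copy of a structured record.

    Direct identifier fields are dropped, *_date fields are reduced to the
    year, ZIP codes are truncated to three digits (the Safe Harbor
    population threshold for sparse 3-digit ZIPs is not checked here),
    ages over 89 are collapsed to "90+", and notes go through scrub_text.
    """
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key.endswith("_date") and isinstance(value, str):
            year = re.search(r"\b(\d{4})\b", value)
            clean[key] = year.group(1) if year else None
        elif key == "zip":
            clean[key] = str(value)[:3]
        elif key == "age" and isinstance(value, int) and value > 89:
            clean[key] = "90+"
        elif key == "notes" and isinstance(value, str):
            clean[key], _ = scrub_text(value)
        else:
            clean[key] = value
    return clean


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "birth_date": "1931-03-14",
    "age": 93,
    "zip": "02139",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 617-555-0142, email jane@example.com; "
             "follow-up 04/02/2024.",
}

if __name__ == "__main__":
    for field, value in scrub_record(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

Running the block prints the scrubbed sample: the name, MRN and SSN fields are gone, the birth date becomes `1931`, the age becomes `90+`, the ZIP becomes `021`, and the note reads `Pt called from [PHONE], email [EMAIL]; follow-up 2024.` The list of categories `scrub_text` returns is what you would log for a reviewer, so that a note with a hit can be checked by a person before the record is released.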

As explained by the US Department of Health and Human Services, “the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the US Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of certain health information.”

If you operate a business in the health care sector, whether physical or mental health care, the law mandates that you follow all titles, and the Privacy and Security Rules under Title II in particular.

HHS goes on to state that, before the enactment of HIPAA, there were virtually no set standards for the security of health information, nor any general requirements for protecting information about an individual’s health within the health care sector.

However, with advances in technology making it increasingly easy to obtain someone’s information, the government recognized the need to change that, in the form of HIPAA.

HIPAA training

HIPAA training is not limited to health care organizations. Any Business Associate (BA) or other entity that requests, handles, or stores patient or client information must train its workforce on the rules that apply to it. HIPAA itself defines no certification; the courses and certificates vendors offer are a way of delivering and documenting that training, not a government credential. Without proper training, there’s no way for your HR Director, Compliance Manager, L&D Manager, and others you deem necessary to successfully protect information about your patients.

As for Business Associates (BAs), the government defines these as any person or organization, outside the covered entity’s own workforce, that creates, receives, maintains, or transmits PHI on the covered entity’s behalf. Some examples include accountants, lawyers, and third-party insurance billing services.

While the government mandates certain HIPAA training, there are areas where training is not required. Even so, for optimum protection of the patients and clients your organization serves, you should have the appropriate leadership team take as many online courses as possible, with an emphasis on those pertaining to Title II.

If a breach of PHI occurs or a complaint is filed, the HHS Office for Civil Rights (OCR) may open a formal investigation. If, during that investigation, it discovers you failed to give the appropriate people within your organization the required training, you would likely face a significant civil money penalty from OCR.

Furthermore, while HIPAA itself gives patients no right to sue, a failure to comply puts your business at tremendous risk of lawsuits from any involved patient or client under state privacy and negligence laws.

Keep in mind, the HIPAA training your staff needs and the courses you recommend will vary somewhat according to each person’s position and the specific functions they perform. Typically, companies that deal with sensitive and proprietary health care information complete multiple training courses to ensure managers understand all angles of security awareness.

Fortunately, many of the courses are available online through a reputable Learning Management System (LMS). An industry or topic expert develops each course, and the majority take only about an hour to complete. These courses are also affordable and available in a variety of formats, including articles, podcasts, videos, and so on.

Between the mandated and selective training, there’s a tremendous amount of information. However, with an LMS, your staff can complete courses within a reasonable period, preventing them from trying to cram their minds with more information than they can retain.

After all, even mandated HIPAA training has no fixed deadline: the Privacy Rule requires training for each new workforce member within a reasonable period after they join, and for affected staff within a reasonable period after a material change to your policies, and it leaves “reasonable” to you.

If you look at the Security Rule, its security awareness and training standard calls for “periodic security updates” rather than a set timeline. A good rule to follow is to have the correct members of your organization complete mandated training once a year. As for supplemental training, they could coordinate courses with their schedules. Of course, any material change to HIPAA or to your own policies should prompt retraining of the affected staff right away.

The Compliance Manager within your organization plays a key role in keeping your L&D Manager up to speed on any HIPAA training issues. In this role, the individual responsible for compliance should perform several duties, including:

  • Monitoring – Monitor both the HHS website and various state publications for rule changes. Although HHS publishes advance notice of proposed rules, it never hurts to have your Compliance Manager subscribe to several reliable channels and news feeds.
  • Assessment – Whenever HHS issues new guidelines or rules, your Compliance Manager should conduct a thorough risk assessment. With that, he or she can determine whether the modifications affect your business.

    If they do, your Compliance Manager should work with your L&D Manager to ensure the proper people complete any necessary training, both mandated and supplemental. Beyond an assessment following changes to HIPAA, it’s essential to have your Compliance Manager conduct risk assessments regularly; the Security Rule requires a periodic risk analysis of threats to electronic PHI in any case. That way, the risk of a HIPAA violation decreases dramatically.
  • Liaison – If changes occur, your Compliance Manager needs to schedule a meeting with the L&D and HR Managers. Together, they can identify any impact on compliance with Title II of HIPAA.
  • Training – If HIPAA changes affect your employees’ compliance, your L&D Manager would organize the necessary training. Remember, only the members of your organization whose work is affected by the modifications must complete the mandated training.

Critical components of HIPAA training

The government’s training requirements come from two places: the Administrative Safeguards of the HIPAA Security Rule (security awareness and training) and the Administrative Requirements of the HIPAA Privacy Rule (workforce training). Along with those two, consider several supportive training courses for each of the four remaining titles, as well as others such as Information Security and Privacy and Compliance: Privacy Awareness. The more knowledge your executives and senior management team have, the better.

Courses built around these two requirements carry a lot of valuable information. Following are some example topics:

  • What is HIPAA?
  • Why HIPAA is important
  • Key HIPAA definitions
  • HIPAA Privacy Rule
  • PHI Disclosures
  • Patients’ Rights
  • Notification of a Breach
  • Business Associate Agreements
  • Potential Violations
  • HIPAA Security Rule

Standardizing a system

HHS publishes model notices and guidance for the various HIPAA topics, making it easier for you to stay on top of training, compliance issues, and other concerns. If you run a health care organization, you must explain the HIPAA rules to patients and give them a Notice of Privacy Practices that clearly outlines their rights. Do both no later than the first time a person sees a physical or mental health care professional.

If you are a BA or similar entity, meaning you don’t actually see patients but still deal with personal information, you still need to let your clients know how you handle PHI. The best way to prevent an oversight is to establish written privacy and security policies reflecting the Privacy Rule and the terms of your business associate agreements.

Whether for an existing or a new patient, make sure you have a checklist guaranteeing you provide everyone with both oral and written information. Then, ask the patient to sign an acknowledgment of receipt (the Privacy Rule requires a good-faith effort to obtain it), keep a copy in his or her file, and store a digital copy.

If you have an insurance assistance, billing, or some other type of company that deals with patient information, adopt the same kind of system. The goal is to cover your back: no amount of compliance makes a breach impossible, but a documented program keeps you compliant and shows due diligence if one occurs.

Along with this system, you could create a simple Excel spreadsheet listing the mandated training courses. Include a column for the team member’s name and the date of completion. For each person, you would then list secondary training on patient privacy courses. With this, you have a single record of both the HHS-mandated and your internal training program, which is also the documentation OCR will ask to see.

One important thing to note: disclosures of PHI for treatment, payment, and health care operations do not need the patient’s permission, but if you anticipate sharing a patient’s Protected Health Information (PHI) with a third party for any other purpose (marketing, for example), you’re required to get a written authorization first. If granted, the patient signs a form, either created by you or one provided by HHS, that spells out what will be shared, with whom, for what purpose, when the authorization expires, and the patient’s right to revoke it; you then maintain it as part of your record-keeping system. If at any time a patient requests a copy of the signed document, you’re required to provide one.

Something else you need to know: if you have a counseling, therapy, or psychiatry business, HIPAA gives psychotherapy notes (a therapist’s own process notes, kept separate from the rest of the medical record) extra protection. In other words, you can share names, addresses, and other patient details with a third party where the Privacy Rule permits it, but psychotherapy notes are off limits without a specific authorization from the patient. What it comes down to is that you and your staff must protect the security and privacy of every person seen.

One exception is when you have a genuine concern that a patient may harm him or herself, or someone else; then you can contact family members or law enforcement to the extent needed to lessen the threat. In such an event, you would need to make a relatively fast assessment, followed by taking the appropriate action to keep your client and others safe.

Training do’s and don’ts

As mentioned, along with mandated training, it’s highly recommended you provide your leadership team with supplemental courses.

For both, consider some of the primary do’s and don’ts:

  • Do – Choose online courses of real value.
  • Don’t – Go into great detail about HIPAA’s history. While perhaps interesting to some individuals, most people really don’t care.
  • Do – Select supplemental online training courses your staff can complete in an hour or less.
  • Don’t – Make training boring. There’s no reason to recite regulation section numbers and quotations from HHS. If you plan to have your leadership team complete training on the same day and at the same location, have your L&D Manager prepare an engaging presentation.
  • Do – Cover the different consequences of a HIPAA breach. For this, send a clear message about the damage it would do not only to the organization but also to employees and, most importantly, patients.
  • Don’t – Overlook the importance of documenting all training provided and completed.
  • Do – Choose the right members of your team for training. The three most critical people include your HR Manager, Compliance Manager, and L&D Manager.

Training source

For the best HIPAA training, go through the US Department of Health and Human Services website. However, for additional training, make sure you choose a trusted, respected, and reliable source.

While you’ll have no problem finding an LMS, not all offer the same caliber of service. Go1 is by far your best option. With a vast library of courses on patient privacy and an affordable membership price, you can access whatever training you feel your team needs in support of HIPAA compliance.

Although HIPAA training protects patients and clients, it also protects your business and the people who work for it. Enforce completion of the mandated courses and select supplemental training for optimum protection. The last thing you want is the government breathing down your neck about a potential compliance issue. We invite you to visit our website or call to speak with a representative.

Go1 helps millions of people in thousands of organizations engage in learning that is relevant, effective and inspiring.