
An Overview of HIPAA Training Requirements

Updated: Apr 25, 2021

HIPAA Training Requirements

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to provide standards that healthcare organizations must adhere to in order to protect the security and privacy of protected health information (PHI). PHI refers to information that can be used to personally identify a patient. Typical examples of PHI include names, addresses, telephone numbers, email addresses, and facial photos.

The HIPAA regulation defines two types of organizations:

Covered Entities: These organizations include healthcare providers, health insurance plans, and healthcare clearinghouses. Covered Entities tend to drive the direct creation of PHI and need to be fully compliant with the HIPAA regulation.

Business Associates: An organization hired by a Covered Entity (or other Business Associate) that must handle PHI to perform their work. Some examples of Business Associates include information technology providers, email encryption companies, practice management firms, physical and cloud storage providers, and data back-up services. While Business Associates are not required to comply with the HIPAA Privacy Rule in its entirety, they must adhere to the rest of the regulatory standards that apply.

An Overview of the HIPAA Rules

Since its introduction in 1996, HIPAA has evolved through various revisions and additions. Together, these are known as the HIPAA Rules, which include:

HIPAA Privacy Rule: The Privacy Rule outlines national standards regarding the privacy, integrity, and availability of PHI. The Rule provides required protection measures to ensure that PHI remains private. In addition, it sets guidelines for patients’ rights to access their medical records, as well as uses, disclosures, and authorizations that Covered Entities must follow.

HIPAA Security Rule: The Security Rule provides national standards for preserving the security of PHI via a collection of Technical, Physical, and Administrative protections that all Covered Entities and Business Associates must employ.

HIPAA Breach Notification Rule: The Breach Notification Rule identifies the processes that entities must follow when a data breach occurs. There are varying timelines and notification standards in place that are dependent upon the number of individuals affected by a given breach.

HIPAA Omnibus Rule: The Omnibus Rule implemented a number of major changes to the HIPAA regulation, mostly regarding the role of Business Associates. Introduced in 2013, it gave Business Associates an obligation to achieve HIPAA compliance.

What are the HIPAA Training Requirements?

While HIPAA training is mandatory, the actual training requirements are often described as “flexible” as there are no specific HIPAA training requirements. The regulation does state that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that Covered Entities and Business Associates should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).

Knowing that your organization must provide training, but not receiving lots of guidance regarding the type of training you need to provide, can make your pursuit of HIPAA compliance a bit complicated. Given that, it is a good idea to start by conducting a risk assessment for your organization that outlines the role of each person who may have contact with PHI. You can then build a security awareness and training program that addresses each individual function or role.

eLearning for HIPAA Training

As online technologies have continued to evolve, online training or “eLearning” has emerged as a cornerstone for many organizations that need to develop and deliver HIPAA training programs. If your company is considering the use of an eLearning platform to conduct your HIPAA training activities, here are some of the benefits you can expect.


eLearning allows you to reduce or even eliminate many of the costs associated with traditional, classroom-based training, such as travel, venue and instructor fees, catering, and the distribution of printed materials. And with eLearning, you eliminate costs associated with lost productivity as your employees can conduct their training activities during breaks or after hours.


One of the unfortunate challenges associated with classroom-based training is in the fact that all students must try to keep pace with the instructor. eLearning eliminates this by allowing your employees to work at their own pace. They can even revisit important or challenging materials multiple times before moving on to the next section.


eLearning allows your students to learn in an environment that works best for them as they can access their training materials at any time and from any place. All that is required is an Internet connection (and many eLearning activities can even be accomplished offline).

Communication and Collaboration

Many eLearning platforms now offer tools for online communication among students and between students and instructors. These tools help drive the learning experience and can provide a sense of community. They can also help you to streamline the program feedback process.


eLearning simplifies and streamlines the process of collecting critical program data around engagement and student success. The analysis of this data can be tremendously valuable as you work to modify, expand, and improve your program over time.

LMS Portals and HIPAA Training Requirements

LMS Portals provides a cloud-based platform that allows your organization to run your HIPAA training program on your own branded eLearning portal. Our clients are able to quickly and easily develop and deploy their HIPAA training courses, enable online communications to support the learning experience, and analyze vital program data to measure its effectiveness.

Contact us to discuss running your Online HIPAA Training on your own branded portal.
