Persepolis Law Website

As discussed in the article “Who is Required to Comply with HIPAA?”, not every individual and organization under the sun is required to comply with HIPAA’s rules. It is only those certain individuals and enterprises dubbed “Covered Entities” and “Business Associates” who come under the reach of the law.  The reason HIPAA regulates (i.e. dictates the conduct of) these certain individuals/entities is because they, by virtue of their daily conduct, regularly come into contact with sensitive medical information (called “Protected Health Information” or “PHI”). 

The same logic applies when determining who within an organization or business is required to be trained on HIPAA.  Not every individual or department of a particular Covered Entity or Business Associate is required to receive training.  Rather, training is only required for those individuals or departments who, by virtue of their daily job functions, may come in contact with PHI.  For example, a large hospital system will often employ a wide variety of staff, ranging from physicians and nurses to operational staff and cafeteria workers.  Physicians and nurses may require a different level of training than operational staff, while those working in the cafeteria may only require a short 5-minute speech from their manager.  

As discussed in “What is Required to be Taught in HIPAA Training?”, HIPAA regulations do not specify the content, specificity, or duration required for training.  The law simply requires that a Covered Entity or Business Associate trains its workforce “as necessary and appropriate” for them to carry out their job duties in compliance with HIPAA.  In other words, workforce members need to be trained well enough so that they do not mishandle PHI and commit a mistake (a “breach”) under the law.  And what is considered “necessary and appropriate” or “well enough” will vary depending on the job role.  Physicians and nurses of a hospital, who are in constant contact with PHI, will obviously require a greater depth of training to be able to carry out their duties than employees of the hospital cafeteria, who come across PHI only incidentally. 

Sometimes, HIPAA training won’t be required at all for certain workforce members. For example, consider a software company that provides a cloud data storage solution to customers in a variety of industries.  The software company may divide its workforce by industry served, with only one department being dedicated to serving clients in the healthcare industry (who use the software to store data containing PHI).  Because the company’s software hosts PHI on behalf of its healthcare clients, the company would be considered a Business Associate of these clients and is thus subject to HIPAA’s training requirement.  However, the company may decide to provide HIPAA training only to staff working in its healthcare department, since they are the only ones in the company who would ever come into contact with PHI.  It may not need to train the staff who are dedicated to serving clients in sectors like finance or manufacturing. 

There’s also the question of who exactly is considered to be part of a Covered Entity or Business Associate’s “workforce” for purposes of training.  The term “workforce” is defined to include all employees, volunteers, trainees, and other individuals under the direct control of the Covered Entity or Business Associate. This means that independent contractors are not considered part of the workforce.  However, this does not mean that independent contractors are exempt from HIPAA training.  Independent contractors of a Covered Entity who work with PHI are indeed considered Business Associates of that Covered Entity, and as such are independently required to train their own staff under HIPAA. 

In sum, all Covered Entities and Business Associates are required to provide HIPAA training to their staff.  Who among their staff is required to be trained, and what type/level of training they will require, is a case-by-case determination.  As is oftentimes true with HIPAA compliance, no solution is one-size-fits-all. Some Covered Entities and Business Associates choose to provide one generic HIPAA training to their entire workforce.  While technically this can “check the box” for the legal requirement to provide HIPAA training, organizations should keep in mind the essence and purpose behind the requirement – that is, to train staff well enough that they do not commit costly mistakes under the law. 

Contact Persepolis Law to discuss how we can help design a HIPAA training plan best suited to your organization. 
