The short answer: yes. Failing to train employees on HIPAA is itself a violation of the law.
It is not enough to simply tell your employees about the law. HIPAA requires that workforce training be provided and documented (there is no official government HIPAA certification; what matters is proof). Keep evidence that each employee completed the training and retained the material, for example exam scores from a quiz given after the training.
After a data breach, you will be asked to produce records of employee training. If you can provide these records, your practice is likely to face less severe penalties, because fines are tiered by culpability and are highest where the violation resulted from willful neglect.
Why Care About HIPAA Training?
Penalties already increased in 2019, as outlined by HIPAA Journal.
According to Channel Futures, experts predict penalties will increase again in 2020, as the government is expected to make up for budget cuts with increased enforcement.
Set fines aside for a moment and consider patient trust. After a data breach, you must follow the Breach Notification Rule: you must notify the affected patients, the Secretary of Health and Human Services, and, for larger breaches, the media.
A data breach could destroy patient trust in your practice. As a result, your patients might leave for a different practice.
Who Needs to be Trained?
Any member of your workforce who encounters Protected Health Information (PHI) needs to be trained. Of course, this includes doctors, dentists, and nurses, but it also covers staff whose jobs are not clinical. For example:
- Sanitation and cleaning workers who have access to areas where PHI is stored or displayed
- Business Associates, who are required to train their own workforce on the PHI they handle for you
What Should be Included in Training?
According to HIPAA Journal, your HIPAA employee training should cover the following topics:
- What is HIPAA?
- Why is HIPAA important?
- HIPAA definitions
- Rights of patients
- HIPAA Privacy Rule
- HIPAA Security Rule
- Disclosures of PHI
- Safeguarding ePHI
- Breach notifications
- Business Associate Agreements
- Employee Sanctions