Voted Best Sexual Harassment Training Solution in 2021 by The Balance SMB

A HIPAA Certificate Expires...When? (And All Your questions on HIPAA Certification and Training Answered)

If you're new to the world of healthcare, the topic of HIPAA certification can seem hazy. There's very little information you can find on HIPAA certificates and their purpose. 

This article will try to answer some of the frequently asked questions on HIPAA certification and training, starting with one that's more often than not the main source of confusion:

Note: If you want to make sure your company is compliant with HIPAA, the best way to do it is with EasyLlama's HIPAA training course. Our bite-sized videos make it easy for your employees to follow HIPAA laws and help your company avoid unnecessary fines. Get in touch with us to try a free trial today. 

Does HIPAA certification expire?

HIPAA only requires employers to retrain employees if new rules are introduced. Most businesses, however, modify their policies on an annual basis or every two years.

That said, although a certificate given at the conclusion of a training course is merely a point-in-time recognition, it is also a proof-of-compliance document demonstrating that instruction was given. Because Covered Entities and Business Associates are required to keep HIPAA-related papers for at least six years, in theory, HIPAA Certification has a shelf life of six years - although this may be considerably longer in reality.

What's the purpose of HIPAA Certification?

Healthcare workers who have earned HIPAA certification can use it as documentation that they completed the educational materials provided. In this sense, documented HIPAA certification for healthcare employees protects the company from liability in the event of a HIPAA violation or data breach caused by employee negligence or data theft.

That is why, when a person completes a third-party training program, certifications are frequently provided. If the certificate has a signature and date on it, it may be used as proof that you completed the course on time and schedule.

Certificates have been useful to businesses in providing evidence of training attendance in the case of a HIPAA audit or breach. Unless you can show another method of ensuring that every worker at your healthcare company received their instruction on time and regularly, a certificate might be beneficial.

HIPAA certification also demonstrates to both customers and potential clients that your business takes patient privacy very seriously. By putting in the effort to comply with HIPAA, your organization can boost its reputation as a trustworthy healthcare provider.

How often should organizations undertake HIPAA training? 

The HIPAA Security Rule specifies that organizations should conduct training “periodically”. Since a longer period, such as every two or three years, would be considered negligent if discovered during an HHS investigation of a breach, as we’ve mentioned earlier.  Most healthcare professionals interpret “periodically” to mean once per year.

Training must show that you are familiar with the most recent updates to HIPAA regulations. It would also be helpful if training included information on how to maintain compliance since HIPAA rule changes nearly every year.

What is covered in a typical HIPAA training course?

A typical HIPAA training course covers what employees need to know about keeping patient records private and secure under the standards set by HIPAA. Because of this, most courses include how to use computers safely, how to avoid phishing scams, how to protect yourself from hackers, which files are safe to print out at work, and more.

Many courses are now online or can be downloaded as apps. With an electronic format you can study anywhere that is convenient for you, no matter where you are or how busy you are.

HIPAA training courses must cover policies and procedures related to the HIPAA Security Rule, including (but not limited to) administrative, technical, and physical safeguards to restrict access, detect threats or hazards, and protect against vulnerabilities. It must also include measures an organization will take if gaps are identified.

Is HIPAA certification required?

HIPAA certification is not legally required, but several different types of organizations mandate it as a condition of employment. Among the most well-known is the U.S. Department of Health and Human Services (DHHS), which sets HIPAA standards for all federal agencies that handle protected health information (PHI). 

While HIPAA certification isn’t required by law, failing to keep up with changes in regulations through continuing education can have serious consequences because neglecting compliance means neglecting patient security and privacy. 

In fact, if you are found to be non-compliant because of negligent training or education, your penalties may be greater than if HIPAA violations were the result of willful neglect.

What are some common compliance issues?

Some common HIPAA training violations are printing PHI without shredding it first, sending PHI through insecure email services, and losing mobile devices containing patient information. Since any single one of these errors could lead to a serious data breach that would affect hundreds or thousands of patients, all employees who handle PHI must understand how to avoid making them. 

Additionally, several other small things can cause HIPAA non-compliance problems mostly related to portable devices not being password-protected so anyone who accesses the device can see PHI.

Is there an HHS-Endorsed HIPAA Certification?

The Department of Health and Human Services does not endorse any particular HIPAA accreditation because HIPAA compliance is a never-ending process. A third-party organization's HIPAA compliance program may have been passed and procedures put in place to maintain compliance, but this does not ensure that the firm will continue to be HIPAA compliant in the future.

There are a variety of reasons why a company may not be HIPAA compliant in the future. It is possible that it will alter the technology it employs or how technologies are utilized. It's conceivable that business goals, operational processes, or personnel management rules will change. 

Regardless of whether or not HIPAA regulations are updated in the future, any one of these changes might invalidate a HIPAA certification. As a result, HIPAA qualification should be viewed as an initial objective and then kept up to date.

Do I need to be HIPAA certified before working at an office?

The better question would be if it is required by your State Law. Every state has its own unique laws governing the use of PHI - California for instance requires all employees (and subcontractors) to complete HIPAA training, but only before his or her first patient encounter. The federal HIPAA rules do not place any limits on who can access PHI; however, some states require healthcare entities to limit access based on job functions and duties. For example, under California law (the California Confidentiality of Medical Information Act), pharmacy technicians are allowed limited access to medical information, while pharmacists may need full privileges—if seen as essential to their jobs.

What are the requirements of HIPAA training?

There are no federal regulations that outline specific HIPAA training requirements for personnel. The Centers for Medicare & Medicaid Services (CMS) requires patients to be notified about what will happen with their PHI if an organization participates in its programs.

This is currently done through a general notice of privacy practices, which must comply with the standards set by the HIPAA Privacy Rule. The HHS Office for Civil Rights maintains a list of Covered Entities and Business Associates who must provide information about their privacy policies. Organizations not on this list are encouraged, but not required, to provide a similar notification.  

What is the difference between HIPAA certification and HIPAA compliance?

HIPAA certification certifies that you have successfully completed all applicable HIPAA training requirements, whereas HIPAA compliance addresses specific activities; for example, establishing security safeguards to protect PHI; developing business associate contracts with any outside organizations handling patient health information (PHI); and implementing policies and procedures to comply with federal privacy regulations.

What is the HIPAA training timeline?

If you are unable to take HIPAA compliance courses on your own schedule, some online providers offer live classes with flexible scheduling. Organizations can also hold mandatory in-person classes for employees if they wish to make attendance more urgent.

What are the HIPAA certification requirements for covered entities?

Third-party compliance experts will review seven areas of HIPAA compliance to determine whether a business is HIPAA compliant:

  • In-depth knowledge of the HIPAA Security Rule's administrative, technical, and physical safeguards. This includes (but is not limited to) an asset and device audit, an information technology risk assessment questionnaire, a physical site survey, a security standards inspection, a privacy standards examination, and a HITECH Subtitle D privacy check.
  • Measures to take if gaps are identified in the audits mentioned above
  • Documenting a “good faith” effort to comply with HIPAA regulations and establish policies and procedures to address regulatory compliance.
  • An employee education program that covers the above policies and procedures
  • To guarantee that the HIPAA documentation is kept and accessible, an audit of records is conducted.
  • Business Associate Agreement management and examination procedures
  • Incident management procedures in the event of a data breach or a HIPAA-reported violation.
That said, it's safe to assume that the HIPAA certification requirements cannot be completed overnight due to the procedures involved in auditing for HIPAA compliance.

It's also hard to say how long it will take to get certified without knowing what gaps may be found during the audit and what kind of repair plans will need to be implemented in order to address them.

How much does HIPAA training cost?

HIPAA training costs vary depending on location, class type (online or in-person), and whether you choose self-paced learning or live sessions that include instructor facilitation.

With that said, most HIPAA training courses are affordable for most organizations. For instance, our EasyLLama HIPAA training course only costs $12.95/training. And the best part? No contract required, no long-term commitment, and no setup fees

The course covers:

  • Covered Entity
  • Hybrid Entity
  • Business Associate
  • Protected Health Information
  • Breach Notification Rule
  • How to avoid HIPAA breaches
  • Privacy Rule
  • Rights of Individual
  • Limits for Marketing and Fundraising
  • Business Associate Agreement
  • Best practices
  • Penalties for violation

Who needs HIPAA Compliance Training?

Anyone who handles PHI at any point--that includes employees (part-time or temporary), contractors (working for third party businesses), interns working within healthcare organizations--should take HIPAA compliance training courses. Employees that work in positions where they regularly handle PHI should have ongoing awareness training so they can refresh on new topics.

What does it take to be HIPAA compliant?

HIPAA certification is an important step towards ensuring that you are HIPAA compliant, but there are other important pieces of the puzzle to consider.

For an organization to be HIPAA compliant, it must: 

  • Establish a risk analysis and management plan
  • Develop policies and procedures related to various requirements
  • Identify employees with access to PHI
  • Create contracts with any business associates which handle PHI
  • Maintain physical and network security including user access and passwords 
  • Provide HIPAA training to all employees who handle patient information

What does it mean to be HIPAA compliant?

For any organization, becoming HIPAA compliant means taking steps towards protecting patient privacy. These steps may vary depending on the types of PHI your employees use and where they access it, but in general, there are three main categories that all healthcare companies should follow: 

  • Policies and Procedures - All organizations who handle PHI should have policies in place for how employees should do their jobs while keeping data safe. This includes creating rules around paper and digital storage, access restrictions, training requirements, etc. This also includes business associate agreements with any Third Party Providers that work with PHI.
  • Physical and Network Security - Third-party providers have a responsibility to ensure the security of all patient information including regular network monitoring and restricting access to certain data depending on job role. Due to these measures being so essential for HIPAA compliance, many businesses use third-party solutions such as cloud services or other IT platforms which can provide these features within their contract.
  • Training - Employees at every organization who have access to PHI should undergo periodic HIPAA training from their companies regarding best practices for protecting patient privacy.

What are the HIPAA rules and regulations covered in training courses?

Most HIPAA training courses cover the three HIPAA rules and regulations, which include:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule
Here's a brief summary of each rule:

HIPAA Privacy Rules

The HIPAA privacy rules protect the privacy of patients and give them the rights to understand how their health information is used. They define how PHI must be handled and make sure the individual's privacy is protected with respect to this medical data. Organizations that handle PHI need to know about these rules and ensure they are compliant.   

HIPAA Security Rule

The HIPAA security rule requires healthcare organizations and business associates of covered entities (organizations that handle PHI) to put into place administrative, physical, and technical safeguards that appropriately protect the privacy of all patient records. These safeguards must provide a "sufficient" level of protection for any electronic PHI as well as "reasonable" protection for paper records. Again, those organizations that handle PHI need to know about these rules and ensure they are compliant.

HIPAA Breach Notification Rule

The HIPAA breach notification rule establishes requirements for how organizations must handle data breaches that occur involving unsecured PHI. If unencrypted patient data is breached, a report needs to be made within 60 days of the discovery of the breach. The time frame for reporting depends on the size of the breach, with smaller breaches needing to be reported more quickly. Organizations that handle PHI need to know about these rules and ensure they are compliant.