Are you confused about HIPAA training for students and what aspects of the HIPAA Rules need to be covered? Here we cover some of the most important questions asked about student HIPAA training to help you develop or purchase appropriate training courses.

Is HIPAA Training for Students Necessary?

HIPAA training is required for all individuals who come into contact with protected health information in any of its forms – paper, films, electronic, or spoken. Healthcare students will come into contact with PHI during the course of their studies, so student HIPAA training is required.

Training should be appropriate to the student’s course and their likely interactions with PHI. The aim of training should be to allow students to complete their studies and work with patient data in a HIPAA-compliant way.

What Aspects of the HIPAA Rules Should be Covered in Student HIPAA Training?

HIPAA training needs to be geared to the roles and responsibilities of members of the workforce, and the same is true for HIPAA training courses for students. Students will not need to have a comprehensive understanding of all aspects of the HIPAA Rules, but must be provided with training on the elements of HIPAA that impact their studies and patient contacts.

A HIPAA training course for students should give a broad overview of HIPAA and convey the importance of the legislation and of compliance. Students should be made aware of the penalties that can be imposed for accidental and deliberate HIPAA violations. Training should provide more detailed information on allowable uses and disclosures of PHI, medical record access by students, when HIPAA authorizations are required, the minimum necessary rule, and patient rights.

The HIPAA Security Rule requires ePHI to be protected at all times, so training must cover securing PHI in all its forms. The Security Rule calls for security awareness training to be provided. This should cover threats to PHI, identifying phishing emails, reporting threats, and cybersecurity best practices, including setting passwords, the safe use of computers, and secure transmission and storage of PHI.

When Should Healthcare Students Receive HIPAA Training?

There is no deadline for providing HIPAA training for students, as HIPAA only calls for training to be provided “within a reasonable period of time after the person joins the covered entity’s workforce.” For students, the best practice is to provide training on HIPAA prior to students accessing protected health information – health information that has not been deidentified – or as soon as possible after the student starts working with PHI or patients.

Is a HIPAA Handout Sheet Sufficient?

HIPAA training for students can take many forms. A handout on the requirements of HIPAA which details the key points of the legislation can be a useful training tool, but it is difficult to tell whether the handout has been read and understood. Some educational institutions and teaching hospitals will cover HIPAA in a classroom training session, while others provide online HIPAA training courses that can be completed by students in their own time and can be easily tracked. The HIPAA text does not specify how much training should be provided or how long training sessions should be, but given the potential consequences of HIPAA violations, a HIPAA cheat sheet alone is unlikely to be sufficient.

Will the HHS Impose Fines if HIPAA Training is not Provided to Students?

The HHS’ Office for Civil Rights has not imposed any fine to date for the failure to provide HIPAA training for students, but enforcement actions that include penalties for training failures have been taken against covered entities. Cyberattacks and data breaches have increased sharply in recent years, and OCR enforcement activity has been stepped up. In the event of a compliance investigation, training failures are likely to be uncovered and OCR is well within its rights to impose financial penalties.