Who Needs to be HIPAA Trained?
Overview
- Employees
- Contractors, Volunteers, etc.
  - Treated as an Employee
  - Treated as a Business Associate
- Business Associates
Employees
All Employees should take both HIPAA and Security Awareness Training.
To quote HIPAA's Privacy Rule — 45 CFR §164.530(b)(1):
"A Covered Entity must train all members of its workforce on the Policies and Procedures with respect to Protected Health Information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity."
And HIPAA's Security Rule — 45 CFR §164.308(a)(5)(i):
"Implement a Security Awareness and training program for all members of its workforce (including management)."
We suggest that all Employees take both our HIPAA Training and Security Awareness Training Courses. This is because, although some of your Employees may not directly interact with PHI/ePHI, they could witness an incident. They should be just as prepared as those who do directly interact with PHI/ePHI to identify an incident and know how to respond to/report it.
Contractors, Volunteers, etc.
If the 3rd Party that you work with is an individual, you can decide whether to treat them as an employee (suggested), or as a Business Associate.
Treated as an Employee
If the 3rd Party is an Individual, we suggest treating them as an Employee.
If you decide to treat them as an Employee, you'll onboard them just like you onboard your Employees: assign them the Required Trainings, Policy Attestation, and Attestation to understanding how to Report an Incident.
Treated as a Business Associate
If you decide to treat them as a Business Associate, you'll onboard them just like you onboard your Business Associates – set them up as a Business Associate in our platform and send them a BAA.
In this case, you'll expect that they will manage their own HIPAA and Security Awareness Training, Required Policy & Procedure development, and Incident Response plan. If they are not an Individual, you will also expect that they are managing this for all of their own Employees and 3rd Parties/Business Associates.
Business Associates
Although your organization does not need to manage HIPAA Compliance for your Business Associates, you do need to send them a BAA, in which they will agree to follow all HIPAA requirements, just as you are. This means you should expect that all of your BAs will require all of their Team Members, Contractors, BAs, etc. to complete HIPAA and Security Awareness Trainings, Attest to HIPAA Required Policies & Procedures, Attest to understanding how to Report an Incident, and send BAAs to their own BAs.
If you are unsure or skeptical that your BAs are meeting HIPAA Compliance Standards, as they agreed to in your signed BAA with them, you can send them a Risk Questionnaire.