Question: What are the HIPAA training requirements for employers?

Short Answer: Employers with a self-insured health plan need to train employees within a reasonable period of time upon entering a position within the HIPAA firewall and upon a material change to the plans HIPAA policies and procedures.

HIPAA imposes the only mandatory employee benefits training requirements. However, there are a number of restrictive qualifications that significantly limit which employers are subject to the training requirements and which employees must undergo training.

See our Newfront Office Hours Webinar: HIPAA Training for Employers.

Limitation #1: Training Requirement Applies Only to Employers With Self-Insured Health Plan

All employer-sponsored group health plans including fully insured plans are HIPAA covered entities. However, generally only self-insured group health plans are subject to the HIPAA training requirements.

For fully insured plans, although the group health plan is still a covered entity, the insurance carrier is also acting as a covered entity. Because there are dual covered entities involved, the HIPAA privacy/security rules largely exempt the employer from HIPAAs documentation and training compliance requirements that would otherwise apply.

For example, an employer with only fully insured plans would not need to have HIPAA policies and procedures documents, provide employees with a notice of privacy practices, engage in business associate agreements, or undergo HIPAA training. The insurance carrier (again, also a covered entity) is responsible for those requirements.

Most employers with fully insured plans meet this exception because they generally receive only summary health information for limited purposes and enrollment/disenrollment information. In other words, in most cases only the carrier will have direct access to claims information without an employees authorization. Furthermore, enrollment/disenrollment information held by the employer are generally considered employment records maintained by the employer (which is not subject to HIPAA) rather than plan information maintained by the covered entity.

Limitation #2: Training Requirement Applies Only to Employees Within the HIPAA Firewall

Employers with a self-insured health plan need to maintain a HIPAA firewall that ensures only those employees with a plan-related need access to PHI for plan administrative functions are permitted access to the plans PHI. This ensures the privacy of the information and that the information is not used for employment-related purposes, which HIPAA strictly prohibits.

Plan administration functions include payment and health care operations activities performed by employees of the employer. Protected Health Information (PHI) generally includes any individually identifiable health information maintained or transmitted by a HIPAA covered entity. In this case, the covered entity is the employer-sponsored group health plan.

Keep in mind that employee enrollment and disenrollment information (that does not include any substantial clinical information) maintained by the employer is not PHI protected by HIPAA. That information is considered an employment record rather than PHI held by the plan. This major exclusion from the definition of PHI dramatically limits the scope of employees who need to undergo training.

Employees within the HIPAA firewall (i.e., whose job duties include some plan administrative functions with access to PHI) typically include only certain benefits and HR professionals within the organization. It generally does not include finance, accounting, payroll, C-suite, or other corporate leadership positions.

Limitation #3: Training Requirement Applies Only Upon Joining the Workforce Within the HIPAA Firewall (and Upon a Material Change Thereafter)

The HIPAA rules provide that HIPAA training is required for an employee within a reasonable period of time upon joining the covered entitys workforce, which includes a new hire within the HIPAA firewall or an existing employee moved to a position within the firewall.

Training is also required within a reasonable period of time upon a material change to the plans HIPAA policies and procedures, which is likely to rarely occur for employers outside of major changes to the law prompting required revisions.

Although there is no requirement to undergo additional training outside of those timeframes, we recommend that employees within the HIPAA firewall undergo HIPAA training at least once every two years to refresh their understanding on a continuing basis.

Keep in mind that HIPAA also requires employers to document that employees have completed the required HIPAA training.

Where Can I Find a HIPAA Training Course?

See our Newfront Office Hours Webinar: HIPAA Training for Employers.

For more details on HIPAA Privacy and Security:

• Newfront Compliance Post: Disclosing PHI to Family Members Under HIPAA

• Newfront Compliance Post: The HIPAA Notice of Privacy Practices

• Newfront Compliance Post: HIIPAA Privacy and Private Workspaces

• Newfront Compliance Post: When is a HIPAA BAA Required

Regulations

45 CFR 164.530(b):

(b)

(1)Standard: Training.

A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2)Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

45 CFR 164.530(k):

(k)Standard: Group health plans.

(1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:

(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and

(ii) The group health plan does not create or receive protected health information, except for:

(A) Summary health information as defined in 164.504(a) ; or

(B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

(2) A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with 164.504(f) .

67 Fed. Reg. 53181, 53208 (Aug. 14, 2002):

https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf

While the standard enrollment and disenrollment transaction does not include any substantial clinical information, the information provided as part of the transaction may indicate whether or not tobacco use, substance abuse, or short, long-term, permanent, or total disability is relevant, when such information is available. However, the Department clarifies that, in disclosing or maintaining information about an individual’s enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan, the group health plan may not include medical information about the individual above and beyond that which is required or situationally required by the standard transaction and still qualify for the exceptions for enrollment and disenrollment information allowed under the Rule.

65 Fed. Reg. 82461, 82496 (Dec. 28, 2000):

https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf

The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of 164.504 regarding group health plans when conducting enrollment activities.

45 CFR 160.103:

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information:

(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

(iii) In employment records held by a covered entity in its role as employer; and

(iv) Regarding a person who has been deceased for more than 50 years.

67 Fed. Reg. 53181, 53208 (Aug. 14, 2002):

https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf

While the standard enrollment and disenrollment transaction does not include any substantial clinical information, the information provided as part of the transaction may indicate whether or not tobacco use, substance abuse, or short, long-term, permanent, or total disability is relevant, when such information is available. However, the Department clarifies that, in disclosing or maintaining information about an individual’s enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan, the group health plan may not include medical information about the individual above and beyond that which is required or situationally required by the standard transaction and still qualify for the exceptions for enrollment and disenrollment information allowed under the Rule.

65 Fed. Reg. 82461, 82496 (Dec. 28, 2000):

https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf

The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of 164.504 regarding group health plans when conducting enrollment activities.

65 Fed. Reg. 82461, 82646 (Dec. 28, 2000):

https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf

We agree with the commenters that firewalls are necessary to prevent unauthorized use and disclosure of protected health information. Among the conditions for group health plans to disclose information to plan sponsors, the plan sponsor must establish firewalls to prevent unauthorized uses and disclosures of information. The firewalls include: describing the employees or classes of employees with access to protected health information; restricting access to and use of the protected health information to the plan administration functions performed on behalf of the group health plan and described in plan documents; and providing an effective mechanism for resolving issues of noncompliance.

Newfront Office Hours Webinar: HIPAA Training for Employers

HIPPA Privacy Overview - When is Training Required?

HIPPA Privacy Full Insured Plans

HIPPA Security Overview - Firewall