HIPAA and OSHA Training Requirements

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 to prevent the inappropriate use and disclosure of individual health information. According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Rule requires the protection and privacy of personal health information and sets limits and conditions on its use and disclosure without patient authorization. The Rule also gives patients rights over their health information, including the rights to obtain a copy of their health records and to request corrections. All health plans and health care providers must comply with HIPAA law and regulation.

The Occupational Safety and Health Administration (OSHA) was signed into law in December 1970 and was established to assure safe and healthful working conditions for workers by setting and enforcing standards and by providing training, outreach, education, and assistance.

Both HIPAA and OSHA have mandatory training requirements that can often be a source of confusion for many practices. The following are some important things to consider:

  • Annual Requirements: OSHA and HIPAA both have training requirements for medical practices. OSHA requires all employees to be trained annually. While HIPAA does not require annual training, most practices do conduct HIPAA training every year, and it is considered to be a best practice.
  • Employee Training: According to OSHA, all employees should be trained. HIPAA specifies that training is mandatory for anyone who comes into contact with patient health information, including doctors, nurses, administrative staff, and part-time employees.
  • Length of Training: There is not a mandatory length or time for training. What is most important is the content of the training and ensuring that the information is being taught effectively. Employers should visit OSHA's website (https://www.osha.gov/) and HIPAA (https://www.hhs.gov/) for more specific training requirements.
  • Documentation: All training should be documented. HIPAA requires training to be documented but does not specify how training must be documented. OSHA also requires that training be documented and requires the following:
    • Dates of training
    • Information covered in the training
    • Names and qualifications of trainers
    • Names and titles of attendees
  • Penalties: OSHA penalties can vary from $0-$70,000, depending on how serious the violation is. HIPAA issues penalties of as much as $1.5 million based on the violation.

While HIPAA and OSHA training can be time-consuming and can often take employees away from their daily work routines, it is one of the best defenses against complaints, failed audits, citations, medical identity theft, and fraud. Training is also crucial to ensuring safe working conditions and protecting patients’ personal health information.