Although Title II of the Health Insurance Portability and Accountability Act (HIPAA) stipulates HIPAA training is mandatory “for all members of the workforce”, the text of the Act provides few details about specific training requirements.
The Act is limited with regard to specific HIPAA training requirements because HIPAA applies to many different types of Covered Entities. Each Covered Entity is required under 45 CFR § 164.530 to implement policies and procedures “taking into account the size and the type of activities that relate to protected health information undertaken by a Covered Entity”. The clause also requires Covered Entities to train all members of their workforce on the policies and procedures.
Consequently, a healthcare insurer will have different policies and procedures than a healthcare provider, and the training provided to an employee of a healthcare insurer would be different than the training provided to an employee of a healthcare provider. It may also be the case that the nature of the training varies according to the function of the employee. This is because training must be tailored “for the members of the workforce to carry out their functions within the Covered Entity”.