HIPAA Compliance
Is Certification a Surrogate for HIPAA Privacy and Security Training?

September 14, 2009 | Privacy, Security

Several visitors to HIPAA.com have asked if ‘certification’ can substitute for compliance with the HIPAA Privacy and Security training standards and the new Privacy requirements under the HITECH Act. Generally, certification is a snapshot at a moment in time. Merriam-Webster’s Collegiate Dictionary (11th ed.) defines certification as the act or state of “attest[ing] as being true or as represented or as meeting a standard.” Certification generally is performed by an external source. Training, by contrast, is an ongoing internal process for safeguarding protected health information from unauthorized use or disclosure as business policies and procedures evolve and as regulatory standards are initiated or modified.

Further, training requires that workforce members, including management, demonstrate awareness and understanding on an ongoing basis, and that covered entities and business associates document that their workforce members have been trained. As examples, the first implementation specification of the Security Rule ‘Security Awareness and Training’ standard is “Security reminders (addressable). Periodic security updates.” [45 CFR (a)(5)(ii)(A)] [emphasis added] One part of the implementation specification for the Privacy Rule ‘Training’ standard states that a “covered entity must provide training … [t]o each member of covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective…” [45 CFR 164.530(b)(2)(c)] [emphasis added].

Another requires that a new workforce member receive training “within a reasonable period of time after the person joins the covered entity’s workforce.” These training requirements are dynamic, as indicated by the italicized words and phrases and by the obligation to train new workforce members as they join. Although the comment in the preamble of the January 16, 2009, Final Rule pertaining to HIPAA Electronic Transaction Standards refers to ‘administrative transactions’, it may be instructive in the context of training as well: “HHS does not recognize certification of any systems or software for purposes of HIPAA compliance.” [74 Federal Register 3310] The burden on a covered entity or business associate is to conduct and periodically review its risk assessment, implement policies and procedures to safeguard protected health information, conduct ‘awareness’ training for all workforce members based on those policies and procedures, update that training whenever policies and procedures change or HIPAA privacy and security regulations are initiated or modified, and document those activities in writing. Certification is not a requirement in that process.

Tags: 45 CFR, 45 CFR Part 164, certification, compliance, Training