HIPAA regulations are often difficult for small practices to understand. The rules are written to say that Covered Entities and Business Associates must do what is reasonable and appropriate to protect the Confidentiality, Integrity, and Availability of Protected Health Information (PHI). This ambiguity can cause issues because what is reasonable to one person may not be to another. It is also tempered by the budget a small practice actually has available for compliance. One area where this is especially obvious is HIPAA training.
The HIPAA Security Rule specifies that Covered Entities and Business Associates should “implement a security awareness and training program for all members of the workforce”. Beyond that, no specific guidelines are provided. However, the Department of Health and Human Services (HHS) has recently started to use a system called the Compliance Effort Ratings to gauge how much a CE or BA is actually complying with HIPAA. This applies to training as well.
What are the Compliance Effort Ratings?
The Compliance Effort Ratings are used to grade the audits that HHS performs on CEs and BAs. To date, they provide the best definitions we have of what HHS is looking for in a compliance program. They are scored from 1 to 5, with the best score being a 1.
This applies to everything in an entity's compliance program, but for our purposes we will focus on training. Notice that in the 4 rating, you will see that training is described as poorly documented and generic. This gives us an indication of the type of training HHS expects, and of what should be included in HIPAA training. HHS does not want canned training anymore. Training should be tailored to the entity itself, based on its needs and its Risk Assessment.
Different entities face different threats to their data, and this will require different training. For example, while we all have to be concerned with phishing emails and employees looking at records they shouldn’t, not everyone has to face a hurricane. Some entities may not allow any mobile devices in their facility and won’t need training that addresses them as much as locations where mobile devices are in heavy use. That is why training can no longer be generic.
What is HIPAA training?
Training is a requirement under both the HIPAA Privacy Rule, as an Administrative Requirement, and the HIPAA Security Rule, as an Administrative Safeguard. These rules state that staff should be trained to protect the privacy of patient data, but beyond that they don’t provide much guidance. Other than the mention of implementing a security awareness program, it isn’t very clear. This is why we refer back to the Compliance Effort Ratings. Are we doing enough to protect patient privacy under the law? Does our current program teach staff what they can and cannot do? Do we help staff understand the emerging threats to HIPAA data, such as phishing emails or ransomware?
By looking at training in that way, we can better formulate our own HIPAA training policy.
In addition, you can refer back to your Risk Assessment to see who has access to PHI and what their roles are. That is a good guide to what type of training each person will need.
Who needs HIPAA training at your location?
Under HIPAA regulations, you are required to train your entire workforce on how to protect the confidentiality, integrity, and availability of your data. This will include the following:
- Physicians and other providers
- Front desk staff
- Back office billing staff
- In-house accounting staff
- In-house IT staff or support personnel
- Cleaning staff
- Owners and family members who work at the entity
Anyone who works in your office needs to receive training. Not only that, you need to document that training in their employee file and also in your own HIPAA documentation.
What should be in a HIPAA training program?
The main thing to consider is that it shouldn’t be a canned approach to training. While a common base of training is good for a solid foundation, it shouldn’t be the only thing your training program is composed of. You should also consider that everyone learns in different ways. If you approach training in the same way for everyone, it may not reach some of your people. This may require you to create different training pieces so that you can better reach each type of employee. Some may not learn well from watching online videos, and others may not like to read the documentation. The goal is to help them all learn how to protect your patients’ privacy.
Here are some suggested items to include in your own HIPAA training:
- Why HIPAA was created and what it is for
- The terms used under HIPAA such as Protected Health Information
- How a patient’s privacy must be protected
- What happens if a breach occurs?
- Unintentional violations like pictures with PHI in the background
- Leaving messages
- Sharing PHI with family members – when it is acceptable
- Basic computer security
- Mobile device security
- Paper record security
- Faxing PHI – ensuring the correct entity receives it
Other HIPAA training considerations
Training should be made realistic to address each person’s work. Each job role will have different needs that should be addressed. Physicians don’t have the same needs as your billers or interns. There are many items that apply equally to everyone, but each role does have its own specific issues.
Another issue small practices run into is scheduling the training. With the hectic pace of a small office, it’s easy for training to fall through the cracks. Make sure you schedule a time to perform your office’s training and then carry it out. After that, document it in your HIPAA documentation.
Training should be kept brief enough to cover the topic without becoming long and detailed. Most people won’t find this topic interesting, and long training sessions will be boring, which will cause them not to retain the information.
Make sure your employees are also aware of the consequences of a breach. These should include the consequences under the law for the practice, but also those for the employee. This would include disciplinary actions within the practice, which should be documented in the policies and procedures. These should be reviewed when a person is hired so they are aware of them from the beginning.
All training should be documented. Individual training sessions should be placed in employee files and also in your main HIPAA documentation.
Following these guidelines should allow you to develop a HIPAA training program for your organization that meets the standards HHS wants entities to meet.