There are some commonly asked questions regarding HIPAA training requirements.
To answer these questions, we begin by reviewing the official text of both the HIPAA Privacy and the Security Rules to understand what is required by law. Interestingly, they are worded differently on this subject:
HIPAA Privacy Rule
Keep in mind that when the Security Rule says "Addressable" it means that the item must be addressed. It is NOT optional. It should be carefully evaluated to see how the requirements fit into your organization and then your organization's policy regarding that requirement must be documented in your HIPAA Compliance Manual. For example, item a.5.ii.A "Security reminders" states "periodic security updates." Your documentation should state how often security reminders/updates are performed.
A: EVERYONE! Anyone who comes into contact with protected health information (PHI) needs to be trained - this includes healthcare providers, ancillary staff, administrators, and business associates - literally EVERYONE!
A: The Privacy Rule states; "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information...as necessary and appropriate for the members of the workforce to carry out their functions.” Your workforce needs to know how to protect the PHI that they come into contact with during their workday. They need to understand what health information is protected, how to protect it and what to do when there are possible violations of privacy.
The Security Rule says that training needs to cover security awareness, which includes security reminders; procedures for guarding against, detecting and reporting malicious software; procedures for monitoring log in attempts and discrepancies; and password management. These are the bare minimum topics that must be covered.
Recent OIG settlement reports of HIPAA violations and breaches, clearly indicate that HIPAA Privacy and Security requirements are still not clearly understood or followed. It is essential that employees understand all applicable HIPAA policy and procedures established by your organization (preferably not in one sitting) so that there are no misunderstandings and your organization knows what they need to do to ensure compliance.
The following are some important topics which should be included as part of ongoing HIPAA training:
A: Again, the Security and Privacy Rules are different. In plain English, the Privacy Rule requirements are:
As for the Security Rule, it states that training needs to be "periodic," but doesn't provide any further guidance on WHAT that means. It is left up to the organization to make that determination.
We recommend that ongoing HIPAA training take place, preferably every 6 months (annually at the minimum); because let's face it, we are human and we tend to forget. We all need to be reminded of why HIPAA is important. Additionally, if the Department of Human Services (HHS) releases new guidelines or if HIPAA rules are updated, revised, or released; additional training must take place within the time frame outlined by HHS even if you just finished HIPAA training. Ongoing training should NOT be a re-hashing of the same information in the last training session. Mix it up, show some videos, do some role-play scenarios, use some examples from your organization to make it meaningful and memorable.
A. The HIPAA Rule doesn’t specify any time requirements. Use good judgment and keep in mind that too short (10-15 minutes) is just as bad as too long (over an hour). It's actually better to break it up into short segments (less than an hour) because people will remember it better. For example, take some of the HIPAA components and have a 30 minute training on just those components. At another date, cover additional topics for another 30-45 minute session. These are just some examples to consider when planning your organization's ongoing HIPAA training.
A: HIPAA Rules don't specify what needs to be documented, only that it needs to be documented. Based on HIPAA audits, your HIPAA training documentation should be an easily accessible log which includes the following:
Complete and Easy HIPAA Compliance includes a HIPAA Policies and Procedures template, an Employee Training Log and numerous other forms to help your organization achieve and maintain HIPAA compliance.
Complete & Easy HIPAA Compliance
A simple and practical guide to implementing HIPAA, HITECH, and Omnibus Final Rule components. Includes the forms and policies and information you need to meet compliance requirements. Plus over 50 customizable forms!
This article is available for publishing on websites, blogs, and newsletters. The article must be published in its entirety - all links must be active. If you would like to publish this article, please contact us and let us know where you will be publishing it. The easiest way to get the text of the article is to highlight and copy. Or use your browser's "View Source" option to capture the HTML formatted code.
If you would like a specific article written on a medical coding and billing topic, please Contact Us.
Find A Code, LLC
62 East 300 North
Spanish Fork, UT 84660
Phone: 801-770-4203 (9-5 Mountain)