HIPAA training for healthcare administrators can vary considerably depending on the nature of their roles and the nature of their employer´s operations. Nonetheless, it is essential all healthcare administrators have a basic understanding of HIPAA even if the safeguards required by the Privacy and Security Rules do not apply.
Contrary to popular belief, not all healthcare administrators are veterans of the healthcare industry with many years´ experience of HIPAA compliance. An increasing number are recruited from outside the industry due to the growing influence of IT in healthcare and the subsequent need for personnel who understand the implications of new technologies for everything from legal issues to operational issues.
It is also the case that not all healthcare administrators work for healthcare organizations. It is common to see healthcare administrators employed at insurance companies, health IT startups, consulting firms, and public health agencies – not all of whom are Covered Entities, and some not even qualify as Business Associates.
In circumstances in which an organization is neither a Covered Entity nor a Business Associate, HIPAA does not apply. Nonetheless, it is still important healthcare administrators have a basic knowledge of the Privacy and Security Rules in order to perform their roles with an understanding of how the decisions they make may affect those for whom HIPAA does apply.
This depends on the HIPAA status of the healthcare administrator´s employer. When healthcare administrators are employees of Covered Entities, their employers are responsible for providing HIPAA training on policies and procedures relating to PHI. As healthcare administrators may be responsible for managing facility staff, the patient care experience, and recordkeeping, the volume of policy and procedure training for new healthcare administrators will likely be substantial.
In addition, Covered Entities and Business Associates are also required to implement a security and awareness program to train all members of the workforce on the physical, technical, and administrative safeguards implemented to mitigate threats to the confidentiality, integrity, and availability of electronic PHI (ePHI). Again, when healthcare administrators are responsible for developing, implementing, and enforcing staff policies, this could involve a lot of training.
However, when healthcare administrators work for Business Associates that are not required to provide policy and procedure training – or for organizations that are neither Covered Entities nor Business Associates – the responsibility for providing HIPAA Privacy Rule training is unclear. Depending on their roles, it may even be the responsibility of healthcare administrators themselves to ensure an up-to-date knowledge of HIPAA – such as new exceptions to the disclosure rules.
Covered Entities are not required by HIPAA to provide refresher training on the Privacy Rule. Once a member of the workforce has received their initial “policy and procedure” training, the only times further Privacy Rule training is required is when a material change to the Covered Entity´s policies and procedures affects a healthcare administrator´s functions, when a risk assessment identifies the need for further training, or when it is required under an OCR corrective action plan.
However, it is recommended by compliancy experts that refresher Privacy Rule training is provided annually, and that security and awareness training is an ongoing program. This can make it difficult for a healthcare administrator – especially one employed by a non-Covered Entity – to keep their HIPAA knowledge up-to-date. One solution is HIPAA training packages available from compliance organizations. These are regularly updated to reflect changes to the Privacy and Security Rules and can be subscribed to by a healthcare administrator or their employer.
Off-the-shelf HIPAA training packages do not absolve Covered Entities from providing “policy and procedure” training. However, they are suitable for basic HIPAA training if a healthcare administrator is recruited from outside the industry, if a Business Associate employs a healthcare administrator with no previous HIPAA knowledge, and for organizations – such as public health agencies – that are not subject to the HIPAA regulations, but to whom PHI may be disclosed without patient consent to prevent or control a disease or other public health hazard.
With regards to HIPAA Privacy Rule training, Covered Entities are required to designate a Privacy Officer who is responsible for providing training. In smaller healthcare facilities, it may be the case a healthcare administrator is assigned the role, but not always. With regards to security awareness training, the role of Security Officer is most usually assigned to a senior member of the IT team.
Although the employee will have a knowledge of HIPAA from a previous role, the Covered Entity will still have to provide policy and procedure training and the employee will still have to participate in the security and awareness training program. In addition, it may be valuable for the employee to undergo HIPAA refresher training depending on how long it is since they last worked in the industry.
The Privacy Rule states training must be provided “as necessary and appropriate for members of the workforce to carry out their functions”. Therefore, if a healthcare administrator has no interaction with the public, some subjects can be bypassed unless the administrator´s role includes managing staff who do interact with the public – in which case these subjects must be included.
In many healthcare facilities, medical professionals are under enormous pressure to “get the job done” as efficiently as possible; and in some circumstances this may lead to shortcuts being taken with compliance. If shortcuts are allowed to develop into a cultural norm, the risk of HIPAA violations and data breaches increases. Once it is identified that shortcuts are being taken, Covered Entities need to provide refresher training to reinforce the importance of HIPAA compliance.
The Office for Civil Rights investigates more than twenty thousand complaints each year – most of which relate to unauthorized disclosures of PHI, the failure to comply with the Minimum Necessary Standard, and patients´ rights of access. When complaints are upheld, the most common course of action is a corrective action plan to prevent a repeat of the complaints, and when the complaints are attributable to a lack of knowledge, the most common remedy is further training.