Confusingly, although training employees in HIPAA compliance is mandatory, the requirements the legislation lays out for that training are vague. This is partly because HIPAA covers a broad range of covered entities (CEs) and their business associates (BAs), so a single prescriptive curriculum would not fit them all.
Training, in some form, is required under the Administrative Requirements of the HIPAA Privacy Rule and under an Administrative Safeguard of the HIPAA Security Rule. Neither provides very comprehensive guidelines: the Privacy Rule says training should be provided “as necessary and appropriate for members of the workforce to carry out their functions”, and the Security Rule says CEs and BAs should “implement a security awareness and training program for all members of the workforce”.
Despite this lack of clear rules, should a breach of Protected Health Information (PHI) occur and it is found that staff were not adequately trained, the CE or BA may be fined by the Office for Civil Rights (OCR). The OCR sits within the Department of Health and Human Services.
To prevent such a breach, it is essential that both CEs and BAs conduct regular risk assessments. A risk assessment identifies where PHI is created, stored, accessed and transmitted, and therefore which workforce members handle it and in what capacity. This establishes each employee’s role regarding PHI and helps ensure that each employee receives training appropriate to that role.
CEs should tailor security awareness and training programs to the role of each employee, manager, associate or other workforce member who will come into contact with PHI. For complex roles, several training sessions may be required.
Providing training can be costly and time-consuming, which is often off-putting. It is, however, necessary. We recommend offering training in shorter, more frequent sessions rather than one long session. This way, employees are more likely to stay focussed and retain critical information.
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.
Do try to keep training sessions short. Employees are more likely to retain the information, which in turn helps prevent breaches. Remember: ignorance is not considered an excuse for a PHI breach.
Do provide regular training sessions. Each can focus on a different aspect of training, update staff on new developments or even just remind employees of the most important aspects of the regulation.
Do inform employees of the consequences of a PHI breach. These can include fines and legal action against the CE, and a loss of privacy for the patients affected. Such information helps highlight why HIPAA compliance matters.
Do include all levels of management in training. Everybody needs a refresher from time to time, and a lack of training provided to higher levels reflects poorly on the CE in an audit.
Don’t forget to keep clear records of when training occurred, who attended and what material was covered. HIPAA requires this kind of documentation to be retained for six years, and if the OCR carries out an investigation or an audit, these records will be critical evidence that the training requirement was met.
Don’t just read passages from HIPAA aloud. Explain the legal jargon and summarise the important points. Aim for participants not only to know what the legislation requires but also to understand how to apply it in their day-to-day roles.
Don’t go into the history of HIPAA. It is not essential information, and opening with it is likely to cause participants to lose focus before the important material has even begun.
The phrasing of the HIPAA legislation leaves it to covered entities and their business associates to decide how best to train their employees. Ultimately, as long as the training is sufficient for employees to understand how to prevent PHI breaches in their own roles, it should be adequate.