HIPAA TRAINING
Strangely, while training employees on HIPAA requirements is absolutely necessary, the requirements laid out in the legislation regarding training are limited. This is in part because HIPAA covers a broad range of covered entities (CEs) and their business associates (BAs). The training requirements for a healthcare clearinghouse will naturally be different to those of a healthcare provider, so it is left to the discretion of each covered entity to determine what is reasonable and appropriate. The main reason specific information on the required content of training courses is not provided is that it makes the HIPAA legislation timeless. When there are changes to training best practices, the HIPAA text does not need to be updated.
Training is required under the administrative requirements of the HIPAA Privacy Rule and also under the administrative safeguards of the HIPAA Security Rule. Neither provides very comprehensive information on what is required in terms of training. They state that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule). There is also the requirement to provide additional training to staff members when “functions are affected by a material change in policies or procedures.”
Regrettably, this lack of certainty regarding HIPAA training does lend itself to confusion. Despite the lack of clear rules, should a breach of Protected Health Information (PHI) occur and it is found that staff weren’t adequately trained, the CE and BAs may be issued with a fine by the Office for Civil Rights (OCR). To prevent such a breach from happening, it is essential that CEs and BAs conduct regular risk analyses. These will help to establish the role each employee has with respect to PHI.
From the risk analysis, CEs and BAs can determine what training is appropriate for each employee’s role. The purpose of HIPAA training is to make each employee aware of the requirements of HIPAA so that they can perform their job in a HIPAA-compliant manner. Visit us at www.hipaaguide.net.