HIPAA TRAINING REQUIREMENTS

HIPAA requires that both covered entities and business associates provide HIPAA training to members of their workforce who handle PHI.  This means that even small physician’s offices need to train their personnel on HIPAA.  Doctors need to be trained.  Nurses need to be trained.  Business associates — and any of their subcontractors — must have training.  Basically, anyone who comes into contact with protected health information (PHI) must be trained.

HIPAA doesn’t specify any particular length for the training.  Obviously, training for just a few minutes wouldn’t be sufficient, but training does not have to go on for hours.

A common mistake I see in training programs is that they are often too long and bombard people with a lot of information they don’t need.  The human attention span is very short.  I have not seen any data to support that very long training programs — ones that go on for 2+ hours — will achieve better comprehension of the material.  In fact, this often backfires and results in people coming away remembering less.
I recommend that training be anywhere from 20 to 40 minutes for privacy and 20 to 40 minutes for security.   What matters more than time is the content of the training and how effectively and memorably the information is taught.
The HIPAA Privacy Rule says that training must be “as necessary and appropriate for the members of the workforce to carry out their functions.” HIPAA thus doesn’t require that everyone be trained in the same way.  The Privacy Rule doesn’t provide much further guidance on the specific topics that should be covered in the training.
Many employees may have functions with only a limited involvement with patients or PHI.   If an employee is not involved in providing notice to patients or in providing patients with access to their records, they don’t need training on these topics.
At business associates, employees will rarely be involved with administering patient rights (which is typically done by covered entities).  Their training need not go into topics that aren’t relevant for their job functions.

The most common and important HIPAA privacy topics to train about include identifying PHI, the minimum necessary rule, the rules about when and how PHI may be disclosed, the importance of confidentiality, avoiding snooping (even when one has access to PHI), and the need to keep an accounting of disclosures.  Patient rights and authorization are important topics for many employees at covered entities.  Basic information about business associate obligations is important for employees at BAs.  And training should also discuss the consequences of failing to follow the HIPAA Privacy Rule — how people can be victimized by medical identity theft, how people can lose trust, how organizations can be penalized by HHS and other regulators for violations, and how employees can be penalized too — by their organizations, by civil and criminal penalties under HIPAA, and by state law.
