You know the saying ‘teamwork makes the dream work’? The same goes for HIPAA compliance within your practice, too. The easiest way to make sure everyone is on the same page is to implement a comprehensive HIPAA compliance training program. HIPAA training is key to securing your patients’ information and instilling a culture of compliance within your organization. Compliance is a group effort, and ensuring that all workforce members have a full understanding of their HIPAA responsibilities will limit the accidental exposure of protected health information (PHI) and avoid potential high dollar settlements for the practice.
58% of healthcare breaches involve practice employees, and these breaches are largely a result of employees improperly disclosing patient information, the mishandling of medical records, losing devices containing electronic protected health information (ePHI), or a general lack of training. This makes education a key aspect in preventing improper access or misuse of PHI. Unfortunately, the Office for Civil Rights (OCR) doesn’t provide any lesson plans or online training classes – leaving the burden of providing proper education completely on your practice. Here are a few key points to keep in mind when it comes to the “who, what, when, and how” of employee training.
Who needs to be trained?
All workforce members, part-time, contract, or full-time, that come into contact with protected health information must be properly trained. This includes providers as well. HIPAA law states that training must be done “as necessary and appropriate for the members of the workforce to carry out their functions.” Some staff members, like your practice’s HIPAA Compliance Officer, should be trained more frequently than the rest of the staff and the material should be specific to their HCO duties.
What needs to be included in the training?
HIPAA doesn’t specify any particular topics that should be covered or what timeframe they should be addressed in, but training should be designed around what a staff member needs to know in order to perform their job function. That might include new employee training that covers the basics and additional training that dive more deeply into the nuances of how HIPAA impacts the staff’s daily job roles. Common HIPAA training topics include:
- What HIPAA stands for, what it means for staff, and who it applies to
- Important HIPAA definitions such as PHI, ePHI, covered entities, and more
- Patient’s right of access
- The HIPAA Privacy Rule and Security Rule
- How to protect against cyberthreats and basics of protecting ePHI, such as changing passwords regularly and logging off of devices when not in use
- How to identify and report a potential breach of patient data
- And more!
When should employees be trained?
While HIPAA does not technically specify the timeframe of ongoing training, most agree that annual training is the appropriate timeframe to keep HIPAA top of mind for staff. In addition, any new employees must complete initial training on HIPAA within a reasonable time after being hired – this is recommended within the first 90 days of employment. HIPAA training should be a key part of the employee onboarding process to ensure compliance. It will also set the standard that HIPAA compliance is important to your practice.
How long must each training be?
There’s no specified length of training regulated by HIPAA, but the length must be sufficient enough to cover all the necessary materials. The quality of the information being provided as well as the effectiveness of how it is taught is the most important aspect of proper training. This could mean a shorter but more engaging training, such as an animated video and interactive quiz.
There’s also no specifics that identify if training must be completed individually or as a group. Utilizing training videos may help your practice avoid losing valuable patient time by letting staff complete training on their own time.
What is required to document training?
One of the most important aspects of completing HIPAA training is to document each staff member’s completion. When it comes to HIPAA, document, document and document some more. It is key to providing proof of compliance if ever audited or breached. For training, a certificate of completion showing who completed the training and when it was completed will show all needed information. Offering a modular-type training format, such as a quiz after training, is important for showing that employees retained the material.
Unpacking HIPAA means peeling back a lot of layers, and ensuring that each employee is properly trained on HIPAA’s nuances to fully understand what’s needed to be compliant may seem daunting. A solution like Abyde makes HIPAA training as easy as a click of a button, sending animated training videos that keep HIPAA fun and engaging. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and most importantly delivers content in a way that will be retained and understood by your employees.