
Training – The First and Last Word in Privacy Compliance

By D'Arcy Guerin Gue, Executive Vice President, Phoenix Health Systems
October 2003

Even if your organization has finished implementing its new Privacy policies and procedures, it cannot rest on its laurels unless it has also instituted a formal, ongoing, enterprise-wide training program. A one-time education initiative to kick off your Privacy implementation is not sufficient. For example, your training program must be adaptable enough to ensure that newly hired staff and transferred or promoted employees receive Privacy training that relates to their new or changed job roles. In addition, as new regulations are published or internal policies are amended, continuing training must be provided.

Who Should be Trained?

The HIPAA Privacy Rule (45 CFR 164.530(b)) stipulates that all members of the enterprise workforce receive training that is appropriate to their organizational roles. The "workforce" includes employees, volunteers, trainees, and other persons whose work is under the direct control of a covered entity, whether or not they are paid by it. Some staff members will need to be trained in applying specific policies and procedures, such as providing the notice of privacy practices or obtaining authorizations. Others, such as those who rarely have access to PHI, may require only an overview of HIPAA's background, objectives, principles, and general regulatory requirements.

New employees who join the organization must receive training within a reasonable period of time. It is often practical to include HIPAA privacy training in new employee orientation programs, particularly because privacy principles easily fit into discussions of the organization's mission and infrastructure. Workforce members who change jobs or receive new responsibilities must receive additional training if their new job duties include new patient privacy-related responsibilities. Further, the Privacy Rule requires retraining for each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures.

Covered entities also must document that privacy training has been provided, and retain that documentation for the six-year period the Privacy Rule requires of its other compliance records. Though there is no requirement that members of the workforce sign a certificate following training, it is useful to document training completion by each worker, with dates and the material covered, for future verification purposes.


What Should Your Training Program Cover?

The Privacy provisions do not prescribe the nature of the required training; HHS has left the design, approach, and specific content to the discretion of the covered entity. However, at the very least, it is recommended that the following topics be covered with all members of the workforce. In addition, more specialized training on detailed HIPAA requirements and internal procedural changes must be tailored for workforce groups that will be directly affected by them in the course of their work.

  • Principles and objectives of HIPAA Privacy
  • Background – What is protected health information (PHI)?
  • Need for privacy of PHI
  • Overview of HIPAA privacy regulations, including penalties
  • Individuals' rights regarding privacy
  • Individuals' rights regarding control of uses and disclosures of PHI
  • Individuals' right to request access, an accounting of disclosures, and amendment
  • New organizational privacy policies and procedures
  • Sanction policy
  • Notice of privacy practices
  • Authorizations for use and disclosure
  • Privacy Officer role and contact information
  • Complaint policies and procedures
  • Cooperating with investigations or audits
  • How to report a violation, and the whistleblower policy
  • The organization's commitment to patient privacy, and how it integrates with the HIPAA transaction standardization and security mandates

Developing Your HIPAA Training Program

The HIPAA training team should recognize that the enterprise's privacy training program must be tailored to the organization, its unique information infrastructure and culture, and its particular privacy policies, procedures, and practices. Some development guidelines include:

  • Assign responsibility for developing the privacy training program to an individual or team with training development expertise and a strong understanding of HIPAA privacy principles and mandates. Within a large organization, determine whether a "train the trainer" approach is needed for those who will actually conduct the educational sessions.
  • The training development team should include various departmental representatives, who are in the best position to tailor curricula to their particular functions, and to communicate effectively with their staff. For example, ensuring that a nurse helps to develop and conduct training for the nursing staff will reassure participants that their particular needs and priorities will be addressed.
  • Consider incorporating the privacy training components that apply to all staff into the Corporate Compliance Program, which is already geared to training all employees, and fold privacy training into new employee orientation and refresher training. Besides saving costs, such integration has the benefit of building on what the organization has already learned about compliance training and related cultural changes.
  • Training should be role-specific and/or job-specific. For example, gear curricula for registration and admitting staff to the HIPAA obligations they will have on the job, such as providing notice of privacy practices and obtaining authorizations.
  • Develop an approach that enables demonstrated mastery of the material presented. In other words, provide for feedback through mechanisms such as discussions, quizzes, "case study" problem solving, and other exercises.
  • Investigate the variety of formal and informal training methodologies that exist, as they apply to the size and nature of your training audience. Where possible, strive for an approach that enables student interactivity and feedback, such as small in-person workshops or computerized learning systems. If large-scale auditorium training is necessitated by the size of the workforce, ensure that later staff meetings of smaller groups reinforce your Privacy training program.
  • Make your program user-friendly: gear lessons to the comprehension levels of participants, break up the training into manageable modules, and avoid including technical or regulatory content that doesn't meet the "need-to-know" test.
  • Provide follow-through learning materials (presentation materials, articles and the like) that students can take away and use for reference.
  • If possible, set up a mechanism for evaluating the effectiveness of training, comparing baselines established during initial assessment with "final exam" results.
  • Follow up training with ongoing reinforcement and informational updates, perhaps in the form of periodic newsletter articles, poster campaigns, and the like.
