What you need to include in your company’s HIPAA security awareness and training program can differ for every single HIPAA-governed entity.
There are different considerations to take into account, such as the duties of each individual employee, manager, volunteer, trainee or contractor in relation to handling or processing PHI or ePHI. Because of this, you may need to run a range of different classes for different sectors within your own organization, both to ensure that you are fully HIPAA compliant and to be reassured that your staff are conscious of all the responsibilities they have under HIPAA.
While putting together a training course like this may seem a daunting mission, no matter how long or arduous it may seem, it is worth it to give you peace of mind and to help your group avoid falling foul of HIPAA rules.
Once you have your course designed, you must ensure that you are running the course, and refresher classes, in line with the requirements of the HIPAA Privacy Rule and Security Rule. The Privacy Rule states that HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and also when “functions are affected by a material change in policies or procedures” – again within a reasonable time frame.
HIPAA Compliance Training Best Practices
As there are no specific HIPAA training obligations, we have compiled a number of best practices HIPAA compliance managers may want to take into account when compiling “necessary and appropriate” security awareness and training courses.
- Always keep training concise. It is recommended that training sessions last no more than one hour and are regular events rather than the “periodic” refreshers suggested by the HIPAA Security Rule.
- Always take into account the impact of a HIPAA breach during the course – not just the financial implications for the CE or BA, but the implications for trainees and their colleagues, and – of course – the person(s) whose PHI has been impacted.
- Do not quote long passages of text from the HIPAA guidebook. Use multimedia presentations to make the training easier to remember. HIPAA compliance training not only has to be taken in, it has to be comprehended and adhered to on a daily basis.
- Ensure that senior management take part in the training. Even if senior managers are not handling PHI, it is crucial they are seen to be included in HIPAA compliance training.
- Record your training course so you have proof it took place in the event of an OCR investigation or audit.
The HIPAA Security Rule states that HIPAA training must be conducted “periodically”, which is usually understood to mean annually. However, in reality HIPAA training must be conducted every time there is a change in working practices or technology, or whenever new rules or guidelines are released by the Department of Health and Human Services. In order to assess whether HIPAA training is required, Privacy and Security Officers must:
- Review HHS and state publications for advance notice of rule amendments. Realistically this should include following a news feed or other official communication channel.
- When new rules or guidelines are released, complete a risk assessment to see how they will impact the group’s operations and if HIPAA training is necessary.
- Work with HR and Practice Managers to receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
- Partner with IT managers to receive advance notice of hardware or software upgrades that may affect HIPAA Security Rule compliance.
- Complete ongoing risk assessments to discover how amendments to policies or processes may affect the likelihood of HIPAA violations occurring.
- Put together a HIPAA training course that explains how any changes will affect employees’ compliance with HIPAA – not only the changes on their own.