What are our obligations for training employees under HIPAA?
HIPAA Weekly Advisor, April 11, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What are our obligations for training employees under HIPAA?
A: The rules require covered entities to train all members of their workforce on policies and procedures for dealing with protected health information (PHI), based on their job responsibilities.
A group health plan that provides benefits solely through an issuer or health maintenance organization (HMO), and that does not create, receive or maintain PHI other than summary health information or information regarding enrollment and disenrollment is exempt from the training requirements.
Each member of a covered entity's workforce must receive training by no later than the compliance date and new members must be trained within a reasonable time after joining the workforce. The rules do not define "reasonable period of time."
Workforce includes employees, volunteers, trainees, and other persons under the direct control of the entity, regardless of whether they are paid.
The HHS commentary says covered entities have no duty to train their business associates. However, if a covered entity believes including a training requirement in business associate contracts is an appropriate way to protect PHI provided to the business associate, it is free to do so.
The rules do not prescribe the content or method of the required training. They're left to the discretion of the covered entity.
Covered entities must retrain staff when they make changes to privacy policies and procedures, and must retrain each member of the workforce whose functions are affected by the change within a reasonable period of time after it becomes effective.
The rules require covered entities to document providing training. There is no requirement that members of the workforce sign a certificate following training, but it is a good idea to have evidence of who received the training on what date. The HHS commentary also says that covered entities must have policies and procedures for the training requirements.
HHS expects to provide general training materials and work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups. But if HHS does not provide these materials, you're not exempt from training your workforce.
Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP(http://www.bricker.com/hipaa) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com). E-mail: mbaxter@bricker.com or gmcbeath@bricker.com.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- Topic: CMS, OESS post new security compliance review information, checklist
- HIPAA Q&A: Level of encryption needed for email
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched