Health Information Management

Q. Our organization received information indicating that medical personnel must attend at least 50 hours of HIPAA training annually. How many hours of training are necessary to be compliant with HIPAA training requirements?

HIM-HIPAA Insider, October 20, 2008

A. The HIPAA privacy and security rules require you to provide regular HIPAA training for all work force members. But there is no requirement that work force members receive 50 or more hours of training annually. Further, the HIPAA privacy and security rules do not specify a required number of hours.
 
HIPAA requires organizations to provide training for new work force members. It also requires periodic refresher training. General work force refresher training doesn’t need to be longer than one-and-one-half to two hours as long as the training covers all the aspects of HIPAA that work force members need to know to adhere to required privacy and security policies, procedures, and practices. Training should also include information about additional HIPAA privacy and security resources or training that might be available.
 
It might be necessary to provide periodic specialized training for work force members in certain positions (e.g., HIM, information technology network administration, or regulatory compliance staff members). This training should meet the specific HIPAA requirements that pertain to these specialized positions. It should also address targeted areas in greater detail than that provided during general work force refresher training. No set amount of time is necessary for specialized training.
 
State licensing bodies and certifying authorities may require licensed and certified work force members to attend a specified number of hours of additional training. But this pertains to licensure and certification; it is not a HIPAA requirement.
 
Covered entities should also remember that the HIPAA security rule requires regular security reminders. Inclusion of regular privacy reminders as well is ideal. Also note that the HIPAA security rule does not define “regular.” Periodic e-mail reminders, brief security reminders at staff meetings, and articles in company newsletters meet the requirements of the HIPAA security rule. Remember to document the training you provide, the reminders you distribute, and the names of those who attended training.
 
Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
