• E-mail
• Print
• RSS

HIPAA training tip: Put procedures in place to carry out training

HIPAA Weekly Advisor, November 29, 2010

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Editor’s note: This is the second in a series of tips to help keep your staff HIPAA-compliant.

Covered entities (CE) need to develop and formally document a procedure for initial and refresher training, according to a report based on CMS’ 2009 HIPAA security audits.

CMS recommends the following to ensure compliance with this requirement:

• Require verification that new users completed initial training before granting them access to ePHI, and require annual training thereafter.
• Design, document, and put in place processes to monitor compliance. Develop tools for monitoring compliance and, if possible, deploy an automated tracking system to capture critical information about program activity, such as completion dates for individuals’ training. The tracking system should capture this information at a high level so CEs can use the data to provide enterprisewide analysis and reporting when it comes to awareness, training, and education, according to the CMS report.
• Retain evidence that workforce members completed training. CMS said some CEs could not provide evidence that every employee completed training within the required time frame.

Keep attendance logs as documentation, says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder and managing director of AP Health Care Compliance Group, which has offices in Pittsburgh and Purchase, NY. Make participation in training mandatory and a factor in annual employee evaluations, she says. When you evaluate your managers, one of their responsibilities should be to ensure that all their employees receive training.
 

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive