
Stop stumbling through your HIPAA privacy and security training: Expert advice for common concerns (part one of three)

HIPAA Training Advisor, April 3, 2008

HIPAA privacy and security officers have been asking themselves the following questions for years:

  • How frequently do I need to train staff?
  • What do staff members actually need to know?
  • Which training method is most effective, and what will it cost me?

"Although organizations have had a few years to fine-tune programs, many are still tweaking their training, while others continue to stumble with education efforts that are ineffective and yield mediocre results," says William M. Miaoulis, CISA, CISM, manager of HIPAA security services at Phoenix Health Systems in Dallas.

If you're still struggling with your training or questioning whether your training program is HIPAA-compliant, let our experts be your guide as you create a training program that meets HIPAA requirements and fits your needs.

In this week's issue, we'll explore the first question: When should you train staff?

Don't delay, train new staff right away

HIPAA requires that covered entities train all staff members in policies and procedures related to PHI as necessary and appropriate for them to perform their job functions. Covered entities also should retrain staff members when they amend their policies and procedures.

Ideally, facilities should provide extensive HIPAA training to all new staff members during new-hire orientation. But some facilities conduct new-hire orientation only once per month, and this often leads to situations in which employees face difficult HIPAA situations before learning the proper response, says Susan A. Miller, JD, independent consultant and chief operating officer of Health Transactions in Concord, MA.

Miller warns facilities not to give new hires access to data before properly training them. "Many facilities schedule new-hire training once a month but have new hires starting on a weekly, if not daily basis," Miller says. So if staff members begin working the day after the monthly new-hire training, they potentially could be handling sensitive information for a full month with no knowledge of their HIPAA privacy and security responsibilities.

Facilities that are unable to provide training during the first day or two of employment should at least give new employees written material that explains HIPAA and its basic requirements in relation to their individual jobs.

The need to train new staff immediately upon hire is apparent, but there is some debate over how frequently you should retrain your entire work force. Mary D. Brandt, MBA, RHIA, CHE, CHPS, president of Brandt & Associates, Inc., in Bellaire, TX, recommends annual general training for all staff, in addition to special sessions, to address compliance problems any time they arise.

"If a facility recognizes compliance problems in a particular area, they should not wait and try to work these issues into their general training program," says Brandt. "If necessary, conduct spot training in the particular area where the incident or incidents have occurred," she says.
