• E-mail
• Print
• RSS

Work with managers to provide job-specific HIPAA training

Ambulatory Safety Monitor, February 25, 2004

Want to receive articles like this one in your inbox? Subscribe to Ambulatory Safety Monitor!

One person cannot train every member of the work force on how to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

But HIPAA's privacy rule requires policy and procedure training for every staff member who handles patient information. HIPAA is a detailed set of security and encryption requirements for sharing and transmitting patient information.

Many organizations do hold very general privacy training, says Jill Callahan Dennis, JD, RHIA, principal of Health Risk Advantage in Denver. However, everybody's job differs and nobody has the time to come up with customized training for every employee.

Consider the following four tips:

1. Conduct two types of training
Take a two-level approach to training staff, says Dennis. First, conduct general HIPAA training that covers basic information about HIPAA, such as the purpose, general requirements, compliance dates, and penalties for violations.

Next, work with department managers to provide job-specific training. "You're training staff on how the privacy rule applies to their specific job responsibilities," explains Dennis. "Some staff will not be affected and many will, but in a very specific way."

The privacy officer in a smaller organization can get involved, but it's not practical to do so at larger ambulatory practices, she says. "Department heads probably have a pretty good idea of what needs to be covered, but since the privacy officer is on the hook for it, sit down and see what they have in mind and make sure it's adequate."

2. Have department heads report back to the privacy officer to maintain accountability
Often, you hand the training over to the department heads and you never know whether they do it, says Dennis.

Making the managers responsible for training and having them report back to the privacy officer is a good way of getting the work done and getting the message out that patient privacy really is everybody's job, she explains.

3. Set deadlines
It's a good idea to set deadlines for managers, says Dennis. You must train new staff within a "reasonable" period of time. "Determine what is 'reasonable' and make it a matter of policy," says Dennis. "Should it be 15 days after hire?"

Focus on the heavy users of patient information first, such as nursing, patient accounting, and medical staff.

4. Document all training
The privacy rule requires documentation of training. "It's good to have some sort of paper trail, so that you know the training took place," explains Dennis.

Want to receive articles like this one in your inbox? Subscribe to Ambulatory Safety Monitor!

• E-mail to a Colleague
• Print
• RSS
• Archive