Health Information Management

HIPAA Q&A: You’ve got questions. We’ve got answers!

HIM-HIPAA Insider, December 15, 2014

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at and we will work with our experts to provide you with the information you need.

Q: What is the most common practice for annual HIPAA training (e.g., videos, tests, online training)? I am responsible for training clinical and clerical staff annually. Do you have any recommendations for job-specific HIPAA training?

A: HIPAA doesn't require a set style of training. At minimum, most industry experts recommend that organizations conduct new employee orientation training (including temporary staff members, students, interns, and volunteers) and annual refresher training for existing staff members. A number of good vendors on the market provide training tools, ranging from PowerPoint presentations to hosted webinars to interactive online training. Whatever your choice, track attendance. Administering a test to gauge knowledge retention is also a good idea.

Several reputable vendors offer role-based training (i.e., training customized specifically for IT staff, nurses, administrators, etc.). Providing that specialized training is wise, especially for employees who are entrusted with a high level of responsibility when it comes to PHI.

For example, HIM staff should receive additional training given that these employees are the custodians of patient medical records.

Try to avoid using the same refresher training year after year because the training will no longer sink in after a while. Focus training on certain topic areas such as mobile device security and social media use. These are high-risk areas; the more employees know, the lower the risk of breaches and other adverse events will be.

Consider other laws that may also apply, such as the Red Flags Rule, 42 CFR Part 2 (alcohol and chemical dependency), and state privacy and security laws. Few training packages available from vendors include this level of training. If you are subject to other federal and state privacy and security laws, add training material on these subjects to any vendor-provided training you may use.

Training does not need to be complex. Security reminders may be as simple as, "Don't open the attachment if you don't know the sender." Training can include articles in staff newsletters, fun posters, pop quizzes, and headlines of breaches that appear in the news. The more training you provide, the greater the staff retention and the lower the risk of noncompliance.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro's Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
