Much is said about non-compliance with HIPAA, and about how little many people understand of what HIPAA actually requires. While those sentiments are all too often true, the question of why that is the case, especially within an organization, is not always sufficiently explored. Nothing can be done about willful ignorance or other deliberate efforts to avoid understanding. However, efforts can be made to put the necessary information into the hands of individuals so that they can do the right thing. That means providing training and education.
What is training under HIPAA? The regulations say the following:
“[Security] Standard: Security awareness and training. Implement a security awareness and training program for all members of [the entity’s] workforce (including management).” 45 C.F.R. 164.308(a)(5)(i)
The implementation specifications under that standard, all of them addressable, are security reminders (described in the rule as periodic security updates), protection from malicious software, log-in monitoring and password management. That is all the HIPAA Security Rule says about training.
Slightly more detail is provided in the HIPAA Privacy Rule, which states at 45 C.F.R. 164.530(b):
(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by [the Privacy Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training. (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by [the Privacy Rule], within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
Again, not much direction is provided within the text of the Privacy Rule. It is clear that training is required, and when it must occur (by the compliance date, on joining the workforce, and after a material change in policies or procedures), but as to content the rule says only that members of the workforce must know the privacy policies and procedures relevant to their functions. The rule also requires that the training be documented (45 C.F.R. 164.530(b)(2)(ii)), so records of who was trained, on what, and when should be kept.
What do these provisions actually mean in practice? They mean taking the time to fully explain what HIPAA is, what it does, why the organization needs to comply with it, how the organization complies with it, how it affects day-to-day work within the organization, and more. The scope of training is intended to be quite broad, though hopefully not so broad that it scares people away. Still, it is essential to be comprehensive.
Training does not need to be stale or bland. One example of a great training program was a video-based course that deftly wove together images and text, with a voiceover that had a pleasant tone and was not just going through the motions. Self-directed training can also be made dynamic even without a video component. The key is for the designer to consider what will hold attention, rather than throwing together dense slides that make one’s eyes glaze over.
In addition to those considerations, training should follow a regular cadence. The Privacy Rule itself only fixes the triggers quoted above (the compliance date, joining the workforce and material changes), so the practical approach is to also provide refresher training at least annually. That way awareness, at least in theory, does not become overly stale and is refreshed on a regular basis.
Beyond formal training, ongoing education can also help to cement understanding and awareness of HIPAA. Examples include highlighting events that have occurred in the news, to explain what went right or to learn from what went wrong. Periodic newsletters or other small nuggets of information can also improve retention, since only small amounts of information are conveyed at a time. The baseline for education is to break down the concepts contained in HIPAA so as to reinforce the formal training.
Generating good knowledge of HIPAA plays an important role in a solid compliance plan. Training and education should not be viewed as onerous tasks, but as opportunities for some fun and engagement. A more positive approach also reflects a better overall culture around HIPAA and supports taking the steps needed to protect the privacy and security of sensitive information.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.