Determining the amount of adequate training is not an easy question, because the answer is highly dependent on the individual and the organization. Individuals often complain that vendor training describes the problems but not the solutions. That is a missed opportunity: if you know the problem and don't have an adequate answer, you're likely to have difficulty responding, and you may end up with an Incident, a Breach, or an unauthorized disclosure of Protected Health Information ("PHI"). In this article, we describe aspects of what may be considered "good training" and the kind of training we make available, so that you can compare across vendors.
You need answers! In our view, if you do not succeed in establishing compliance literacy in your workforce, you are likely going to have an occasional bad day, not to mention being out of compliance with the HIPAA regulations for training and the associated documentation. As stated in HHS's Audit Protocol, the policies and procedures that covered entities and business associates have adopted and implemented to meet selected standards are reviewed to determine whether the organization has implemented the standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Training, by the way, is a Privacy Rule administrative requirement (45 CFR 164.530(b)); security awareness and training is separately a Security Rule standard (164.308(a)(5)).
If you are audited, one of the things that will be reviewed is your training documentation. Yes, this seems a small item compared to your Risk Assessment and other compliance efforts. However, Covered Entities ("CE") and Business Associates ("BA") must train all members of their workforce on the policies and procedures regarding PHI, as necessary and appropriate for them to carry out their functions. Compliance with Privacy Rule regulation 164.530(b) requires policies and procedures for training and documentation of which staff member was trained, on what topic, and when; like other Privacy Rule documentation, those records must be retained for six years (164.530(j)).
From a practical standpoint, it's not enough for training to convey an understanding of the regulations; it should also build the ability to evaluate and respond to a variety of situations where PHI may be at risk. Training that walks through hypothetical risk scenarios tied to the HIPAA regulations, and/or includes a quiz on the knowledge gained, is a component of quality education.
But is HIPAA a top priority in a CEO's average day? Probably not, unless there is an Incident or a Breach. The same is likely true for other executives in your organization. Aside from the regulatory requirement to designate a privacy official and a security official, this is a VERY good reason why a named Compliance Officer should exist in each Covered Entity's and Business Associate's organization. A Compliance Officer has the responsibility to ensure that policies and procedures are being followed by the workforce, to avoid non-compliance. And yes, the Compliance Officer ensures that training policies exist and that there is visible, demonstrable evidence that the training actually took place.
So, how much training is really needed? For the purpose of this article, we will use the HIPAA Training Products contained within our Subscription Plan as the recommended training topics for different categories of workforce members. Again, remember that our principal premise is that all workforce members need to become HIPAA literate, since you have the 800-pound gorilla of Breach Notification staring you in the face.
Training for Clinicians
Not all staff members need to attend or be educated for every HIPAA training module. We recommend three (3) training sessions for clinicians as listed below:
Privacy Rule Training for Clinicians (coming soon!)
Breach Notification Training for Clinicians (coming soon!)
Why do we recommend specific training for clinicians? Well, I can say as a Registered Nurse that clinicians do not need to understand every aspect of the regulations. What they need to know is how to respond to various threats to PHI, or to situations where compliance action is required. They need an awareness and a basic understanding of the Security, Privacy, and Breach Notification regulations that will enable them to prevent risks while managing situations where the HIPAA rules are tested.
A particular item of importance is knowing WHO to call when a situation arises. The same is true for Business Associates. You might be surprised at the number of times I have randomly asked clinicians the name of their HIPAA Compliance Officer and they did not know. That's a recipe for a bad day! Try this yourself next time you visit your doctor. Ask the receptionist or the nurse, or any other clinician or workforce member you encounter if they know the name of their Compliance Officer. By the way, this is generally true of organizations both large and small, even those that regularly train their employees.
Foundational Training for Other Staff
The following list of training modules is recommended for other workforce members, including the executive management team.
I have been asked if there is a HIPAA LITE for Business Associates, and the answer is No! Business Associates need to be as aware of the regulations as Covered Entities if they are "touching PHI." That said, we also provide specialized training for Business Associates in situations where their needs differ from Covered Entities (see below).
In addition to the training above, compliance officers should consider taking the following training classes to obtain their certification. We offer a HIPAA Certified Professional ("HCP") certification after taking an exam that covers material from the training modules listed below.
We also recommend that Compliance Officers take advantage of our pre-recorded four-part training series entitled: "Surviving a HIPAA Audit." Subscribers may log in to the Compliance Hub Member website to:
For some, the amount of information may be overwhelming, but just like HIPAA itself, you eat the elephant one bite at a time.
Specialty Workforce Training
Finally, we recommend that staff responsible for the items listed below, as well as Compliance Officers and/or Executive Officers, become knowledgeable on the following topics:
Training for workforce members designated as "point persons" for the Patient's Bill of Rights, sections 164.520 through 164.528 of the Privacy Rule (notice of privacy practices, restrictions and confidential communications, access, amendment, and accounting of disclosures). This includes:
The regulations require that individuals "sign off" on certain processes pertaining to providing access to a patient's PHI (note that access requests must generally be acted on within 30 days, with one 30-day extension, under 164.524(b)(2));
Helping a patient amend their PHI;
Distributing the Notice of Privacy Practices, etc.
Training for individuals that handle Privacy Rule requests for authorizations, restrictions, etc.
Training for personnel assigned the responsibility of tracking security incidents.
Training for information technology personnel that are required to audit information systems containing PHI.
Training for personnel that are assigned the responsibility for disposing of PHI.
This is not an exhaustive list. The "final" list of training will depend on your operational environment, the size and complexity of your organization, and the resources you have available. One thing is certain: look for training that provides answers, not just a description of the problems.
HOW TO COMPLY WITH HIPAA
At 3Lions Publishing, Inc. our mission is to provide clients with:
Premium Compliance Products,
Free Monthly Webinars,
Newsletter Articles on HIPAA and regulatory topics, as well as
"High Touch" LIVE assistance with Products for Risk Assessment and Remediation.
We do NOT charge extra for compliance support, as many of our competitors do; the cost of your LIVE assistance is included in your Subscription purchase.
A full 360-degree circle of Risk Assessment and Remediation products is provided in 3Lions Publishing Inc.'s
The Subscription Plan includes Expresso®, the Risk Assessment "SaaS" based software, more than 30 compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with the HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan, we also provide certification for clients seeking designation as a HIPAA Certified Professional ("HCP").
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance.
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan!
Or, take advantage of our FREE 15 day trial of Expresso to complete your Risk Assessment!
Questions? Please call or write using the contact information below.
Do you have compliance and regulatory questions that aren't answered easily? Don't have a reference for those unique situations that only apply to your organization? Well look no further.
We have educated thousands of stakeholders on the HIPAA Rules ("Rules") through our monthly webinars and newsletters over the past ten years. The HIPAA Handbook: A Definitive Guide to Articles was curated from 10 years of HIPAA Survival Guide Newsletter Articles.
Buy your copy of the 1st Edition of The HIPAA Handbook: A Definitive Guide to Articles for the bargain price of $179.95. That's about $1.50 per article! With over 500 pages of content on a variety of topics, you'll become better educated about regulations.
Sections in this handbook cover the following topics and its index can be used as a reference for HIPAA questions.
Author Carlos Leyva, CEO of 3Lions Publishing, Inc. and Managing Partner of the Digital Business Law Group, P.A., has taught thousands of individuals a comprehensive methodology for dealing with HIPAA Compliance. He's a HIPAA thought leader and innovator well known for his compliance acumen. He's the driving force behind the production of more than 30 HIPAA Survival Guide products, including compliance Risk Assessment software (Expresso®), checklists, frameworks, training videos, model documents, articles, and webinars. He also provides legal assistance through his law firm, The Digital Business Law Group, P.A.
Notice that the title does not say 10 "Easy" Steps! There is nothing easy about compliance in general and the GDPR specifically. Far from it. However, these ten (10) steps have been vetted in other compliance regimes (e.g. HIPAA) and have proven robust. Further, the reader should note that the title says "Launching" and not "Completing."
You can get your GDPR initiative "off the ground" with these steps, but you are far from done. In fact, as anyone who has ever seriously tackled the compliance challenge (under any non-trivial regime) knows, you will never be done, although many are the poor souls who have been fooled by a "once and done" strategy.
(1) Gather data landscape / data audit / data inventory: find and analyze your personal data ("PD"). Without an inventory of your PD you are likely to incur the wrath of the Supervisory Authority (more than you otherwise would) when (not if) a breach occurs; you are in the GDPR equivalent of HIPAA's "willful neglect" land, subject to the steepest penalties.
(2) Develop, review, and distribute policies: this is such an obvious win, BUT so many companies neglect this aspect of compliance. You need a clear understanding of your internal policy objectives and the ability to communicate them to your employees. Obviously, you need SO much more, but policies are foundational.
(3) Understand a Data Subject's bill of rights & processes: the GDPR establishes "fundamental rights" for Data Subjects. In the U.S. this would be like freedom of speech or freedom of the press. We don't pay THAT much attention to privacy in the U.S., although after the Facebook debacle that may change. However, make no mistake, the GDPR is deadly serious about a Data Subject's "constitutional rights."
(4) Perform Risk Assessments on high-risk personal data ("PD") Processing: in the HIPAA universe Risk Assessments suck up all the compliance oxygen in the room. They are STILL important under the GDPR, but qualitatively different. First, under the GDPR the assessment of risk (the Data Protection Impact Assessment, Article 35) is performed from the perspective of the Data Subject, not the organization. Second, you don't need one in all cases, only where the processing is "likely to result in a high risk" to individuals' rights and freedoms; Article 35(3) gives examples such as large-scale processing of special categories of data, systematic and extensive profiling, and large-scale systematic monitoring of publicly accessible areas.
(5) Identify low-hanging fruit & pick it: encrypt; encrypt; encrypt! Encryption is named in Article 32 as an appropriate security measure, and under Article 34(3)(a) a breach of PD that was rendered unintelligible to unauthorized persons (properly encrypted, with the keys not also compromised) need not be communicated to the affected Data Subjects. Notification to the Supervisory Authority under Article 33 is a separate question.
(6) Create a GDPR compliance repository: you need a "single version of the truth" where you store your compliance documentation; it should be secured yet visible to the organization (e.g., an Intranet).
(7) Implement the necessary safeguards: you are now in the security controls business. You need to implement a set of controls that will protect PD. Without controls, policies are nothing more than flowery language; they remain important, but ONLY to the extent that there are processes and controls that underpin them.
(8) Train your staff: again, like policies, this step appears so obvious and yet it's often overlooked. EVERYONE needs some basic GDPR training, without exception. GDPR is an organization-wide challenge, not just an information technology challenge.
(9) Prepare for Breach notification: the GDPR introduces a general, cross-sector breach notification obligation into EU law (Articles 33 and 34): notify the Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and notify the affected Data Subjects when the breach is likely to result in a high risk to them. It will quickly become the 800-pound gorilla.
(10) Katrina-proof your disaster recovery: ultimately this is the practical objective you should have in mind when considering how to protect PD. Ask the question "Would our PD survive Katrina?"
This webinar discusses why HIPAA and other compliance stakeholders need a governing philosophy that underpins their Information Governance initiatives. The challenge is much broader than HIPAA; myopic views lead to fragmented compliance silos and initiatives.