First, a few things that ARE NOT required for an effective HIPAA staff training program:

  • Expensive consultants
  • Monthly subscriptions
  • Video training courses
  • Quizzes and exams
  • Training “certificates”
  • Fees “per employee”

So why are these things common elements among so many HIPAA training courses?

Partly because that’s what people expect “training” to look like, and partly because that’s what they’re selling, not what you need.

  • Unless that consultant is going to invest a good deal of time in learning the exact nature, processes and procedures of your specific daily business activity, you are buying a generic HIPAA training program with an expensive salesman attached.
  • Is there really any need for a monthly fee for mandatory annual training?
  • Unless that time-consuming series of training videos is prepared specifically for the exact needs of your business operation, you may be unnecessarily investing time and money in a drawn-out generic training class.
  • Quizzes and exams, and grading them, are time consuming and unnecessary, since they are not required for an effective training course. They can also raise another set of issues: either they are designed to be so simple that anyone can pass, and are therefore pointless, or you have to have a mechanism for dealing with those who don’t pass.
  • Certificates are nice, and may motivate certain employees, but they mean nothing to HIPAA regulators. The regulatory authorities do not license, accredit or certify any trainers or training, and the certificate is simply something issued by the company selling the training.
  • And should you really need to pay “per employee” when they are all going to receive exactly the same training?

The truth is, HIPAA regulations are incredibly vague about training requirements. Annual training for employees is mandatory. But there are no guidelines whatsoever that specify the form or content of that training.

In developing a training program for HIPAA purposes, you should realize that you ultimately want to achieve two goals:

First, you need a program that will get your organization to the all-important “good faith effort” standard for compliance purposes.

Second, you need a program that will provide your organization with the best possible protection against breaches, errors and violations.

Keep these two goals separate in your mind right from the start, because prioritizing your efforts separately will keep you from falling into the Goldilocks trap. This is the tendency to keep refining and fine-tuning the details, trying this and researching that, until your training program is “just right.” Working on developing a training program that you will implement as soon as it is ready DOES NOT get you into compliance.

With HIPAA regulations, it is not the thought that counts. As far as the HIPAA auditors and investigators are concerned, either something is done or it is not done. And by the way, if it is not documented, it is not done. Make a note of that and keep it in mind:

If it is not documented, it is not done.

You must keep and maintain records of all phases and aspects of your HIPAA compliance program, including your training program. Investigators may look at your records going back as far as six or more years, depending upon when the requirement in question went into effect.

Precisely what you really need in a training program will depend on your circumstances. Please note that these considerations are not part of any mandatory guideline, as no specific guidelines exist. Rather these are recommended best practices based on the education, training and experience of the editorial staff at Apex Legal Publishing.

  1. If you regularly conduct and document your annual staff training, you may only need an annual update to address any changes and provide a refresher, assuming all new hires get basic HIPAA training as part of their new employee training.
  2. If you don’t have an ongoing training program in operation, you need to implement a basic training program and get your staff through it NOW, so you are in compliance when an auditor or investigator shows up tomorrow. A solid basic program may not be your ideal solution, but it is not just for show; it will place you in compliance with the training requirement.
  3. If you have a training program but have made changes in hardware, software or procedures, you will need to evaluate and address how these changes affect your obligations under HIPAA.
  4. If you do not have a comprehensive HIPAA compliance program in place, getting your people through a basic training program and documenting that fact should not be delayed until the whole program is ready to go.
  5. If your organization handles information subject to HIPAA regulation, all employees should receive at least basic training. Those who actually deal with such information, even on an occasional basis, should receive additional training appropriate for their specific job or role in the organization.

Mandatory annual training is one of the easiest, quickest and least expensive components of an effective HIPAA compliance program. It can be completed independently of the completion of the comprehensive risk assessment or development of the written policies.

If your organization does not have an ongoing training program and is starting from scratch, you should immediately get a training program in place.

Implementing and completing a basic training program will get you into compliance, which is the first critical objective. Additional or supplemental training for specific roles or circumstances should be added as you develop them to better protect your organization and the information relating to your clients or patients.