More than likely you’ve heard the word “HIPAA” but still don’t fully understand what it is and why it’s such a big deal. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, enacted in 1996.
In basic terms, it requires your organization and employees to keep your patients’ individually identifiable health information confidential, regardless of the medium in which it is held or communicated, including paper, speech, and electronic devices.
For starters, HIPAA consists of five different titles, each playing a distinct role in the overall protection of someone’s personal information.
Although your HR Director needs proper training on all five Titles of HIPAA, you want him or her to pay special attention to Title II, since it contains the Privacy and Security Rules that organizations associated with healthcare deal with day to day.
Under this title, the person in your organization who oversees HIPAA must make sure the workforce receives specific training. With it, he or she can protect data carrying any of the 18 identifiers listed in the Privacy Rule’s de-identification standard (names, dates, addresses, Social Security numbers, and so on). Otherwise, an unauthorized party could determine whom the information belongs to, which under this Act should never happen.
As explained by the US Department of Health and Human Services, “the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the US Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of certain health information.”
If you operate a business in the healthcare sector, whether it provides physical or mental health care, the law mandates that you follow all titles, especially Title II.
HHS goes on to state that before the enactment of HIPAA there were virtually no generally accepted standards for the security of information, nor any general requirements for protecting an individual’s health information, within the healthcare sector.
However, with advancing technology making it increasingly easy to obtain and move someone’s information, the government recognized the need to change that, and did so in the form of HIPAA.
HIPAA training is not limited to healthcare organizations. Any Business Associate (BA) or other entity that requests, handles, or stores patient or client information must train the workforce members who touch that information. Note that HIPAA itself requires training, not a particular certification, so a “certified” course is a convenience rather than a legal requirement. Without proper training, your HR Director, Compliance Manager, L&D Manager, and others you deem necessary cannot reliably protect information about your patients.
As for Business Associates (BAs), the government defines these as any person or organization that performs functions or services on behalf of a covered entity and, in doing so, creates, receives, maintains, or transmits a patient’s protected health information. Some examples include accountants, lawyers, and third-party insurance billing services.
While the government mandates certain HIPAA training, there are areas where training is not required. Even so, for optimum protection of the patients and clients your organization serves, you should have the appropriate leadership team take as many relevant online courses as possible, while maintaining an emphasis on those pertaining to Title II.
If a breach of PHI occurs, or a complaint is filed, the HHS Office for Civil Rights (OCR) may open a formal investigation. During that investigation, if OCR discovers you failed to give the appropriate people within your organization the required training, or you cannot produce records showing that you did, you would likely face a significant fine.
Furthermore, failure to comply puts your business at real risk of litigation. HIPAA itself gives patients no private right of action, but affected patients or clients can sue under state privacy and negligence laws, and state attorneys general can bring HIPAA enforcement actions of their own.
Keep in mind, the HIPAA training your staff needs and the courses you recommend will vary somewhat with each person’s position and the specific functions he or she performs. Typically, companies that deal with sensitive and proprietary healthcare information complete multiple training courses to ensure managers understand all angles of security awareness.
Fortunately, many of the courses are available online through a reputable Learning Management System (LMS). Each course is developed by an industry or topic expert, yet the majority take only about an hour to complete. These courses are also affordable and available in a variety of formats, including articles, podcasts, videos, and so on.
Between the mandated and selective training, there’s a tremendous amount of information. However, with an LMS, your staff can complete courses within a reasonable period, preventing them from trying to cram their minds with more information than they can retain.
After all, even mandated HIPAA training has no fixed calendar. The Privacy Rule requires training for each new workforce member within a reasonable period after hire, and for existing staff within a reasonable period after a material change in your policies or procedures, and it requires you to document that the training took place.
The Security Rule, for its part, requires a security awareness and training program for the entire workforce with “periodic” security updates, meaning there is no set interval. A good rule to follow is to have the relevant members of your organization complete mandated training once a year, and every new hire within the first weeks of employment. As for supplemental training, they can fit courses to their schedules. Of course, any change to HIPAA or to your own policies should trigger immediate retraining.
The Compliance Manager within your organization plays a key role in keeping your L&D Manager up to speed on any HIPAA training issues. In this role, the individual responsible for compliance should perform several duties, including:
The government mandates specific HIPAA training: the security awareness and training standard under the Administrative Safeguards of the HIPAA Security Rule (45 CFR 164.308(a)(5)) and the training standard under the Administrative Requirements of the HIPAA Privacy Rule (45 CFR 164.530(b)). Along with those two, consider several supporting courses for each of the four remaining titles, as well as others such as Information Security and Privacy and Compliance: Privacy Awareness. The more knowledge your executives and senior management team have, the better.
These two mandated courses cover a lot of valuable information. Following are some examples:
HHS provides a model Notice of Privacy Practices and guidance on the various HIPAA topics, making it easier for you to stay on top of training, compliance issues, and other concerns. If you have a healthcare organization that treats patients directly, you must explain your HIPAA practices to them and provide a Notice of Privacy Practices that clearly outlines their rights. Provide it no later than the first time a person sees a physical or mental healthcare professional, and post it where patients can see it.
If you run a BA or similar entity, meaning you don’t actually see patients but still deal with their information, you are bound by the business associate agreement (BAA) you sign with each covered entity and, directly, by the Security Rule. The best way to prevent an oversight is by establishing a privacy policy that reflects the Privacy Rule and the terms of your BAAs, and by making sure your own clients know about it.
Whether a patient is existing or new, make sure you have a tracked process guaranteeing that everyone receives both an oral explanation and the written notice. Then make a good-faith effort to have the patient sign an acknowledgment of receipt, keep a copy in his or her file, and store a digital copy; if the patient declines to sign, document that you asked.
If you have an insurance assistance, billing, or other type of company that deals with patient information, adopt the same kind of system. The goal is to document your compliance so that, if OCR comes asking, you can show it; a well-run program reduces the risk of a violation finding, though no process eliminates the risk of a breach entirely.
Along with this system, you could create a simple Excel spreadsheet listing the mandated training courses. Include a column for the team member’s name and the date of completion, and for each person list the secondary patient-privacy courses as well. The Privacy Rule requires you to document training, so this record serves as both your internal tracking tool and the evidence you would hand to HHS.
One important thing to note: you may use and disclose a patient’s Protected Health Information (PHI) without asking for treatment, payment, and healthcare operations, but for most other disclosures to a third party, such as marketing or sharing with an employer, you must obtain the patient’s written authorization first. The authorization must contain the elements the Privacy Rule specifies (HHS publishes guidance but no single mandatory form), be signed by the patient, and be maintained as part of your record-keeping system. You must give the patient a copy of the signed authorization, and provide another if he or she requests one later.
Something else you need to know: if you have a counseling, therapy, or psychiatry business, HIPAA gives psychotherapy notes extra protection. A provider’s personal notes from a session, kept separate from the rest of the medical record, require a specific patient authorization for nearly every disclosure, even to other treating providers. Other mental health information, such as diagnosis, medications, and appointment dates, is treated like any other PHI, so it may be shared for treatment and payment, but still only within what the Privacy Rule permits. What it comes down to is that you and your staff must protect the security and privacy of every person seen.
The main exception is a serious and imminent threat: if you have a genuine, good-faith belief that a patient may harm him or herself or someone else, the Privacy Rule permits you to notify family members, law enforcement, or others able to lessen the threat, consistent with applicable law and professional ethics. In such an event, you would need to make a relatively fast assessment, document it, and then take the appropriate action to keep your client and others safe.
As mentioned, along with mandated training, it’s highly recommended you provide your leadership team with supplemental courses.
For both, consider some of the primary do’s and don’ts:
For the best HIPAA training, go through the US Department of Health and Human Services website. However, for additional training, make sure you choose a trusted, respected, and reliable source.
While you’ll have no problem finding an LMS, not all offer the same caliber of service. Go1 is by far your best option. With a vast library of courses on patient privacy and an affordable membership price, you can access whatever training you feel your team needs to complete in support of HIPAA training.
Although HIPAA training protects patients and clients, it also protects your business and the people who work for it. Enforce the completion of mandated courses and select supplemental training for optimum protection. The last thing you want is the government breathing down your neck about a potential non-compliance issue. We invite you to visit our website or call to speak with a representative.