Disclaimer: CMA/PrivaPlan PrivaGuide: Workforce Training.
The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.
PrivaGuide: Workforce Training
By Lesley Berkeyheiser and David Ginsberg
HIPAA requires that you train all members of your workforce in security and privacy policies and procedures. Specifically, this means:
You must provide training for all employees of your organization and for contract personnel under your direct supervision. HIPAA requires more than just policies and procedures to safeguard PHI. You must provide adequate training and education to your staff and physicians/providers, as well as any contractors or other members of your workforce. The initial training should be completed for your entire workforce by April 14, 2003.
New employees must be trained within a reasonable time period after beginning work.
You are required to keep records of who was trained.
Training must be updated as you change your policies and procedures, or as your staff takes on new responsibilities which impact HIPAA obligations.
Training is an Ongoing Process
If policies and procedures undergo a “material change” the individuals who are affected must be trained on the change within a “reasonable period of time.”
A “material change” to a policy or procedure is any change that has more than a trivial impact, especially with respect to a HIPAA compliance requirement.
A reasonable period of time is an amount of time that can be explained in terms of actual scheduling constraints.
How to do this:
In this section we document some practical suggestions for implementing your training procedure. “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to ongoing activities. Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.
PROCEDURE — TRAINING
Be sure that training records are kept for all employees and other personnel in your workforce. HIPAA requires that such records be kept; this can be something as simple as a sign-in sheet recording the date, time, attendees, instructor, and topics covered, which is then filed in the office records. Use the Workforce Training Log to track training sessions. In addition, you may also use the HIPAA Privacy Rule Training document. Alternatively, or if you are a larger practice, you may choose to purchase a commercial tool such as the PrivaPlanED HIPAA training product, which produces automated printed reports for your compliance records. (Call PrivaPlan for more information.)
Customize Training for Your Office.
For example, you may want all new workforce members to receive instruction in the core privacy and security requirements before beginning work. Then, within the first week or so of beginning work, they could receive more in-depth training on each person’s specific assignment.
Of course, the level of training depends on the person’s job function. For example, the front desk scheduler may be assigned the responsibility of explaining the notice of privacy practices to those who have questions. This person should have in-depth training before performing this role. A night cleaning person, by contrast, would need much less in-depth training and could probably make do with just the introductory orientation mentioned above. Use the Job Responsibility with Respect to PHI list you created in Stat #1 to determine the job responsibilities of your personnel. Then provide them with the pertinent training using your completed Procedure Manual.
Ensure that everyone understands policies and procedures. HIPAA requires that you train your workforce on the various policies and procedures you implement as part of the compliance effort. You should discuss the various forms of protected health information that they may encounter. Review your notice of privacy practices with the employees. Also, review your acknowledgment and authorization procedures and any other privacy policies you have created.
Develop security awareness in the workforce. You should consistently stress the importance of being conscious of potential security exposures. For example, train users to notice “last login time” messages and to be wary of telephone calls from “tech support.” Also, use periodic security reminders. For example, set up a quarterly staff meeting to review security and privacy procedures and/or hang posters or other materials that summarize the information.
Teach physical security habits. Discuss how your employees can protect their computer equipment from unauthorized access or physical damage. This includes reminders about locking doors and filing cabinets, proper disposal of PHI, proper use of passwords, and restricting the visibility of medical charts and of material displayed on computer screens.
Develop a curriculum. You can find a user training presentation under the Training section, which you can update as you change your policies.
Review the Job Responsibilities with Respect to PHI form. You created this form in Stat #1 and it provides an excellent outline of each member of your workforce and the PHI they handle. Use this to provide the specific training on policies and procedures that relates to each member of your workforce and the job they perform.
Use PrivaPlan Stat as a training program. The 10 steps outlined in Stat and its easy-to-understand, real-life examples form a wonderful foundation for workforce training. You can choose to give staff members a hard copy of Stat or have them review it electronically. Also, you can use the HIPAA Ready Reference as a training tool.
Provide your workforce with a copy of your Policies and Procedures to review. This can be augmented by a training session to discuss the Policies and Procedures. Alternatively, you may choose to purchase the PrivaPlanED HIPAA training CD, which includes features (such as real-time quizzes for trainees) that cannot be provided in a PowerPoint presentation.
Provide your workforce with a training test. Use the “HIPAA Privacy Rule Training” booklet for this purpose. Ask each member of the workforce to read this booklet and then answer the quiz at the end. They must also sign the certification and complete their HIPAA job responsibility sheet. Additional printed copies are available for a nominal charge from the California Medical Association by visiting their website, www.cmanet.org. If you are not a member of CMA these are still available, but at a slightly higher cost.
Especially in large organizations, doing all your refresher privacy training in one big lump can result in your staff being put through a long, boring and unproductive ordeal that the staff completely forgets as soon as it’s over. One idea to avoid this is to schedule the privacy and security training as part of each department’s regular meetings: it is possible to be more topical in your choice of subjects and easier to tailor the subject matter to the jobs of the people you are training. Also, by breaking refresher training into more manageable chunks, the staff has a better chance of retaining the information and following your policies and procedures more faithfully.
Grade the results of each training test. If a member of the workforce answers all the questions correctly and correctly completes their HIPAA job responsibility sheet, indicate that they have passed the test. If they do not, provide additional training and re-test the member of the workforce until they pass. Record the training process and results on the Workforce Training Log.
Update your procedure manual to reflect your training program. Ensure your procedures for training existing and new staff are correctly described in the Procedure Manual and that you follow these.
Document receipt of Policies and Procedures. Use the Log of Policies and Procedure Distribution form to track when members of the workforce have received their copies.
Conduct Refresher Training. HIPAA does not require refresher training for employees when policies and procedures have not changed. However, most practices are planning routine (yearly) training on HIPAA issues, in addition to training when things materially change, in order to reinforce overall understanding. We recommend that you do the same, both to remind the staff what your policies and procedures are and to help ensure that they are carried out.
Train staff about changes. Any time there is a material change in the policies and procedures or in a staff member’s job description, any member of the workforce whose job function is impacted must also receive training on these changes.
Training includes management
The security rule specifically mentions “management” in its training requirement. For a health care provider this means that the physician(s) or provider must be included in training and appropriate documentation maintained.
Train staff to use the security incident reporting procedure. As described in the Implementing the Security PrivaGuide, suspected or actual security incidents must be documented, investigated and, if necessary, corrective action put in place. Train staff to document any incident, for example, if they noticed the door was unlocked upon first entering the office, or they are aware that a temporary employee is using another employee’s password and reviewing data not necessary for their job.
Train staff to be careful about introducing malicious software into the system. Frequently remind staff to be careful about opening email attachments or emails from sources they are not familiar with. Also remind staff that they are not allowed to load software, CDs, disks, etc. from their home computers onto the office system without permission.
Train staff to maintain security updates. Some systems will alert the user when an update is ready to be installed. Train staff either to do the installations when alerted, or immediately notify the security official and await instruction.
Train staff about the necessity to protect electronic PHI. Remind staff that electronic PHI must also be safeguarded. Remind staff periodically about workstation and screen “placement” (so they are not easily visible to repair personnel or patients), and also that data backup and other devices must be properly stored (not left on the seat of a car exposed to heat or theft) and discarded (properly deleted prior to disposal).
What Should I Teach?
HIPAA requires that you train your staff about all policies and procedures you adopt to ensure your customers’ privacy. Your privacy and security policies and procedures should be documented in a policies and procedures manual. This manual is an essential part of any HIPAA training that you provide.
About the Authors:
This PrivaGuide has been greatly improved and customized by the California Medical Association. Specifically, the work of Catherine Hanson, Vice President and General Counsel of the CMA and Steve Fleisher, Esq. of Fleisher and Associates.
Ms. Berkeyheiser has over twenty years’ experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology. She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), Gap Analysis (PrivaPlan), and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates). She actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDI SNIP). This gives her an extensive and current knowledge of HIPAA remediation solutions.
Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342. Telephone: (610)-558-3332. Email: firstname.lastname@example.org.
Ms. Paramore has over 18 years’ experience in the healthcare industry, in health plan, provider, and vendor operations. She founded PCI in 1997 in order to help healthcare organizations realize the business benefits of e-commerce and EDI technologies. Ms. Paramore is a frequent speaker and panel participant at industry conferences (particularly on HIPAA), has authored industry white papers and is often quoted by healthcare trade magazines. She has been working with HIPAA at a detailed level since 1999 and has completed numerous HIPAA engagements for clients. Recently, Ms. Paramore has become expert in the Gramm-Leach-Bliley legislation and its privacy impacts on health plans. Her consulting practice helps clients balance e-commerce strategy with compliance burdens.
Ms. Paramore previously served as VP of Anthem EDI (formerly the CEO of MMR, Inc., a subsidiary of Anthem BCBS), a healthcare EDI clearinghouse, where she was responsible for all day-to-day operations of the company. She successfully repositioned the company into a profitable business unit, capitalizing on market opportunities and exiting unprofitable lines of business. Ms. Paramore was responsible for processing all EDI transactions for Anthem BCBS and AdminaStar Medicare operations. While in this role, her team developed and launched the Anthem Midwest Intranet. She also founded and chaired the Anthem-wide Internet Strategy Committee.
Prior to Anthem EDI (MMR), Ms. Paramore held a number of senior consulting and executive management positions in the healthcare industry. She served as Vice President and General Manager of Operations for AllMed Financial Corp., a physician billing and hospital AR receivables management organization; she was with Ernst & Young in their healthcare management consulting division; she was with GEIS, operating the hospital information systems for Hospital Corporation of America. During her tenure there, she worked with the original software development team to build the EDI*Express product.
Miriam J. Paramore
PCI: e-commerce for healthcare
9001 Shelbyville Road
Louisville, KY 40222
Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders.
David Ginsberg is a healthcare consultant with over twenty-five years’ experience. Most recently, he organized and is Executive Director of the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.
Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting, and compliance issues.
Mr. Ginsberg can be contacted at PrivaPlan Associates, Inc., 3 Monte Alto Way, Santa Fe, NM 87508. Telephone: 877-218-7707. Email: dginsberg@PrivaPlan.com.