ABA Health eSource
July 2007 Volume 3 Number 11

HIPAA Workforce Education Requirements - Revisited!
by R. Harold (Hal) McCard, Jr. and Lauren M. Venturatos, Chaffe McCall L.L.P., New Orleans, LA

From time to time, it’s useful to review the specific HIPAA Privacy and Security regulation requirements addressed to workforce training to ensure that current training initiatives and compliance documentation reflect the requirements of the regulations. Here, in a nutshell review, are the requirements:

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was enacted to protect private individually identifiable patient information, provide for electronic and physical security of patient and health information, and implement the use of standard transactions and billing code sets. HIPAA compliance is required of all covered entities, which include (1) healthcare providers that conduct certain transactions in electronic form, (2) healthcare clearinghouses, and (3) health plans. To implement the security and privacy safeguards created by HIPAA, a covered entity must ensure that its workforce is properly trained to follow guidelines found within the Act’s “Administrative Simplification” provisions (which established standards for electronic health care transactions and national identifiers for providers, health plans, and employers to ensure the security and privacy of healthcare information). A covered entity’s workforce is defined as its employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. To be in compliance with HIPAA, a covered entity must ensure that its entire workforce follows the privacy and security requirements found within the Act.

Workforce Privacy Education Requirements

Under the HIPAA Privacy Rule, generally, an individual has a right to adequate notice of the uses and disclosures of protected health information (“PHI”) that may be made by the covered entity, as well as his or her rights and the covered entity’s legal duties with respect to protected health information. A covered entity is required to train all members of its workforce on the policies and procedures related to PHI under HIPAA, as necessary and appropriate according to the function of each member’s position within the workforce.

In order to properly train all members of the workforce, the covered entity must provide training that adequately prepares each member for his or her position by (1) training each member of the workforce no later than the compliance date of the covered entity; (2) training each new member of the workforce within a reasonable period of time after the person joins the workforce; and (3) training each member of the workforce whose job functions or duties are affected by a material change in the HIPAA Privacy Rule policies and procedures within a reasonable time after the material change becomes effective. Furthermore, a covered entity must document the provision of such training by maintaining the entity’s policies and procedures, communications, and actions taken, in written or electronic form, for six years from the date of its creation or the date when it was last in effect, whichever is later. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and provide timely workforce training to meet this goal.

Workforce Security Education Requirements

To comply with the HIPAA Security Rule, a covered entity must (1) ensure the confidentiality, integrity, and availability of all electronic protected health information (“EPHI”) that the entity creates, receives, maintains, or transmits, (2) protect against reasonably anticipated threats or hazards to the security of EPHI, (3) protect against reasonably anticipated impermissible uses or disclosures of EPHI, and (4) ensure compliance with the Security Rule by its entire workforce. In order to meet these requirements, the covered entity must implement a security awareness and training program for all workforce members, including management.

A security awareness and training program must include (1) periodic security updates, (2) protection from malicious software, (3) monitoring of attempts to log in to the system and the reporting of discrepancies, and (4) procedures for creating, changing, and safeguarding passwords. All aspects of this program are “addressable,” which requires the covered entity to assess whether the implementation specification is reasonable and appropriate, given the entity’s situation and environment. If reasonable and appropriate, the security specification must be implemented. However, if the specification is not reasonable and appropriate, the covered entity must document the reasons why it is not so and implement an equivalent, alternative measure, if reasonable and appropriate. Under the Security Rule, each covered entity must properly train its workforce to protect the confidentiality and integrity of EPHI.
It’s good to review the HIPAA workforce training requirements periodically, to make sure that training and compliance documentation efforts haven’t fallen between the cracks. Each covered entity must complete workforce education, audit its training program on a periodic basis, and ensure that all new hires are properly trained. The training program should include:

  1. Proper and timely training of the workforce members on HIPAA requirements, according to each member’s position;
  2. Implementation of periodic security updates;
  3. Installation of procedures for guarding against, detecting, and reporting malicious software;
  4. Monitoring of log-in attempts and reporting of discrepancies; and
  5. Implementation of procedures for creating, changing, and safeguarding passwords.

For more information on HIPAA workforce education, visit the CMS website at: http://www.cms.hhs.gov/HIPAAGenInfo/01_Overview.asp#TopOfPage