People think HIPAA is difficult. Taken as a whole, HIPAA can seem overwhelming and it has a lot of parts. But each of the parts can be broken into steps that can be easily learned. Sound crazy? It’s not when you remember that people need only learn the steps to safeguard the protected health information (PHI) that they work with. Everyone doesn’t need to know everything!
HIPAA Training for Quality Care
Workforce is the backbone of HIPAA compliance. Although there’s been a massive shift to electronic record keeping, healthcare is not delivered by robots. Everything that happens in healthcare requires people interacting with other people – other professionals or patients or the public.
While HIPAA requires that covered entities and business associates provide workforce training, it also may be the most effective tool you have to defend against cyber crime, prevent breaches and support the workforce. Maintaining patient trust by protecting privacy also is essential for quality care.
HIPAA Training Should be Relevant
An important part of Risk Management is making sure that workforce members are trained on the HIPAA rules that apply to them and that they understand the training.
To begin, everyone needs to understand that protecting PHI is a core value of the organization. Beyond that they don’t need to know the details of any HIPAA safeguards that don’t apply to their work.
The best training is relevant, fun, and memorable. It needs to be delivered in short chunks, tailored to the job position, and give people a sense of accomplishment. All of this is achievable because HIPAA can be understood step-by step, and once learned, helps staff understand and do their jobs better.
HIPAA Training Should be Targeted
A key to HIPAA training is the “minimum necessary standard”. “Minimum necessary ” is applied in several ways under HIPAA. One meaning is that workforce members only need to be trained on the HIPAA rules that apply to the protection of the PHI that that their duties require them to handle.
Take for example, the front desk staff – they interact with patients and they need to understand the simple protective steps required to protect the health information of patients they deal with – they don’t need to be bothered with the intricate safeguards that are included in the Contingency Plan for example. And an important tool for front desk staff training is making sure they have the right forms to use and know when to use them.
HIPAA Training Can Fix a Common HIPAA Failure
For example, in the past eighteen months there have been sixteen enforcement actions involving failure to provide patients access to their own medical records. The front desk staff should have available the correct form for a patient to request access and should be trained to help patients fill it out. They then should give the form to the medical records department that needs only to be trained in the steps required to fulfill the patients’ request for access.
IT staff (who do not interact with patients) do not need to know how to fill out a medical records access request, but they do need to know about log-in monitoring and password management. Make sure their training covers the HIPAA safeguards in the Security Rule, and that they can support the organization’s HIPAA Risk Analysis – Risk Management.
HIPAA Training Should be Delivered in Chunks
Experts tell us the best training is practical, short, and repeated frequently. That’s why we say an organization’s HIPAA training should be fast and flexible. By that we mean it is given in short chunks on topics that are relevant to the workforce member’s job.
It does no good to assemble the entire workforce once a year and subject them to the same hour-long powerpoint lecture about HIPAA if it doesn’t relate to their day to day jobs. Targeted, laser-focused training is easier to absorb and keeps staff engaged.
HIPAA Training Should include Cybersecurity Awareness
A critical point to note now is that everyone (in every field) needs to be aware of cybersecurity attacks. This training does not need to be lengthy or complicated. It means being aware of common phishing strategies like clickable links in emails, unusual pop-ups, and what to do if they suspect an electronic intrusion, i.e., turning off the computer and reporting it to the HIPAA Security Officer/IT staff immediately. Make the cybersecurity training relevant by helping staff understand that cybersecurity protection helps them at home as well as at work.
Help with HIPAA Training
If you need help with training your workforce, give us a call at The HIPAA E-Tool®.