Editor's note: This is the second blog in a series of articles on HIPAA compliance and is produced in partnership with Total HIPAA Compliance. The first blog in this series discussed penetration testing and can be viewed here. In the next article, we'll take a look at why staff may be your biggest threat to compliance.
If you attended our webinar last week, you heard Dan Brown and me speak about the importance of a HIPAA Compliance Plan, and tips for responding to a HHS Audit request. In our next webinar, we'll discuss updating your HIPAA Compliance Plan and the importance of training. You can register here.
How to Choose Training
Looking at the NueMD survey from this year, the results show only 58% of the practices surveyed said they have implemented annual training for their staff. If you aren’t training annually, this is a MAJOR hole in your HIPAA Compliance Plan. You can have the best Compliance Plan money can buy, but without staff training, this plan is effectively useless.
Two types of training are required under the HIPAA Law.
- Training on the HIPAA Law
- Training on your specific policies and procedures
Training on the law can be difficult, unless you happen to have a HIPAA expert on staff. Training on your specific policies and procedures, however, should be handled by internal staff who are familiar with your practice’s decisions since they likely had a hand in creating them.
What to Look for in Training
There are a multitude of training choices out there. Do you train everyone yourself, hire an outside resource, or use an online training solution? This is really a choice that is best answered by how confident you are in your knowledge of HIPAA, what your budgets look like, and the size of your staff.
Training Staff Yourself
Theoretically, this is the cheapest option, provided you have a strong understanding of HIPAA and a dedicated employee who can train your entire staff. However, many practices struggle to find an internal staff member that truly understands HIPAA, has the time to train staff annually, and can train any new staff as they come onboard in addition to any other responsibilities they may have within the practice.
- Strengths - Cost effective, easy to incorporate new staff
- Weaknesses - Requires you have a staff member that understands all aspects of HIPAA, additional responsibility for a staff member, have to store training records internally, finding time to train staff, and training development costs that reflect updates in the HHS rulings
Hiring an Outside Resource
Your legal counsel should be able to supply someone to train your staff on HIPAA and your Compliance Plan, but this a more expensive option than training staff on your own. Another issue you may run into is coordinating staff to be available when the trainer is onsite, and the inflexibility of training new staff members when they come onboard.
- Strengths - Expert trainer in office
- Weaknesses - Difficult to incorporate new staff into training program, expensive, finding time that is convenient to train all staff at same time
For many practices, this has all the benefits they are looking for: expert training, cost-effective and easy to incorporate new trainees as they come in. The drawbacks are, you still need to train your employees on the specifics of your plan. This option stands a chance if it is motivating and memorable.
- Strengths - Cost effective, easy to incorporate new staff, expert training, staff can train when it is convenient for their schedule
- Weaknesses - May not be up-to-date and still have to train staff on specifics of your practice’s HIPAA Compliance Plan
Any of these three approaches can be pretty boring. I recommend you try the training before you buy in, and make sure it’s not the dreaded “Death by PowerPoint.”
What about HIPAA certifications?
This is actually a marketing claim that will ultimately end up costing you more money with little to no additional benefit. HHS does not have a certification program, nor do they recognize these certifications. Usually, this is a way for companies to justify charging more for their services.
What are auditors looking for?
In the upcoming audits, HHS is going to be looking at your training logs. This means having a date workforce members were last trained, individual test scores, and regular training updates. The training records are important to show that you are taking HIPAA seriously, and have consistently trained your staff. If you don’t dedicate a budget to HIPAA compliance and training, you probably will not meet OCR’s requirements for HIPAA training.
To learn more about updating your existing compliance plan and how to choose the best training method for your practice, register to attend our upcoming webinar that will be held on Thursday, March 17 at 2pm EST. The webinar is free and all healthcare professionals are encouraged to attend. If you can't make it at 2pm, don't worry! Register anyway and we'll send you a copy of the recording and slide deck from the presentation. We hope to see you there!