What Does HIPAA Require for Compliance in Training?
HIPAA provides comparatively little detail concerning employee training. Here is the direct quote from the "simplified" summary on the Department of Health and Human Services (HHS) website:
“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
The standard relates explicitly to training on the HIPAA policies and procedures that an organization itself has in place, not to generic HIPAA awareness. This is a critical clarification: training that does not cover the organization's own policies and procedures, and that is not documented for each workforce member (the Privacy Rule also requires that training be documented, and an employee attestation is the usual way to do that), will not satisfy the requirement of the law. How can you strike a balance between fulfilling the training requirements of the law and running your organization efficiently?
Industry Best Practices and the Good-Faith Principle
Industries identify best practices by looking at the successful actions taken by their members as they respond to market and regulatory conditions. It doesn't mean every business has to follow them, but they provide an excellent starting point for developing a strategy for your organization.
The HHS Office for Civil Rights is responsible for enforcing HIPAA. They understand that preventing every breach of protected health information (PHI) is impossible. They are far less understanding when they discover that an organization cannot demonstrate that its actions constitute a good-faith effort to follow the law.
Annual HIPAA compliance reviews and training are recognized as best practices by many in the healthcare industry. One reason is that they are an excellent way to demonstrate an organization's good-faith efforts to comply with HIPAA Privacy Rule and HIPAA Security Rule requirements. Note that "annual" is an industry convention rather than a number from the regulation: the Privacy Rule itself requires that each new workforce member be trained within a reasonable period after joining, and that affected workforce members be retrained within a reasonable period after a material change in policies or procedures. An annual cycle is a practical way to meet those requirements on a predictable schedule, but it does not replace the new-hire and change-driven training the Rule calls for.
Compliancy Group’s healthcare compliance software, The Guard, streamlines the process of conducting risk assessments to identify gaps and craft remediation plans to address them. It helps you build and update policies and procedures and provides clear training with attestations for employees.
The Guard also keeps track of all Business Associate Agreements for your vendors and provides breach reporting and response services if needed. Most importantly, The Guard records all of your actions toward achieving HIPAA compliance so that you can prove your good-faith effort if necessary.