All clinics have HIPAA privacy and security responsibilities in their organization, so make sure you have a real plan in place. The point is not only to have your processes documented in case of a breach or audit, but also to ensure that staff know what is expected of them and take the appropriate steps in their day-to-day responsibilities.
Mid-size independent clinics may be able to reduce the administrative upkeep and costs of privacy and security training by integrating it into other educational programs and training during the year. It can also be part of an ongoing educational effort that is daily or weekly in nature. While many of the concepts of HIPAA are universal, some staff, such as front desk or IT staff, may need additional training in job-specific areas. Senior management may need another level of training and understanding to ensure policy is being implemented appropriately throughout organizational practices.
The following guidelines can be applied in most clinic environments for HIPAA training and security:
- Create a policy document that employees can keep in their work areas as reference
- HIPAA training must include written documentation, explanation, education and application of the skills as well as sustainability measures
- Training should address the different forms of PHI (verbal, written, and electronic)
- Provide training for all employees, including part-time staff, interns and contract workers
- Training should take place on the very first day of employment and be completed and signed off prior to engaging with confidential records
- Have staff training mandated on an annual basis as a refresher
- Ensure staff engagement in training by creating peer review or rewards for identifying risk areas and recommendations to address them
- Have a means to collect questions confidentially and provide employees a means to relay information without adverse repercussions
- Evaluate training and seek feedback on effectiveness and gaps that still need to be covered
- Have a sign-off document that ensures employee responsibility for the information they have received
Don’t wait to get started – try a HIPAA office walk-through. But make sure your trainer values what they are espousing. The last thing a clinic needs is someone conducting the training who does not genuinely believe in the importance of PHI and compliance! Just because someone is a manager does not make them the only choice for a training. Identifying staff champions who can relay information in a sensible and easy-to-implement fashion can go a long way toward having training that lasts.