fbpx
HIPAA Training Standards Everyone Needs to Know

HIPAA Training Standards Everyone Needs to Know

HIPAA Training Standards Every Business Associate Needs to Know

Per the HIPAA Privacy Rule and HIPAA Security Rule, both Covered Entities and Business Associates, must require HIPAA training for all workforce members that access protected health information (PHI) or electronically protected health information (e-PHI) in any of its forms and should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the [organization].”

According to the Rule, training must be provided “to each new member of the workforce within a reasonable period of time after the person joins the [organization’s] workforce.” Along with all other annual compliance requirements, HIPAA training is arguably the most important. Your workforce members are your first line of defense in the event of a Breach and must be able to identify your organization’s designated HIPAA Security Officer, and have a firm understanding of the HIPAA Privacy and Security Rule. Training should also highlight the organization’s Technical, Administrative, and Physical Safeguard objective security requirements. It is best practice to provide ongoing security awareness training and, in addition to the mandatory annual training, the Privacy Rule also highlights what’s known as “periodic” training. The goal is to ensure workforce members’ knowledge of HIPAA compliance is not forgotten.

It’s advisable that HIPAA training is given to all employees as new hires during the new employee orientation period, and before new employees are exposed to or work with individually identifiable health information. This includes officers, agents, employees, temporary employees; like students, interns, volunteers, and salespeople. At a minimum, training should cover the basics of HIPAA, the basics of privacy and security requirements and restrictions, and policies and procedures. All new hires need to be provided HIPAA training and a post-test on the material covered within the training course to ensure comprehension of relevant and appropriate HIPAA policies and procedures.  Security Officers should be trained on the Breach Notification Rule, Minimum Necessary Rule, and the Organization’s policies and procedures.

The HIPAA Privacy Rule states that “An [organization] must document that the training as described [in the HIPAA Text] has been provided.” Failing to do so will be seen as “willful neglect” and will result in HIPAA violations including monetary penalties as high as $1.5 million dollars. A minor violation may only result in a corrective action plan requirement, whereas a significant data breach attributable to a lack of training will be viewed more seriously.

At Live Compliance, we make checking off your compliance requirements extremely simple.

      • Completely online, our role-based courses make training easy for remote or in-office employees.
      • Short informative video training to meet periodic training requirements
      • Depending on the size of your organization training may start as low as $79

Call us at (980) 999-1585 or visit us online at www.LiveCompliance.com/ezclaim


ABOUT EZCLAIM:
EZClaim is a leading medical billing, scheduling, and payment software provider that combines a best-in-class product with exceptional service and support. For more information, schedule a consultation today, email our experts, or call at 877.650.0904.

Small Practice Fined $100,000 for Risk Analysis Breach!

Small Practice Fined $100,000 for Risk Analysis Breach!

An independent physician gastroenterology practice in Utah had to report a breach related to a dispute with a Business Associate to the Office for Civil Rights Department of HHS.

After the investigation into the breach, it was determined that the practice of Steven A. Porter, MD “had failed to complete an accurate and thorough risk analysis, and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” and therefore, has agreed to pay a $100,000 fine.

In addition to the monetary penalty, the practice is required to implement a Corrective Action Plan (CAP). According to the investigation resolution agreement, the practice agreed to conduct a thorough Risk Analysis, the Practice must develop a complete inventory of all its categories of electronic equipment, data systems, and applications that contain or store ePHI, which will then be incorporated into its Risk Analysis and must complete a Risk Management plan. They must also revise and implement actionable policies and procedures, all of which should have been in place prior to the breach incident.

Have you ever read such headlines and doubted whether a small Billing Company or independent physician practice actually ever face penalties?

According to the Resolution Agreement, the practice must also completely reinvent its Business Associate process, and implement a strict protocol to ensure it’s Business Associates are HIPAA Compliant. In addition to ensuring their Business Associate relationships are accurate, the entire staff must undergo security and privacy training that stresses the use of Business Associate services and applications, disclosures to Business Associates that require a Business Associates agreement, or other reasonable assurances in place to ensure that the Business Associate will and can safeguard the PHI and/or the ePHI. This puts immense pressure on the Business Associates, such as Billing Companies, to ensure that they are HIPAA Compliant, but also independent physician practices to ensure their Business Associates, “down the chain” are also compliant. This is also known as gaining Satisfactory Assurance of vendor HIPAA compliance.

What can you do?

As we have stressed before, it is important for you to understand that every complaint or potential breach must be investigated by HHS/OCR. If you, a billing company, or another vendor, suspect a breach you must inform the covered entity (your client) and have a breach risk assessment completed to determine key factors and take action. Keep in mind, a business associate is a ‘person’ or ‘entity’. This means there is no Billing Company too small or too large to comply with the Federal HIPAA regulations. Again, if you haven’t completed an accurate and thorough security risk assessment prior to that, you could also be penalized under ‘willful neglect’. This category alone is $50,000 per violation!

What we do is keep this from ever being a worry for you! In fact, we have a 100% audit pass rate! For example, Live Compliance has easy to understand HIPAA breach notification training. We perform your security risk assessment and manage all your requirements, including business associates, in a clean, organized cloud-based portal. Don’t risk your company’s future, especially when we are offering a FREE Organization Assessment to help determine your company’s status. It’s easy, call us at (980) 999-1585, email me jim@LiveCompliance.com or visit LiveCompliance.com

[ Contributed by Jim Johnson, President of Live Compliance ].