According to the HIPAA Privacy and Security Rules, formal education and training of the work force is required to ensure ongoing accountability for privacy and security of protected health information (PHI).
The Omnibus Rule, which went into effect on March 23, 2013, extended the training requirements to cover business associates as well as covered entities. In other words, any workforce member who could possibly come into contact with PHI must be trained, and retrained whenever an organization’s rules, policies or procedures change.
- HIPAA’s privacy rule defines workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity whether or not they are paid by the covered entity.”
- HIPAA’s Privacy Rule states: covered entities and business associates must train all members of their work force on the policies and procedures with respect to PHI as necessary and appropriate for the members of the work force to carry out their function within the covered entity.
- HIPAA’s Security Standard states: Covered entities and business associates should implement a security awareness and training program for all members of their workforce, including management.
- Covered entities and business associates are required to document that the training has been provided and retain the documentation for a minimum of six years.
It is important to note that the HIPAA Privacy and Security Rules address only minimum training, so it is the responsibility of each organization to customize its program according to the roles and positions held by the members of its workforce. The level of training and the topics addressed should vary according to who is being trained. For example, the training of staff members involved in direct patient care will differ from that of administrative staff or personnel in the Health Information Management (HIM) Department.
What are your thoughts?