They say an ounce of prevention is worth a pound of cure, but when it comes to HIPAA, that only works if everyone in your office takes their training vitamins.
With the Health Insurance Portability and Accountability Act’s privacy requirements set to take effect in April 2003, scores of covered entities are beginning to train their staff on compliance. But how does one train frontline staff?
Take physician practices, for example. If you’re planning to educate only your managers in hopes that the crucial information will trickle down to your frontline staff, you need to reassess your strategy.
“You can’t say, ‘OK, I’m going to train the top three people in my organization and therefore I’m going to be done with my HIPAA privacy training because they’re going to understand everything and will be there to answer questions,’” warned Kristen Baum of Joliet, IL-based Murer Consultants, speaking last month at Eli’s teleconference on HIPAA privacy training. “That’s not going to cut it. The rule is very specific about having everyone in your organization trained on privacy.”
Co-presenter Michael Murer pointed out that failing to train everyone on your staff comes with a hefty price tag.
“[HIPAA training] requires the involvement of everyone who is associated with your institution, because the penalties are harsh,” Murer cautioned.
How harsh, you ask? Civil penalties under HIPAA carry fines of $100 per incident, capped at $25,000. However, the cap applies only to violations of the same requirement — if you violate different sections of the rule, you could face multiple civil violations.
Meanwhile, knowing violations of the regulations carry criminal fines of as much as $50,000 or a year in prison.
Effective training programs have the following characteristics, according to Murer:
“You need to be able to find the people who understand what it is that you’re trying to teach them, so that they can be the [knowledge] base for that part of the organization,” Murer explained.
“Who can have what information, who can’t have what information, where are the limits, how is the information transmitted — all of these are concerns of your training program,” Murer noted.
As an example, he described a scenario where an accountant reviews a patient’s file for billing purposes, then attends a cocktail party where he sees the patient’s physician. What, if anything, can the accountant say?
And what happens when a janitor sees a patient’s records lying on a physician’s desk? Effective HIPAA training would address these situations, the presenters said.
Health care providers “know how to treat patients, how to bill, how to administer,” Murer said. “Now they have to learn how to protect individually identifiable health information.”