Advanced Search

Health Information Compliance Alert

Training:

EFFECTIVE HIPAA TRAINING USES REAL-LIFE EXAMPLES

Published on Fri Mar 01, 2002

With HIPAA's privacy requirements set to take effect in April 2003, covered entities should be training staff on compliance. But if you're planning to educate only your managers in hopes that the crucial information will trickle down to your front-line staff, you need to reassess your strategy.

"You can't say, 'OK, I'm going to train the top three people in my organization and therefore I'm going to be done with my HIPAA privacy training because they're going to understand everything and will be there to answer questions," warned Kristen Baum of Joliet, IL-based Murer Consultants, speaking last month at Eli's teleconference on HIPAA privacy training. "That's not going to cut it. The rule is very specific about having everyone in your organization trained on privacy."

Co-presenter Michael Murer pointed out that failing to train everyone on your staff comes with a hefty price tag. "[HIPAA training] requires the involvement of everyone who is associated with your institution, because the penalties are harsh," he cautioned.

How harsh? Civil penalties under HIPAA carry fines of $100 per incident, capped at $25,000. However, the cap applies only to violations of the same requirement if you violate different sections of the rule, you could face multiple civil violations.

Meanwhile, knowing violations of the regulations carry criminal fines of as much as $50,000 or a year in prison. In addition, tort lawyers are likely to use the law to sue providers for damages.

Murer elucidated the characteristics of an effective training program. Such a program, he explained, is:

  • Functional. A training program that takes a purely theoretical approach won't work. Instead, it should be built around real-life examples. "Make them interesting," Murer urged. "Give a lot of detail so [trainees] say, 'This is like a case we had. This is like something that we've seen.'"

  • Analytical. It's important that trainees be allowed to talk about how to apply the rule in different cases not only to improve their understanding of the rule, but also to improve your organization's compliance efforts."You need to be able to find the people who understand what it is that you're trying to teach them, so that they can be the [knowledge] base for that part of the organization," he explained.

  • Matrixed. Murer pointed out that health care organizations deal with many different kinds of staff, professional and nonprofessional, as well as outside contractors, and that creates a complex matrix of relationships. "Who can have what information, who can't have what information, where are the limits, how is the information transmitted all of these are concerns of your training program," Murer noted.

    As an example, he described a scenario where a facility accountant reviews a patient's file for billing purposes, then attends a cocktail party where he sees the patient's physician. What, if anything, can the accountant say?

    And what happens when a janitor sees a patient's records lying on a clinician's desk? Effective HIPAA training would address these situations, the presenters said.

    "Organizations in health care know how to treat patients, how to bill, how to administer," Murer said. "Now they have to learn how to protect individually identifiable health information."

    • Other Articles in this issue of

    Health Information Compliance Alert

    View All