Are your business associate relationships properly labeled? Teaching staff about HIPAA can be daunting, but your job will be more manageable if you tailor your policy training to what employees actually need to do their jobs compliantly. Employees Want To Cut To The Chase And Kristen Rosati, an attorney with Coppersmith Gordon Schermer Owens & Nelson in Phoenix echoes a mantra that is broadly applicable to all covered entities struggling with this concern: "What's most important to realize about HIPAA training is that you don't have to train your employees or your work force members on the HIPAA privacy standards. You have to train them on your policies."
Sort out business relationships: Providers who have multiple entities need to begin with a thorough examination of how their operations are organized, says Robert Markette, an attorney with Indianapolis-based Gilliland & Caudill. They should determine whether they will need to designate themselves as affiliated, hybrid, or an organized health care arrangement, he notes.
Hidden advantage: There are great benefits for providers who do this, such as reducing the number of privacy notices and the ability to reduce the number of business associates, adds Markette. "Because of the efficiencies this can create, I would advise anyone doing this analysis to start with an evaluation of the association to determine the most efficient way to designate any associated providers or other supporting organizations," he directs.
Rosati says covered entities need to focus on what their employees need to know in order to ensure that their hospital or health care organization doesn't violate the privacy rule. To do that, they'll need to create policies that incorporate all the requirements, and then see to it that the employees are aware of the policies that will affect their work.
Training will vary depending on the type of work they do for the health care organization. "Employees who don't handle health information as part of their job certainly won't need as much training as clinical personnel," asserts Rosati, who offers up a janitorial staffer as an example.
"They need to be trained about what to do if they find a medical record in the trash. Or, for example, if someone sees a celebrity in the hospital, their presence there is confidential and you can't tell your friends if some celebrity showed up in the place."
The best approach is to be very practical about who needs to know what in a particular organization, privacy experts agree.