Health Information Compliance Alert

Training:

Use Real-Life Examples For Most Effective HIPAA Training

One size does fit all where HIPAA privacy training is concerned.

If you're planning to educate only your managers on HIPAA privacy compliance in hopes that the crucial information will trickle down to your front-line staff, you need to reassess your strategy.

"You can't say, 'OK, I'm going to train the top three people in my organization and therefore I'm going to be done with my HIPAA privacy training because they're going to understand everything and will be there to answer questions," warned Kristen Baum of Joliet, IL-based Murer Consultants, at an Eli teleconference on HIPAA privacy training. "That's not going to cut it. The rule is very specific about having everyone in your organization trained on privacy."

Co-presenter Michael Murer pointed out that failing to train everyone on your staff comes with a hefty price tag. "[HIPAA training] requires the involvement of everyone who is associated with your institution, because the penalties are harsh," he cautioned.

How harsh? Civil penalties under HIPAA carry fines of $100 per incident, capped at $25,000. However, the cap applies only to violations of the same requirement; if you violate different sections of the rule, you could face multiple civil violations.

Meanwhile, knowing violations of the regulations carry criminal fines of as much as $50,000 or a year in prison. In addition, tort lawyers are likely to use the law to sue providers for damages.

Murer elucidated the characteristics of an effective training program. Such a program, he explained, is:

Functional. A training program that takes a purely theoretical approach won't work. Instead, it should be built around real-life examples. "Make them interesting," Murer urged. "Give a lot of detail so [trainees] say, 'This is like a case we had. This is like something that we've seen.'"

Analytical. Trainees should be allowed to talk about how to apply the rule in different cases, not only to improve their understanding of the rule, but also to improve your organization's compliance efforts. "You need to be able to find the people who understand what it is that you're trying to teach them, so that they can be the [knowledge] base for that part of the organization," he explained.

Matrixed. Murer pointed out that health care organizations deal with many different kinds of staff, professional and nonprofessional, as well as outside contractors, and that creates a complex matrix of relationships. "Who can have what information, who can't have what information, where are the limits, how is the information transmitted. All of these are concerns of your training program," Murer noted.

As an example, he described a scenario where a facility accountant reviews a patient's file for billing purposes, then attends a cocktail party where he sees the patient's physician. What, if anything, can the accountant say?

And what happens when a janitor sees a patient's records lying on a clinician's desk? Effective HIPAA training would address these situations, the presenters said.

"Organizations in health care know how to treat patients, how to bill, how to administer," Murer said. "Now they have to learn how to protect individually identifiable health information."

Other Articles in this issue of

Health Information Compliance Alert

View All