Question: We occasionally hire temporary workers and other nonpermanent employees at our facility. Should we offer training on the Health Insurance Portability and Accountability Act (HIPAA) to them or have them sign anything about the regulation?

AAPC Forum Participant

Answer: No matter the status of the staff for a covered entity (CE), if the employees are interacting with patients — or, in this case, residents — and disclosing or using protected health information (PHI), they are subject to the HIPAA Rules.
“For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce,” the HHS Office for Civil Rights (OCR) reminds in online Privacy Rule guidance. “These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs,” OCR adds.

Tip: Compliance officers should adapt HIPAA training based on an employee’s role and how much PHI they’ll be handling daily. That being said, they should also ensure that staff are fully trained on the Rules — and know the consequences for unauthorized access and disclosure.