Medicare Compliance & Reimbursement

HIPAA:

Use These Simple Guidelines To Secure Your HIPAA-Security Training

From the ground up: Tips for building your security training program.

Are you certain your employees have all the Health Insurance Portability and Accountability Act (HIPAA) security training they need to keep your organization sanction-free? If not, now is the time to fine-tune your security-rule compliance, starting with an individualized training program built for your organization's specific needs.

While the privacy rule brought across-the-board mandates, the security rule "gives more room for individual development of a procedure that reflects the level of technology of the individual organization," says William Hubbartt, president of St. Charles, IL-based Hubbartt & Associates. Use this wiggle room to your advantage by developing a training program that works with the technology your organization uses, rather than trying to conform to one general standard, he suggests.

Prioritize: Your training program must incorporate the 18 required standards, but many of the addressable standards can also be used. "Build your program around the required standards," Hubbartt advises, and then choose the addressable standards that best suit your needs.

Generally speaking, the security rule "gives you an opportunity to speak to an audience [of employees]," reminds Rose Dunn, consultant at First Class Solutions in St. Louis, MO. "So if there are things that management believes are good to do regardless of whether the regulation requires them or not, this is an ideal time to incorporate them."

Set achievable goals: Security should facilitate your operations, not grind them to a halt. "If security paralyzes the goal of your business, then you've failed," clarifies C. Jon Burke of Toshiba America MRI Inc. "Don't let security paralyze the operations. HIPAA is not intended to interfere with the delivery of health care," he notes.

Choose The Right Architect

Your security-training program must be helmed by someone who knows how to bring your organization into compliance and has the technical knowledge to implement the necessary changes.

The designated officer also needs to possess "the ability to communicate with people who operate at all different levels of the organization," posits Boston Bar Association president and Suffolk University Law School associate professor Renée Landers. Without effective communication, she says, the training will be inefficient and could lead to trouble.

Built-in flexibility: "While the privacy rule requires you to have a privacy officer, the security rule does not specifically state that you must have a security officer," Hubbartt advises. Consider involving an information systems expert. "Depending on the degree of detail, there needs to be close coordination between" the security administrator and those qualified to carry out the compliance requirements, he says.

Most importantly, Landers observes, "it should be clear who ... people can go to at any time with questions so that there isn't this feeling that they're out there alone with [...]