Medicare Compliance & Reimbursement

From the ground up: Tips for building your security training program.

Are you certain your employees have all the Health Insurance Portability and Accountability Act (HIPAA) security training they need to keep your organization sanction-free? If not, now is the time to fine-tune your security-rule compliance, starting with an individualized training program built for your organization's specific needs.

While the privacy rule brought across-the-board mandates, the security rule "gives more room for individual development of a procedure that reflects the level of technology of the individual organization," says William Hubbartt, president of St. Charles, IL-based Hubbartt & Associates. Use this wiggle room to your advantage by developing a training program that works with the technology your organization uses, rather than trying to conform to one general standard, he suggests.

Prioritize: Your training program must incorporate the 18 required standards, but many of the addressable standards can also be used. "Build your program around the required standards," Hubbartt advises, and then choose the addressable standards that best suit your needs.

Generally speaking, the security rule "gives you an opportunity to speak to an audience [of employees]," reminds Rose Dunn, consultant at First Class Solutions in St. Louis, MO. "So if there are things that management believes are good to do regardless of whether the regulation requires them or not, this is an ideal time to incorporate them."

Set achievable goals: Security should facilitate your operations, not grind them to a halt. "If security paralyzes the goal of your business, then you've failed," clarifies C. Jon Burke of Toshiba America MRI Inc. "Don't let security paralyze the operations. HIPAA is not intended to interfere with the delivery of health care," he notes.

Choose The Right Architect

Your security-training program must be helmed by someone who knows how to bring your organization into compliance and has the technical knowledge to implement the necessary changes.

The designated officer also needs to possess "the ability to communicate with people who operate at all different levels of the organization," posits Boston Bar Association president and Suffolk University Law School associate professor Ren Landers. Without effective communication, she says, the training will be inefficient and could lead to trouble.

Built-in flexibility: "While the privacy rule requires you to have a privacy officer, the security rule does not specifically state that you must have a security officer," Hubbartt advises. Consider involving an information systems expert. "Depending on the degree of detail, there needs to be close coordination between" the security administrator and those qualified to carry out the compliance requirements, he says.

Most importantly, Landers observes, "it should be clear who ... people can go to at any time with questions so that there isn't this feeling that they're out there alone with decisions to be made that they don't feel comfortable making." In addition, Landers favors a policy that limits access to e-PHI until this doubt is resolved.

Identify The Crucial Elements

Security training "should be tailored to your organization and group of employees and the types of e-PHI they will have access to," explains Dunn. Each employee, from front line to management, comes into contact with different types of e-PHI and must be taught accordingly.

"Everybody should be trained," Hubbartt advocates, "and elements of that training may be more detailed according to the function of the employee." For those with limited access to e-PHI, he recommends that "the training be more broad-brush" by focusing on the requirements of the regulation along with the facility's objectives.

Trap: One of the most frequent pitfalls in security training, experts concur, is the belief that e-PHI exists solely on a computer. All those who have access to e-PHI must be trained and "that doesn't necessarily mean a person who has sign-on rights to a computer. It could mean someone who has access to disks or CDs because they transport that information from one office to another," Dunn clarifies.

And don't forget about training your maintenance or janitorial services staff, Landers cautions. All "people ... who might have access to equipment and who have control over access to locations where protected health information is stored" must be clear on what the limitations are. Failing to train them could result in serious security breaches.

Write it down: Also, make sure to maintain accurate documentation of your training. "The administrative director or other designated individual is responsible to maintain a record of training," reminds Hubbartt.

Documentation can save you in the long run, says John Parmigiani, National Director of HIPAA Compliance Services for CTG HealthCare Solutions in Cincinnati, OH. "If there's an alleged violation somewhere down the pike, [documenting our training efforts proves] we attempted to get this across and embed it in our day-to-day operations."