Question: Our office occasionally uses temporary workers and other nonpermanent employees. Is it necessary to have them undergo HIPAA training since they often come and go quickly? Georgia Subscriber Answer: You need to keep HIPAA in mind, regardless of whether they’re a full-time employee or temporary worker. No matter the status of the staff for a covered entity (CE), if the employees are interacting with patients and/or disclosing or using protected health information (PHI), they are subject to the HIPAA rules.
“For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce,” the HHS Office for Civil Rights (OCR) reminds in online Privacy Rule guidance. “These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs,” OCR adds. Tip: Compliance officers should adapt HIPAA training based on an employee’s role and how much PHI they’ll be handling daily. That being said, they should also ensure that staff are fully trained on the Privacy and Security Rules — and know the consequences for unauthorized access and disclosure.