Being HIPAA certified means that you have successfully undergone a course designed to train and teach you the information you need to enable your business or organization to become HIPAA compliant. It does not mean that you are compliant, but that you have been taught the terms of the Health Insurance Portability and Accountability Act and also the knowledge needed to apply these to your organization. Keep in mind that no entity is currently recognized as an acceptable certification by HHS, so you must do your research when looking for a good training company.
Here’s an excerpt from HHS.gov:
There is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
We should all know by now that HIPAA goes a lot further than just health insurance privacy: it extends to all forms of health care provision and to the business associates they deal with, such as software suppliers and even cleaning contractors that may be able to access private health information.
HIPAA Certification Courses
To become HIPAA certified you should take a HIPAA certification course, and there are many such courses available, both online and offline, yet none are recognized by HHS as of 2015. Online courses are particularly convenient because they can be taken when it suits you. You can also undergo HIPAA certification training in specific aspects of the Act, ranging from an overall understanding of its general requirements to training in specific regulations encompassed by the Act, such as those appertaining to security, administration and auditing.
This helps train specialists who will ultimately be responsible for managing these aspects of HIPAA in their own health care units or organizations. It is not only organizations that are directly connected with HIPAA that should receive HIPAA certification training, but also those that do business with them.
Be Aware of HITECH
Under HITECH, business associates should also become HIPAA trained, including pharmacies, ophthalmologists, medical laboratories and auditors, interpreters and even contract cleaning firms that may have access to private records even if only by accident. The Act has become all-encompassing over the years, and any individual, business or organization that could conceivably have access to medical or billing records of any kind should become HIPAA trained by taking a relevant training course.
In fact, you will find that HIPAA should be a high priority, because the 2010 HITECH Regulations have applied sanctions of up to $1.5 million if your business is willfully negligent in its handling of health records. No business where health records are involved can afford not to make sure that at least certain employees are HIPAA certified.
How to Become HIPAA Certified
The initial step to becoming HIPAA certified is to choose a HIPAA certification course that suits those individuals that must undertake it. It makes sense to include all employees in such courses, but if that is beyond your capability, either in terms of releasing manpower or of finance, then selected employees could be trained as trainers. Keep in mind no entity is currently recognized as an acceptable certification by HHS.
‘Train the Trainer’ is a common means of solving situations where every employee cannot be trained by a professional training company. Your selected HIPAA certified individuals can then hold training courses on-site for the others, so that a working knowledge of the Act can be rolled out over your entire organization.
You should have compiled a HIPAA Policy, using much the same terms as in your Health and Safety Policy, and also have a fully documented procedure, selected sections of which are audited monthly or even more frequently if you choose. Audit results should be published along with remedial actions to ensure compliance, and at least quarterly HIPAA management reviews should be held where audit results are discussed along with the effect of the remedial actions. This is where senior management decisions can be made regarding investment into improving HIPAA compliance.
Without HIPAA trained personnel who are trained in implementation of the Act it would not be possible to implement any of this in a professional manner. Should you come under scrutiny for potential non-compliances that could cost you a great deal of money, it will help your case if you can demonstrate that your policy and procedures are in place, you have regularly audited your HIPAA Management System, and that management reviews have taken place and remedial actions taken to rectify incidences of non-compliance.
Had you done none of this, you would be liable to be hit hard; having done so, a serious non-compliance might just be regarded as human error rather than endemic management failure to implement HIPAA properly.
HIPAA trained employees are very valuable assets in your company, and it is well worth investing in them. Select a training course suitable to you, and before long you will have people with the knowledge and training to apply HIPAA correctly – but they must have your support!