If you work for any company that provides a form of health service, traditional or otherwise, or for a firm that is a business associate of such a company, then you should receive HIPAA training. A business associate may be a health insurer, a provider of software designed to store and transmit health information, or even a contractor whose work gives you access to files storing such information (more on this later).
If you run a business that deals directly or indirectly with health care services and maintains protected health information (PHI), then you have a legal obligation to train your staff in the requirements of HIPAA and to maintain HIPAA procedures within your business. Failure to do so can attract tiered civil penalties of up to $1.5 million per year for violations of a single provision under the HITECH Act of 2009, which extended HIPAA's obligations directly to the business associates of health services and tightened the application of HIPAA in the businesses to which it relates.
Let's assume that you have identified your business as coming under the terms of HITECH. How do you conform to the requirements of HIPAA? The first step is learning what HIPAA is about and how it affects your business. If you run a dental surgery, a pharmacy or even a private care home, then it affects you directly, and you are already in breach if you have not trained all your staff in HIPAA and how it affects them.
If you supply health insurance, you may also be in breach if you hold the personal health details of your clients, and penalties apply even to violations you were unaware of: not knowing only places you in the lowest penalty tier, it does not exempt you. Under the terms of HITECH, you have to train your employees in HIPAA if you provide or even service the software that maintains such records, or if you are in any other way associated with the health service in a manner whereby you or your employees could have access to such information.
Here is the definition of a business associate, paraphrased from the regulations themselves:
Someone who, on behalf of a covered entity, performs or assists in an activity or function involving the use or disclosure of individually identifiable health information, including data analysis or processing, quality assurance, benefit management, billing, claims processing or practice management, or any other function that the regulation covers (that's a cover-all statement!).
Also, anybody providing legal, actuarial, accounting, consulting, management, administrative or financial services to a 'covered entity' (a health plan, health care clearinghouse or health care provider covered by the regulations), and any subcontractor of a business associate that handles protected health information on its behalf. In practice, this also covers software providers and maintenance engineers and anyone else who handles, or could plausibly gain access to, protected health information in the course of that work.
HIPAA compliance training should be designed not only for employees of a business involved in primary or secondary health care, but for anybody in any business whose work could give them access to such health information. Such training should be given to everyone in those establishments or businesses, and training records should be kept in their personnel files. New employees should receive the same level of HIPAA training, and that includes maintenance staff.
If you are asking whether or not you need HIPAA training, take a close look at your job. Maybe it's not you, but another employee working with you, who requires training. Is there any situation in the course of their work where they could conceivably access an individual's medical records? Is it possible even if it isn't part of their normal duties? For example, might they have a login to the software package that holds such records, and be able to use it to open the actual records, even though doing so is not their job?
Checking for that should be part of your HIPAA procedures: make sure you are not missing something that could result in your company breaching the regulations. Under HITECH, if an employee accesses records in this way and you are unaware of it, your lack of knowledge is not a defence; it only determines which penalty tier applies. You may think this unfair, but the best way to avoid it is to give all employees HIPAA training, whether your firm is a covered entity or only a business associate of one.
Play safe: that's the best way to deal with HITECH and HIPAA, and there are many relatively inexpensive HIPAA compliance training courses online that let you demonstrate you have done all you could to make your employees aware of their obligations and of their individual roles in your HIPAA policy. Inexpensive relative to the financial penalties, that is!