The HIPAA privacy rule requires health care organizations to train their workforce to protect the confidentiality of patient medical records. The rule is one of a group of regulations enacted in the Health Insurance Portability and Accountability Act, a 1996 law that established privacy and security standards to protect sensitive patient health information from unauthorized use and disclosure.
Who Is Trained?
Hospitals, health care insurers and health care clearinghouses subject to the privacy rule must train personnel who interact with patients and access medical records. In addition to health care professionals, the U.S. Department of Health and Human Services, the agency that drafted the rule, requires students and trainees in areas of health care to learn about the regulation and their organization's privacy policies. Training also is required for non-health care professionals, including health data analysts, administrators and computer programmers who handle patient health information.
What Is the Curriculum?
Health care professionals should receive instruction on the various provisions of the privacy rule. Training generally gives workforce members an understanding of the type of information the privacy rule protects, how to use and disclose patient health information and the rights HIPAA grants to patients to access information in their medical records. Health care organizations also might tailor HIPAA privacy rule training to the role and rank of each employee, according to HHS.
When Is Training Required?
HHS requires training for new workforce members within a reasonable time after they join the organization. HHS proposes retraining for employees affected by significant changes in the organization's privacy policies or procedures. The privacy rule also requires organizations to document the training.
How Is Training Provided?
Although HHS has provided general training materials on its website, it doesn't prescribe the content of HIPAA privacy rule training. A small physician practice might satisfy the training requirement by providing each new staff member a copy of its privacy policies and documenting that they have reviewed the policies, while a large health plan may provide training through live instruction, video presentations or interactive software programs. The organization's privacy officer, a role the rule established, might determine the training program. The passage of the HIPAA privacy rule spawned a cottage industry of businesses and associations that may provide specialized training for different classes of the health care industry that must comply with the privacy rule.
Why Is Training Required?
HHS included the requirement for staff training in the regulation to make health care professionals aware of the privacy rule standards, their health care organization's policies with respect to protecting the confidentiality of patient health information and the consequences of violating the privacy rule.