Federal HIPAA Regulations Require Staff Training

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), administered by the U. S. Department of Health and Human Services (HHS), applies to any health care entity that transmits patient information electronically.

HIPAA Regulations include a Privacy Rule, which requires that employees in health care settings receive training from their employers about confidentiality:
“A covered entity must train all members of its workforce [see definition below] on the policies and procedures with respect to protected health information [PHI] required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity” (45 CFR 184 530 (b) (1)).

HIPAA Regulations also include a Security Rule and a Transaction Rule , both of which have implications for how confidential information can be stored and transmitted by clinicians and/or members of their “workforce.” (See definition below.) The Security Rule requires practitioners to safeguard electronic protected health information in their practice from unauthorized alteration, destruction or disclosure, both intentional and unintentional. That means practitioners need to protect their electronic data, such as patient notes, e-mail with or about patients, and insurance or financial records with identifying patient information, from potential security risks. Under the Security Rule’s “contingency planning standard,” you must also develop an emergency plan to address how employees should respond to a loss of electronic information in the event of a disaster or emergency. This would include training employees about what to do if they are involved in an emergency situation and who they should contact to assess the seriousness of the situation. A disaster recovery plan should also encompass procedures such as developing an employee phone list to use in an emergency and procedures for patient contact in the event that appointments need to be verified or rescheduled.

The HIPAA Enforcement Rule (effective March 16, 2006) explains the circumstances under which a clinician may be held accountable for the HIPAA violations of (a) a member of your ” workforce ” or of (b) an ” agent .”

“WORKFORCE” = defined as paid employees PLUS trainees, supervisees and volunteers who are under direct control of the HIPAA-covered clinician. It is not necessary for every employee, trainee, supervisee or volunteer to know everything about HIPAA and patient privacy; but each should be trained about what is necessary for carrying out his/her own duties and trained not to handle patient information beyond their job description and training, unless specifically so authorized. The training must occur for all employees and others within a reasonable time after they join the workforce. The training must be tailored to the clinical setting, the employee’s responsibilities, and the confidentiality policies and procedures within that specific setting. This training must be documented, and the employee must demonstrate that the training has been understoo d. The employer may use a written test or an oral examination to insure that the employee has understood the material. The employee must then sign a Confidentiality Contract. If an employee who violates patient confidentiality will be subject to disciplinary actions or will be removed from his/her position, this should be explicitly stated in the Confidentiality Contract

“AGENT or “BUSINESS ASSOCIATE” = defined as anyone acting on the clinician’s behalf and at his/her discretion, including billing services, accountants, answering services, etc.

“BUSINESS ASSOCIATES AGREEMENT:” Contacted agents and business associates with access to identifiable client information must sign a “Business Associates Agreement” which includes confidentiality & security statements, as above, indicating that they understand and will abide by your HIPAA-compliant privacy and confidentiality policies. [Note: You are usually not considered liable for HIPAA violations of contracted agents or business associates if you have in place a HIPAA-compliant “Business Associates Agreement” which defines your expectations. However, you are not protected if you knew that they violated the privacy/security obligations of that Agreement and you failed to take reasonable steps to remedy the problem.]

FINES & PENALTIES: The HIPAA Enforcement Rule allows HHS to impose fines of up to $100 per violation, up to a maximum of $25,000 for violations of an identical requirement during one calendar year. (A continuing violation is deemed a separate violation for each day it occurs.) In considering the amount of the fine, HSS will consider factors such as nature and circumstances of the violation; your compliance history and financial condition (including the size of your business and whether or not the fine would put you out of business)..

—————————————————————-
Portions of this summary were provided by Samuel Knapp, Ph.D. Director of Professional Affairs of the Pennsylvania Psychological Association, and are used or adapted here with the authorization of the Pennsylvania Psychological Association : “What Should Your Employees Know About Confidentiality?” and “HIPAA Training Guide for Employees of Psychologists.”

*NOTE: In addition to the HIPAA-required training described here, employees in state agencies should also receive training in other legal requirements, including those from the Virginia Code & Regulations governing their own setting.