Health Information Compliance Alert

Training employees on the intricacies of HIPAA can seem like the blind leading the blind when the Department of Health and Human Services can change the rules lickety split, but there are some tactics you can employ that will open your eyes to effective training procedures.

Health Insurance Portability and Accountability Act mandates will require covered entities to implement training procedures for employees who must comply with the rule. Unfortunately and a source of limitless frustration for privacy officers the HHS doesn't indicate how entities should proceed with that training.

There are a number of issues privacy and compliance officers must ruminate over when they're called upon to train employees, according to Tara Shewchuk, corporate compliance officer with Chicago-based Resurrection Health Care: "Training for HIPAA is challenging for many reasons, including the fact that no one has ever done it before," she points out.

Shewchuk lists a host of issues she must consider when training employees, including: defining exactly who comprises your workforce; breaking down any language barriers; creating a program that's flexible enough to be used for new hires but also one that meets specific departmental needs; tracking who has been trained and who hasn't; choosing a format or medium for training; and doing all of this with the foreknowledge that the privacy rule may be revised considerably.

And Shewchuk may be ahead of the game with regard to training, according to Michael Roach, an attorney with the Chicago office of Michael Best & Friedrich, who says he doesn't know anyone yet who has started to iron out a training program.

Roach says there are a number of things covered entities can think about to get a jump on HIPAA training. For small entities or for small physicians' offices, he thinks providing employees with a copy of the policies and procedures and just asking them to read those rules is sufficient.

But that flexibility comes to a grinding halt with larger organizations, where privacy officers are required to consider what type of training each employee should receive, since not everyone will need the same amount of detailed knowledge of HIPAA.

Roach tells Eli everyone who works at a covered entity must have some basic HIPAA training, but for larger organizations, such as hospitals, he envisions a type of modular training system in which employees are grouped into categories based on the information they require. Such training, he suggests, may rest on the creation of a compliance manual where "category A gets just the introduction something like 'HIPAA and our policies 101' and then category B might get [other sections] of the manual."

Roach warns that covered entities that implement a "one size fits all" policy training all employees to the same extent with HIPAA may find that method has its disadvantages: "Everyone has to be trained at the highest level, to make sure that the people who need that highest level [of information] get it." But Roach doesn't think large entities will go that route, and will probably target and customize training given certain classifications of employees.

As for the delivery of that training among staff, Roach says he's heard that some entities are planning to put their training courses on intranet sites. That medium allows privacy officers to reach vast numbers of employees and permits officers to keep track of who's completing the training. "And if there are modifications to the [privacy rule], you can revise it," he says. Shewchuk says she has a HIPAA video in the works that will discourage passive viewing by making use of several "pause points" in a facilitator-led training exercise, during which time the facilitator can break for a discussion.

But whatever method one uses to impart HIPAA training among one's work force, it's important to at least begin thinking about it now. For compliance officers like Shewchuk, training a force of over 14,000 leaves no time to dither. She says Resurrection will start developing its training program immediately, shoot the training video by September, and then roll out training by October or November in order to have all employees trained by April 2003.