Health Information Compliance Alert

TRAINING:

Use Real-Life Examples For More Effective HIPAA Instruction

Check your program for these 3 basic components.

If you're planning to educate only your managers on privacy compliance in hopes that the crucial information will trickle down to your front-line staff, you need to reassess your strategy.

Get everyone on board: "You can't say, 'OK, I'm going to train the top three people in my organization and therefore I'm going to be done with my HIPAA privacy training because they will understand everything and will be there to answer questions,'" warns attorney Kristen Baum of Joliet, IL-based Murer Consultants. "That's not going to cut it. The rule is very specific about having everyone in your organization trained on privacy."

Failing to train everyone on your staff comes with a hefty price tag, warns attorney Michael Murer, also with Murer Consultants. "[HIPAA training] requires the involvement of everyone who is associated with your institution, because the penalties are harsh," he cautions.

How harsh? Civil penalties under HIPAA carry fines of $100 per incident, capped at $25,000. However, the cap applies only to violations of the same requirement: If you violate different sections of the rule, you could face multiple civil violations.

Violations of the regulations carry criminal fines of as much as $50,000 or a year in prison. In addition, tort lawyers are likely to use the law to sue providers for damages.

Murer recommends that an effective training program should be: 

• Functional. A training program that takes a purely theoretical approach won't work. Instead, it should be built around real-life examples. "Make them interesting," Murer urges. "Give a lot of detail so [trainees] say, 'This is like a case we had. This is like something that we've seen.'"

• Analytical. It's important that trainees be allowed to talk about how to apply the rule in different cases, not only to improve their understanding of the rule, but also to improve your organization's compliance efforts. "You need to be able to find the people who understand what it is that you're trying to teach them, so that they can be the [knowledge] base for that part of the organization," he explains. 

• Matrixed. Murer points out that health care organizations deal with many different kinds of staff, professional and nonprofessional, as well as outside contractors, and that creates a complex matrix of relationships. "Who can have what information, who can't have what information, where are the limits, how is the information transmitted: All of these are concerns of your training program," Murer notes.

For example, he describes a scenario where a facility accountant reviews a patient's file for billing purposes, then attends a cocktail party where he sees the patient's physician. What, if anything, can the accountant say? And what happens when a janitor sees a patient's records lying on a clinician's desk? Effective HIPAA training would address these situations. 

"Organizations in health care know how to treat patients, how to bill, how to administer," Murer says. "Now they have to learn how to protect individually identifiable health information."