Ophthalmology and Optometry Coding Alert

Question: Our practice occasionally uses temporary workers. Is it necessary to have nonpermanent employees undergo HIPAA training since they tend to come and go quickly?

Connecticut Subscriber

Answer: It’s important to keep HIPAA in mind, regardless of whether they’re a full-time employee or temporary worker. No matter the status of the staff for a covered entity (CE), if the employees are interacting with patients and/or disclosing or using protected health information (PHI), they are subject to the HIPAA rules.

“For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce,” the HHS Office for Civil Rights (OCR) reminds in online Privacy Rule guidance. “These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs,” OCR adds.

Tip: Compliance officers should adapt HIPAA training based on an employee’s role and how much PHI they’ll be handling. That being said, they should also ensure that staff are fully trained on the Privacy and Security Rules — and know the consequences for unauthorized access and disclosure.