From the December 2001 Issue

HIPAA Watch for December 2001

Educating the Organization

It’s not just about software. A healthcare organization’s best strategy for HIPAA compliance lies with a well-planned and comprehensively developed education program.

By Randa Upham, director of educational services for the Global Healthcare Division of Covansys, Farmington Hills, MI. She serves as a co-chair within the WEDI/SNIP Education Workgroup. Contact her at rupham@covansys.com.

A key challenge for healthcare organizations is how to effectively educate employees about HIPAA. Determining answers to the following questions may be useful for developing a successful HIPAA education plan for your organization.

Who Should Be Trained?

While the legislation mandates training, the actual verbiage about HIPAA education is very limited. Nevertheless, HIPAA does imply a more complex level of education by holding organizations accountable for their regulatory compliance, including the behavior of their employees. The following should be trained:

  • any member of the organization who has the ability to access protected health information;
  • any individual who is under the control of others who work for a covered entity or on behalf of a covered entity; and
  • any person whom the organization allows to function in a manner that could result in a compliance risk.

Use of such criteria results in the realization that the entire “workforce” must be trained, including volunteers and other individuals not actually employed by the organization.

What Information Should Be Included?

The regulations mandate training in two distinct areas.

Privacy regulations specify training requirements in Section 164.530(b)(1), stating that the organization must implement a system for certifying that any individual in their employ has received training on privacy. The regulations further require that there must be documentation indicating that employees have received training on HIPAA, including date(s) when that training was delivered. If the organization changes its policy and procedures surrounding privacy, it is required to retrain all impacted parties.

Training regulations related to security/electronic signatures can be found in Section 142.308. HIPAA mandates that an organization must provide training regarding the vulnerabilities of protected health information, including the procedures it has implemented to protect that information. Training requirements include:

  1. awareness training for all personnel including password maintenance, incident reporting, viruses/other malicious software;
  2. routine periodic reminders about security;
  3. user education including virus protection, password management, login procedures and monitoring; and
  4. customized training to include use of protected health information and responsibilities for security and confidentiality.

More “Need to Know”

Mandated training indicates the minimum education necessary, but there are many implied areas of HIPAA education as well. Each organization must design a HIPAA education plan that incorporates mandated training and also addresses its specific needs.

Benefits and Challenges of HIPAA. Executive management and decision makers in the organization should understand the costs and the advantages of implementing HIPAA.

Awareness and Action. Organizations should include a general HIPAA overview for “operational management.” Training should include a broad presentation of the key HIPAA components, typical areas within a healthcare entity that will be affected, details on intent of the specific regulations, and a discussion of strategies to consider in planning for HIPAA.

A HIPAA awareness program for the general workforce is a must, to provide them a solid understanding of the organization’s policy and procedures for implementing the legislative mandate. Most organizations will find that they need to structure a variety of HIPAA awareness sessions to address different operational groups in the organization.

E-health Standardization: Transactions, Code Sets, Identifiers (TCI). The core of the HIPAA administrative simplification elements is TCI. Standardizing formats for conducting healthcare business through EDI necessitates enormous changes in information systems and the business processes that support those systems.

Those individuals charged with remediating information systems must thoroughly understand the implementation guides for TCI. Those individuals who work with any of the elements covered under TCI mandates require a different sort of training, focusing on changes that will occur within routine business operations to accommodate implementation of the standard formats. This group includes departments such as patient accounting, medical records, patient registration, data processing, and medical and nursing staff.

Privacy & Security Requirements. Decision makers and operational management must understand the regulations for privacy and security to strategically plan for HIPAA. Workforce training should include the topics specified in the regulations and how the organization will address the regulations.

Individuals charged with developing and redefining protocols that organizations will implement to safeguard the privacy and security of protected health information will require intensive training including:

  • conducting HIPAA assessments for organizational compliance;
  • establishing a HIPAA program management office;
  • organizational impacts of HIPAA;
  • role of business partners; and
  • remediation activities.

What Is the Best Method?

Traditional classroom instruction is useful for delivering HIPAA awareness training and in-depth education on implementing the legislation. Many organizations are selecting computer-based training for providing awareness training to large workforces. For the more intensive training required for HIPAA task force teams, classroom instruction will comprise the majority of training conducted.

Supervisory sessions are valuable for explaining the organizational impacts of implementing HIPAA, although this method is only successful if the supervisor has substantial HIPAA expertise.

Distance learning options include online courses, Web casts, informational websites, posting of FAQs and discussion threads. Using computer-based training via an organization’s intranet or through alternative Internet options, such as commercial learning management sites, provides employees a consistent message about HIPAA, and tracking features ensure training was delivered to the entire workforce.

Workgroups and Beyond

Regional HIPAA workgroups are cropping up to provide assistance to local healthcare communities in implementing HIPAA regulations. Most regional workgroups are structured in accordance with the model established by the Workgroup for Electronic Data Interchange, Strategic National Implementation Plan (WEDI/SNIP), a volunteer organization that promotes industry readiness to implement HIPAA standards.

SNIP has organized its activities into major workgroups (transactions, security, privacy, and education) to address its objectives, which include:

  • recommend an implementation time frame for each component of HIPAA for each stakeholder (health plan, provider, clearinghouse, vendor) and identify the best migration paths for trading partners;
  • establish opportunities for collaboration, compile industry input and document the industry’s best practices; and
  • identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA administrative simplification standards and rules.

Organizations should research existing state regulations to determine if they supersede HIPAA mandates and, if they do, define for their employees the manner in which they must comply with specific mandates.

Also, organizations should develop strategies to integrate professional standards and ethics into HIPAA implementation. Although HIPAA is often perceived as yet one more compliance mandate by the government, opportunities to align HIPAA strategies with JCAHO and NCQA accreditation standards and CMS requirements do exist and should be supported by organizations.


Steps to Successful HIPAA Training

  • Obtain management endorsement.
  • Avoid “one size fits all” training. Create a multidimensional approach for training geared towards various sectors within the workforce.
  • Use HIPAA experts as trainers.
  • Ensure train-the-trainer programs create qualified training individuals.
  • Create an organizational HIPAA communication plan that keeps workforces updated on related legislative events and organizational activities.
  • Identify employer-endorsed websites that employees can reference for HIPAA information.
  • Avoid conducting training for certain audiences too early. Stage training sessions in accordance with compliance timelines and “need-to-know” requirements of workforce.
  • Support employee involvement in regional HIPAA workgroups.
  • Integrate HIPAA training into the organization’s overall education planning.

© 2001 Nelson Publishing, Inc