HIPAA – the Health Insurance Portability and Accountability Act – is federal legislation passed in 1996 that addresses various elements of healthcare in the United States, including health insurance reforms and several other areas not related to privacy or security.
However, this law also includes a mandate for the US Department of Health and Human Services ("DHHS") to issue regulations that specify privacy and security protection for healthcare information about individuals.
HIPAA compliance requires training of almost all individuals who work for a healthcare organization – even those who may only be incidentally exposed to such information. Examples of people who should be trained in the HIPAA regulations include:
- physicians, chiropractors, nurses, technicians
- administrators, clerks, order processing staff
- staff employees such as custodians, transportation, security
- volunteers, independent contractors, consultants and vendors
The rules also require that these training programs be fully documented.
Cosaint’s courses offer an effective and economical way to meet the training requirements of HIPAA. And Cosaint’s hosted learning management and policy signature management systems make record-keeping and periodic reminders simple for hard-pressed administrators.
The HIPAA Privacy Rule
The HIPAA Privacy Rule was finalized during the summer of 2002. Under this rule, healthcare organizations across the country must train all employees in the basics of patient privacy and confidentiality including concepts such as "Protected Health Information" (PHI) and the "Minimum Necessary" principle.
The HIPAA Security Rule
The final version of the HIPAA Security Rule was issued by the DHHS in February 2003. This rule specifies a wide range of provisions to improve the way that patient information is secured against disclosure, modification or loss, including security awareness training for all staff (including management) with access to patient information. These (addressable) measures include user training on:
- malicious software (viruses & worms)
- creating and managing passwords
- monitoring for and responding to login failure
as well as the provision of periodic security reminders.
Recently, the Centers for Medicare and Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) published their Recommendations for Complying with the HIPAA Security Awareness Training Requirements. The document includes advice on setting up security awareness programs including new hire training for employees, contractors, temporary workers and volunteers, as well as the provision of annual refresher training. It also recommends that "if possible, [Covered Entities] should deploy an automated tracking system to capture key information regarding program activity (e.g., individuals’ completion dates)."