workforce privacy training (HIPAA)

HIPAA's Privacy Rule mandates that every covered entity provide privacy training for "all members of its workforce with respect to the policies and procedures" on use and disclosure of protected health information, "as necessary and appropriate for the members of the workforce to carry out their function within the covered entity." (The HIPAA Security Rule has its own, separate training requirement.)

Initial training must be provided within a reasonable period subsequent to hiring, with retraining thereafter as often as appropriate. (The precise cycle is not specified. An earlier requirement for at least triennial retraining of all workers was dropped from the final regulations.)

Retraining is also required for anyone "whose functions are affected by a material change in the policies or procedures ... within a reasonable period of time after the material change becomes effective."

Covered entities must document that such training has been provided, but HIPAA regulations do not provide any guidance as to the form or content of the educational efforts. DHHS has been clear in its commentary that such specifics are left to the "reasonable discretion" of the organization.

An earlier requirement that workforce members sign a statement certifying training completion and promising compliance with information protection policies was dropped. Covered entities are free to use any "appropriate mechanism" to document workers' compliance with the training requirement.

HIPAA does not provide DHHS with any authority to mandate training for business associates' workforces, and covered entities are not required to monitor business associates' training efforts. (Other, more general monitoring obligations do obtain with regard to patterns of activity and practices of business associates.)
Last modified: 11-May-2005 [RC]