Do you train your staff about HIPAA privacy rules? Here are
three good reasons for doing this.
- It’s required by state and federal law. Texas law requires HIPAA training within 90 days of hiring employees "as necessary and appropriate for employees to carry out (their) duties." It requires additional training within a year after any relevant change in state or federal law regarding protected health information (PHI) takes effect. HIPAA has required training for employees since 2003 "as necessary and appropriate for them to carry out their functions," within a reasonable time after hiring, and updated as needed. Be sure you document the training, and keep signed attendance records for six year under state law.
- It’s good defense in the case of an audit. A federal pilot audit by the U.S. Office of Civil Rights (OCR) completed last year found that nearly a third of covered entities cited for noncompliance were unaware of requirements. Top among the violations were those relating to the notice of privacy practices, access rights of individuals to their medical record, and minimum necessary and authorization provisions in the privacy rule. Regarding the pilot, the American Bar Association's Health Law Section said, "OCR, via its auditors, has made it clear that the general theme of the audits is 'show me your written policy, and show me you followed it.'" OCR plans conduct a permanent audit program.
- It’s good insurance against privacy violation complaints, or against stiff sanctions if a slip-up in your practice occurs. If your practice has written policies and procedures, and your staff understands and follows them, a privacy violation is unlikely to occur. OCR does investigate complaints. And they don't come only from patients. One practice compliance officer warns that disgruntled or former practice staff members have been known report the practice's negligent privacy practices. For example:
- Do you still include protected health information (PHI) on your sign-in sheets? If you want to collect this information at sign-in, you should use peel-and-stick labels.
- Do you enforce a policy whereby anyone working with PHI paperwork puts it away when stepping away from it, even to grab a cup of coffee or an incoming fax? It should go into drawer or envelope as long as it is unattended.
The TMA Education Center offers these webinars you can use to help train your staff on privacy laws:
In addition, the new edition of TMA's customizable. Policies and Procedures: A Guide for Medical Practices is up to date with the latest HIPAA and Texas Privacy Laws and includes tools and forms you can use for your own guide. The new edition will be available in fall 2013.
And if you have questions, contact the TMA Knowledge Center at (800) 880-7955 or firstname.lastname@example.org.
Revised Oct. 25, 2013
TMA Practice E-Tips main page