HIPAA Training Requirements, Spring 2014 NL

HIPAA was enacted to safeguard patient security and privacy. The act includes 2 key pieces: The Privacy Rule and the Security Rule. The Privacy Rule helps protect private patient information and the Security Rule standardizes security protocols for electronic health information. Covered groups, including health care providers must adhere
to all provisions, including training requirements. The Office of Civil Rights (OCR) oversees and enforces all

Training of your workforce is a requirement. I have divided this into four (4) training groups:

Written Policy

  1. The healthcare provider must implement written policies and procedures consistent with the Privacy and Security Rules. These policies must be shared with the workforce and other stakeholders.
  2. The practice/organization must also designate a privacy and security officer. This may be the same person or two separate individuals. The privacy officer is generally responsible for policy implementation and is the contact person for HIPAA complaints. This is part of the training information provided to employees. 

Workforce Training:

  1. HIPAA requires that Covered Entities (healthcare providers) train all employees (including physicians), volunteers, trainees and anyone else who represents the organization in privacy and security policies and procedures. Training should be tailored to each job function. 
  2. Train new employees immediately upon hire and conduct regular refresher training sessions for existing employees. 
  3. A reasonable sanction policy has to be created and utilized against workforce members who violate policies and procedures. 
  4. Practices are to coordinate and review policies, procedures and sanctions with management and employees. 

Data Safeguards:

  1. HIPAA requires that practices maintain technical and administrative safeguards to prevent the intentional or unintentional use or disclosure of protected health information. To meet this standard, practices must formally train employees and other stakeholders to use and apply appropriate data protection protocols. This may include document shredding procedures, lock or password security protocols or other necessary safeguards.


  1. Practices must create and share a privacy practice notice (NPP) with patients/families which includes detailed instructions for patient complaints regarding information use and disclosure as it relates to HIPAA.
  2. Train employees on how to properly direct patients with complaints to the appropriate contact person or office to mitigate confusion and ensure proper complaint documentation. 

How Arkansas Mutual Can Help:

Arkansas Mutual has many resources on their website to help with HIPAA compliance. Under the tab Risk Management, click on Training Resources, then HIPAA In-Service Training. You will currently find five (5) training programs.

  1. Video: HIPAA/HITECH: Steps to take, Pitfalls to Avoid – video and test
  2. Breach Notification Rule – powerpoint
  3. HIPAA Basics for Office – powerpoint and test
  4. HIPAA & Social Media – powerpoint and test
  5. HIPAA Omnibus Final Rule Changes to Breach Notification – link to powerpoint

These powerpoints and our new video (by attorney Todd Newton of the Mitchell Law Firm) can be used for new hires and for existing employees. The post-test will provide the required documentation.

Remember, the powerpoints and video are not the only training that must occur, but can provide each practice with the essentials of HIPAA.

The online HIPAA Guide can provide you with the information and guidelines on how to be in compliance
with the HIPAA requirements. You will find forms, policies and procedures and job descriptions for your use, under the Risk Management tab of our website.

We have finished our guide to the Security Rule and its requirements. We have set the program up a bit differently
than the Omnibus Final Rule. It is under the HIPAA Guide, and takes you on 25 steps to compliance.

As always, please feel free to contact me if you have any questions.