Healthcare Compliance Training: What to Train On and How Often
Healthcare Compliance Pros (HCP) often receives questions regarding compliance training requirements. Typically, the questions we receive ask what compliance training is required and how often it should be completed. There are several training requirements to be considered, depending on the area of compliance in question. For instance, HIPAA and OSHA are two examples of compliance training provided at the time of hire and annually thereafter. Training should also be provided when changes are made to an organization's policies and procedures or when regulatory changes occur.
OSHA and HIPAA Training Requirements
While OSHA requires annual training, HIPAA training requirements aren't quite as straightforward. In fact, HIPAA doesn't specifically state annual training is required, but it does mention training should be provided "periodically." While it's open to interpretation, a best practice and HCP's recommendation is to provide annual HIPAA training as well.
Even though the HIPAA Privacy Rule doesn't specify annual training, it does say that training must be provided to "each new member of the workforce within a reasonable period of time after the person joins the covered entity's (or business associate's) workforce" and to "each member of the covered entity's (or business associate's) workforce whose functions are affected by a material change in the policies or procedures within a reasonable period of time after the material change becomes effective."
Privacy Rule training is only part of the HIPAA requirements. Under the HIPAA Security Rule, covered entities such as healthcare organizations and their business associates must provide security awareness training periodically. This requirement, as noted above, ensures that training is updated to reflect any regulatory changes. Training on an organization's Security Rule policies and procedures should also occur when the organization has implemented new or upgraded hardware or software that affects the security of the ePHI under its control.
The Importance of Completing Compliance Training
When considering the requirement to provide a security awareness and training program, there are many real-life examples from which to learn. For example, a recent Office for Civil Rights (OCR) investigation of an entity found long-standing non-compliance with the HIPAA Rules, including failures to conduct a risk analysis, to provide a security awareness and training program, and to implement HIPAA Security Rule policies and procedures. As a result of this investigation, the entity agreed to pay OCR $65,000 and adopt a corrective action plan to settle these violations of the HIPAA Security Rule.
We mentioned that OSHA training requirements are much more straightforward than those of HIPAA. Training is required at the time of hire and annually thereafter, and failure to provide it can have consequences! For example, by not adhering to this OSHA requirement, a hospital recently received a citation for $32K. The citation was issued because the hospital exposed employees to workplace violence and other hazards, including failure to provide annual training as well as deficiencies in the content of its bloodborne pathogen training.
Healthcare Compliance Pros Recommends Compliance Training at the Time of Hire and Refresher Training Thereafter
Healthcare Compliance Pros (HCP) encourages all of our clients to complete HIPAA and OSHA training at the time of hire and each year afterward. In addition to HIPAA and OSHA training, other compliance training such as Corporate Compliance, including Fraud, Waste, and Abuse training, as well as Sexual Harassment training, may be necessary. When providing training, it is critical to ensure training is provided to the entire workforce, including administration, providers, front office, and back-office employees. The training should be provided whether the workforce is full-time, part-time, permanent, or temporary.
HCP recognizes the importance of training obligations for healthcare organizations. For this reason, in the event our Clients perform and follow all requirements provided by HCP under their compliance program (including training), HCP agrees to then indemnify our Client(s) and pay up to $1,000,000.00 for any such damages (e.g., fines or other penalties for non-compliance). This indemnification remains in place so long as our Clients have an active subscription to HCP's compliance services.