We are often asked questions about training requirements. Questions that can be paraphrased like this:
Why should we train every year?
Thank you, Connie in Utah, for submitting your question for us to answer this week. Let's discuss the key requirements:
HIPAA Training Requirements
The HIPAA privacy and security rules require formal education and training of the workforce to ensure ongoing accountability for privacy and security of protected health information (PHI). There will be ongoing modifications in HIPAA that will require this regular, periodic training. This training must be documented by the covered entity. Under the HIPAA Privacy Rule "a covered entity must train all members of its workforce on the policies and procedures with respect to PHI required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity." A covered entity must provide training that meets the following requirements:
- To each member of the covered entity's workforce by no later than the compliance date for the covered entity
- Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce
- To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective.
OSHA Training Requirements
Under OSHA's bloodborne pathogens standard, "employers having employees with exposure to blood or other potentially infectious materials (OPIM) must train employees annually regardless of the employees' prior training or education." Training must be provided at the time of initial assignment to tasks where occupational exposure to blood and OPIM may occur. Training will also be conducted at least annually thereafter. Training must be provided during work hours and at no cost to your employees. In the event employees are given new tasks, or existing tasks are modified, additional and appropriate training must be conducted.
Corporate Compliance / Fraud, Waste and Abuse Training Requirements
Initial training and education on Corporate Compliance and fraud, waste and abuse training should be completed during the orientation process for new employees. All employees should complete annual General Corporate Compliance refresher training thereafter. The "deeming" exception of enrollment/participation in Medicare Parts A or B of the Medicare program, or accreditation as a supplier of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies applies to fraud, waste and abuse training requirements. Unless this exception applies to your organization, fraud, waste and abuse training should be completed annually. In addition to training requirements, all entities contracted to perform work related to Medicare programs are required to have appropriate policies and procedures to address fraud, waste, and abuse.
Workforce Training is Ongoing and Consistent
Initial and annual training on HIPAA Privacy, HIPAA Security, OSHA, and Fraud, Waste and Abuse should be completed for each member of the covered entity's workforce. The HIPAA Privacy and Security Rules require formal education and training of the workforce to ensure ongoing accountability for privacy and security of PHI. Employers having employees with exposure to blood or other potentially infectious materials (OPIM) must train employees annually regardless of the employees' prior training or education. Unless the deeming exception applies to your organization, fraud, waste and abuse training should be completed annually. In addition to training requirements, all entities contracted to perform work related to Medicare programs are required to have appropriate policies and procedures to address fraud, waste, and abuse. In addition, it is important for administrators to review policies and procedures to determine if there have been changes or updates. Because there is a possibility there were updates, it is a good practice for training on your organization's policies and procedures to be completed on an annual basis. This will ensure the entire workforce has received the updated information. For example, your organization implements a Bring Your Own Device (BYOD) policy. Your organization may provide additional BYOD training.
If you have any additional questions about annual training requirements please do not hesitate to contact one of our professional representatives.
November 5, 2014