This document outlines the importance and requirements for healthcare organizations to conduct privacy training for employees and business associates. It discusses how federal regulations, such as HIPAA, require covered entities to provide training on privacy policies and procedures. It also notes that training should be provided initially during orientation and annually thereafter, with supplemental training for significant policy changes. The document recommends training be multi-modal, interactive, tailored to job functions, and include competency testing. It provides examples of topics that should be covered in privacy training programs.

1. KATHRYN SMATHERS
MHA690: HEALTH CARE CAPSTONE
DR. ROCKIE MCDONALD
AUGUST 21, 2014
*

2. *
* Critical to protect patients and practice.
* Establishes shared understanding of expectations for employees & business
associates
* Adhere to federal requirements –
Health Insurance Portability and Accountability Act (HIPAA) Section 164.530 of
the privacy rule states:
“A covered entity must train all members of its work force on the policies and
procedures with respect to private health information required by this subpart,
as necessary and appropriate for the members of the work force to carry out
their function within the covered entity”
* In accordance with Joint Commission Standards
Standard IM.1.20 – “Information security, including data integrity, is
maintained”.
Wiedemann, 2010

3. *
*Employees
*Contractors
*Volunteers
*Affiliates
*Students/Residents
*Anyone else who are likely to have contact
with protected health information

4. *
*Provided to new hires during orientation or affiliation (first
2 days of employment/joining organization)
*Continuing education annually (refresher course with
competency exam)
*Supplemental training provided within 30 days of any
significant changes to material

5. *
* Effective privacy training must be multi-modal and ongoing
(Cline, 2010).
All training should be interactive & eye catching to catch
and maintain attention
Tailor modules to individual job functions. Computer based
training for core content/ in-classroom training depending
on job function (i.e. Release of Information Staff,
Management)
Passing competency test required to document
understanding
Periodic e-mail reminders to all staff – privacy protection
campaign awareness & quarterly reminder messages
Annual “refresher” courses with competency exam required

6. *
*Description of different forms of
sensitive information
*Real life examples of sensitive
information
*Description of various locations of
Private Health Information (PHI) (i.e.
print, public conversation, computer
applications, laptop computers & mobile
devices, email, remote access, portable
storage devices)
*Definition of appropriate access – (i.e.
“need-to-know” basis)

7. *
* HIPAA Privacy and Security Rules explanation
* Description of unauthorized access
* Real life examples of unauthorized access
* Password management/workstation securement
protocols
* Clear description of employee/associate responsibilities
* Disposal of PHI protocols
* Suspected/known violation reporting process

8. *
* Real life scenarios of information breaches &
privacy violations
* Description of penalties
* Description of reporting process
* Description of auditing process
* Privacy Officer contact information
* Printable job aid (easy to understand form of
organization’s Notice of Privacy Practices &
potential violation reporting process

9. *
Cline, J. (2010). Privacy Training Gone Awry.
Computerworld, 44(3), 24.
Weidemann, L.A. (2010, Nov). HIPAA privacy and security
training (updated). American Health Information
Management Association. Retrieved from:
http://library.ahima.org/xpedio/groups/public/documents
/ahima/bok1_048509.hcsp?dDocName=bok1_048509