Staff training (HIPAA privacy rules)

February 6, 2004

Q: Does HIPAA require a certain kind of staff training?

A: Yes. Any staff member who handles—or comes into contact with—medical information must be trained to understand both the general privacy requirements and the specific ways they're implemented in your practice. How you reach this goal, if you haven't reached it already, is up to you. For example, you could buy a HIPAA compliance guide (many state and county medical societies make these available) and ask your staff to read it, along with your own policies and procedures manual. You could also send staff members to HIPAA seminars. Whatever method you employ, be sure to document all steps you take to train staff members.

Q: Once these elements are in place, what other steps do I need to take to be HIPAA compliant?

A: The administrative requirements discussed above only address HIPAA's privacy regulations. On Oct. 16, 2003, another set of standards—which regulate the transmission of electronic claims and other transactions—also took effect. Fortunately, CMS has devised a temporary contingency plan for accepting noncompliant transactions. If you show you're working toward compliance, you can continue to use existing formats. How long this de facto extension will last is anyone's guess, so you need to move toward compliance. Beginning in 2005, you will also need to comply with HIPAA's Security Standards, which define the administrative, physical, technical, and other steps practices must adopt to maintain patient privacy and confidentiality.