HIPAA training for dental offices is a requirement of the Privacy Rule and the Security Rule due to dental offices coming under the definition of a Covered Entity in the Administrative Simplification Provisions of the HIPAA Privacy Rule. Consequently, all members of a dental office´s workforce must receive some form of HIPAA training.
Exactly what form of HIPAA training for dental offices needs to be provided will depend on the roles of workforce members. Those with access to PHI must receive training on the dental office´s policies and procedures in respect to PHI “as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity”. These individuals will also require further training “when functions are affected by a material change in policies and procedures”.
In addition, all members of a dental office´s workforce have to undergo awareness and security training in respect of electronic PHI (ePHI) – even those who may not have access to ePHI. This is because entire systems can be crippled by malware and ransomware regardless of the point of entry, so it is important all members of the workforce receive training on password management best practices and reducing susceptibility to phishing in order to mitigate cyber threats to ePHI.
Other Occasions When HIPAA Training for Dental Offices May be Necessary
There are two other occasions on when HIPAA training for dental offices may be necessary – when a risk analysis identifies a threat that could be mitigated by additional training, and when additional training is a requirement of a corrective action plan.
Covered Entities are required to conduct periodic risk analyses to identity potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and implement measures that are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. In the event that a risk or vulnerability is identified attributable to a lack of knowledge, it will be necessary to provide further HIPAA training for dental offices´ workforces to mitigate the risk.
With regards to corrective action plans, the HHS´ Office for Civil Rights (OCR) receives more than twenty thousand complaints each year in relation to HIPAA violations such as the failure to provide patients with access to their PHI within a reasonable time frame and impermissible uses and disclosures of PHI. In most cases, complaints are resolved by the OCR providing technical assistance to Covered Entities or requiring a corrective action plan – which often involves additional training.
Using Refresher Training to Fill Knowledge Gaps and Reduce Necessary Training
While it is not a requirement of HIPAA to provide refresher training beyond “material change”, “risk assessment”, and “corrective action” training, many Covered Entities provide refresher training to fill knowledge gaps and reduce necessary training.
Knowledge gaps can exist when a member of the workforce who does not ordinarily have access to PHI (and thereby has not undergone training on policies and procedures) hears or sees something about a patient that they then share without authorization. This is a violation of HIPAA that can be prevented by providing all members of the workforce with refresher training on topics such as allowable uses and disclosures, the Minimum Necessary Standard, and the basics of the Privacy Rule.
Providing refresher HIPAA training for dental offices can also reduce the likelihood of a threat attributable to a lack of knowledge being identified in a risk analysis, or a patient complaint leading to an OCR investigation and the need for corrective action training. To reduce the amount of “necessary” training, refresher training might include subjects such as patients´ rights, computer safety rules, and best practices for being a HIPAA-compliant employee.
Reducing the Training Overhead with Online Modular HIPAA Training
Most dental offices are relatively small operations that lack the training resources of larger healthcare systems and consequently the training overhead can be considerable. Dental offices can reduce the training overhead by taking advantage of off-the-shelf online modular HIPAA training packages that cover the primary aspects of the HIPAA Privacy and Security Rules.
Although training packages cannot train members of the workforce on policies and procedures in respect of PHI because these are unique to individual Covered Entities, online modular HIPAA training can meet the awareness and security training requirements of the Security Rule and provide refresher training in modules that dental offices can mix and match to meet their requirements.
In addition, because training is provided in bite-sized online modules, members of the workforce can complete separate modules individually when there is a gap in their schedules. There is no need to take large groups of the workforce away from their roles for classroom-style training sessions – reducing the disruption to operations and ensuring training is provided as cost-efficiently as possible.
HIPAA Training for Dental Offices FAQs
Why wouldn´t all members of a dental office´s workforce receive the same HIPAA training?
While it is more feasible to provide the same training to all members of the workforce in a dental office than in a large healthcare system, it may be the case that some training may be superfluous to members of the workforce who do not have access to PHI and the overload of unnecessary training may cause other – more important – elements of training to be overlooked.
Why might you include subjects such as the basics of the Privacy Rule in refresher training?
Including subjects such as the basics of the Privacy Rule training in refresher training can help provide context to other elements of HIPAA training for dental offices. For example, a better understanding of the Privacy Rule could help members of the workforce better understand when certain policies and procedures exists – helping with retention and compliance.
How often should HIPAA refresher training be provided?
Many compliance experts believe HIPAA refresher training should be provided at least annually. However, when Covered Entities use modular refresher training, refresher training does not have to be scheduled with any particular frequency. Modules make it possible for refresher training to be ongoing and easy for each individual´s progress to be monitored and documented.
What if some modules are not relevant to my dental office´s operations?
There are no one-size-fits-all HIPAA training programs, and so it is likely there may be some training modules that are not relevant every area of a Covered Entity´s operations. As mentioned above, one of the advantages of modular HIPAA training for dental offices is that modules can be mixed and matched to meet the organization´s requirements.
If we allow students to provide treatments to patients, do they also have to undergo HIPAA training?
Yes. The HIPAA training requirements apply to all members of a Covered Entity´s workforce. Workforces are defined by HIPAA as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such Covered Entity, whether or not they are paid by the Covered Entity”.