Although small hospitals may have fewer resources than larger organizations, the nature of HIPAA training for small hospitals will generally be the same as that provided by larger organizations – the only potential difference being that small hospitals may have different policies and procedures with respect to PHI.
Small hospitals are classified as those with fewer than 100 beds, and although many now belong to networks, each is an individual HIPAA-Covered Entity required (by 45 CFR § 164.530) to train members of its workforce “on the policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions with the Covered Entity”.
In addition to training members of the workforce on policies and procedures, small hospitals must provide further HIPAA training “when functions are affected by a material change in policies and procedures”, when a risk analysis identifies a threat that could be mitigated by further training, and when further training is a requirement of an OCR corrective action plan.
As these may be infrequent events, compliance experts recommend HIPAA training for small hospitals should be repeated annually. While this can be built into the ongoing security and awareness training program required by 45 CFR § 164.308, it can be beneficial to separate Privacy Rule training from Security Rule training so individuals better understand HIPAA compliance for times when technology cannot prevent HIPAA violations.
Why Separate Privacy Rule and Security Rule Training in Small Hospitals?
Small hospitals tend to be more patient-centric than larger organizations; and, and while it is important that all Covered Entities train their workforces on how the Privacy Rule applies to interactions with patients and their families, the relationships between healthcare staff and their patients can be a lot closer in small, community, or rural hospitals.
Consequently, patients in small hospitals may be more willing to disclose information about themselves to healthcare staff they know well. Recipients of unexpected or unsolicited information (whether from a patient, a family member, or a friend) need to record the information compliantly and securely if no policy or procedure exists to deal with such an event.
Privacy Rule HIPAA training for small hospitals can help healthcare staff make HIPAA-compliant decisions in such circumstances, whereas Security Rule training might not cover such events due to focusing on technological safeguards rather than people and processes. Therefore, separating the two elements of HIPAA training for small hospitals can result in healthcare staff being more focused on the requirements of the Privacy Rule when faced with unforeseen events.
Balancing HIPAA Training for Small Hospitals with Limited Resources
When you consider the possible frequency of HIPAA training for small hospitals and the fact that some staff will require additional – or different – training from other members of the workforce, it is not difficult to imagine how a small hospital with limited resources could be overwhelmed by the HIPAA training requirements.
However, much of the training can be provided online in a modular format to minimize disruption and ensure members of the workforce only receive training on subjects that are relevant to their roles or that help prevent HIPAA violations. (For example, all members of the workforce should receive training on the Disclosure Rules regardless of their access to PHI).
Although prepackaged HIPAA training for small hospitals cannot fulfill every training requirement (because each Covered Entity has its own policies and procedures), it has the advantages of being cost-effective, convenient, and scalable. It is also repeatable, so can be used for annual “refresher” training to help fill knowledge gaps in order to prevent threats attributable to a lack of training being identified in a risk analysis and patient complaints resulting in an OCR corrective action plan.
HIPAA Training for Small Hospitals FAQs
If small hospitals do not provide the same range of services as larger organizations, why are the HIPAA training requirements the same?
The purpose of HIPAA training is to protect the privacy of PHI and ensure the confidentiality, integrity, and availability of ePHI. Therefore, regardless of the services being offered, members of the workforce still need to be trained with this purpose in mind.
Why would members of the workforce with no access to PHI require training on the Disclosure Rules?
Not all PHI is written down or stored electronically. Members of the workforce can see or hear information about patients that should not be disclosed without authorization – for example, a member of the maintenance team could disclose a famous patient is staying at the hospital on social media. This type of HIPAA violation can be prevented with training on the Disclosure Rules.
If training consists of some modules for some people and other modules for other people, how you keep track of who has been trained on what?
With most online modular training, each module concludes with a test to ensure the trainee has understood the content of the module. When the trainee passes the test, a record of their score is maintained on the Learning Management System to help Covered Entities comply with the HIPAA documentation requirements.
What is an OCR corrective action plan and why might it result in further training?
Each year, the HHS´ Office for Civil Rights (OCR) receives in excess of 20,000 reports of HIPAA violations. One of the ways in which OCR responds to HIPAA violations is by issuing the Covered Entity against whom the report has been made with a corrective action plan. In many cases, the plan includes a requirement for further training if will help eliminate the cause of the HIPAA violation.
Whose responsibility is it to organize HIPAA training for small hospitals?
Privacy Rule training is most often organized by the HIPAA Privacy Officer and Security Rule training by the HIPAA Security Officer. In large organizations, these positions are usually filled by individuals with a depth of compliance experience. However, in small hospitals, the role of Privacy Officer may be assigned to a hospital administrator, while the role of Security Officer assigned to an IT manager.
