4.4 DETAILED REQUIREMENTS


4.4.1

Under the privacy rule a covered entity must train the entire work force on HIPAA-directed privacy policies and procedures necessary to comply with the rule while executing organizational operations.

Under the Security Rule § 164.308(a)(5) the CE is required to implement a security awareness and training program for ALL members of its workforce, including management.

4.4.2 Ongoing Training

The Privacy Rule states that a CE must provide training 'to each member of the covered entity's work force whose functions are affected by a material change in the policies or procedures required within a reasonable period of time after the material change becomes effective.' The Security Rule requires 'periodic reminders.'

Ongoing training is the process of keeping the issues in front of the work force.

Periodic reminders may take a number of different forms, for example:

  • Sign-on security reminders

  • Company newsletters

  • Meetings

  • Official training programs

  • Lunchtime sessions

  • Promotional products

  • e-mail messages

  • Banners and screen savers

  • Web pages

  • Literature and case law circulation, if only to select groups

There should also be a mechanism for updating the content of training to reflect policy and procedure changes for affected individuals. In order to demonstrate compliance, it is extremely important to keep a complete audit trail of the training efforts undertaken by the CE, e.g. retention of e-mail messages, attendance sign-in sheets, signed statements acknowledging the receipt and understanding of training materials, test scores, etc.

4.4.3 Audience and Content

It is extremely important to note that training should be tailored to meet the requirements under each of the rules and that these requirements are different for the various constituencies or audiences within each organization, for example:

4.4.3.1 Training Under the Privacy Rule Example

All Employees, New Employees and Volunteers would be trained on (partial list):

  • General confidentiality

  • Patient rights (general)

  • Reporting known or suspected breaches

  • Training requirements

  • Sanctions

  • e-mail

  • Faxing

  • Complaints

  • Special Record Handling

However, management would additionally be trained on the topics below.

4.4.3.2 Management would be Trained on (Partial list)

  • Federal and state laws

  • Consents and exclusions

  • Psychotherapy notes

  • Uses and disclosures / authorizations

  • Patient rights

  • Subpoenas, court orders

  • Privacy assessments

4.4.3.2.1 If appropriate, constituencies can be segmented even further, e.g. by role, and training can be tailored to the individual's specific role in the organization.

4.4.3.3 Training under the Security Rule (example)

4.4.3.3.1 All Employees, New Employees and Volunteers would be Trained on (Partial list)

  • General security policies

  • Employee rights

  • Physical and workstation security

  • Audits

  • Department security procedures

  • Software discipline

  • Periodic security reminders

  • Virus protection

  • Importance of monitoring log-ins

  • Password management

  • Incident reporting

However, management would additionally be trained on the topics below.

4.4.3.3.2 Management would be trained on (Partial list)

  • Monitoring procedures

  • Audit trails

  • Role in ongoing awareness training

  • Security system assessment

  • Incident handling and reporting

4.4.3.3.3 If appropriate, constituencies can be segmented even further, e.g. by role, and training can be tailored to the individual's specific role in the organization.

4.4.4 Documentation and Retention Periods:

Under both rules, evidence of compliance must be documented in either written or electronic form and retained for a minimum of six years from the implementation date. This retention period also applies to all associated Policies, Procedures, Standards and Guidelines.

4.4.5 Compliance Due Dates

Training under both of these rules must be completed by their respective implementation dates:

4.4.5.1 Training under the Privacy Rule should be complete by April 14, 2003

4.4.5.2 Training under the Security Rule must be completed by April 20, 2005




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181