1. Standards for Privacy of Individually Identifiable
Health Information (Refer to 45 CFR 164.530)
The final regulation requires covered entities, like yourself,
to train all members of your workforce on the policies and procedures
with respect to protected health information required by this rule,
as necessary and appropriate for these members of the workforce
to carry out their functions within the covered entity.
Training is required for both existing and new members of the workforce,
or when material changes in the covered entity's policies and procedures
occur. Covered entities are responsible for implementing policies
and procedures to meet these requirements and for documenting that
training has been provided.
Each entity is required to provide initial training by the date
on which this rule became applicable. (The final rule took effect
on April 14, 2001. As required by the HIPAA law, most covered entities
had two full years - until April 14, 2003 - to comply with the
final rule's provisions).
After that date, each covered entity would have to provide training
to new members of the workforce within a reasonable time after they join
the entity. In addition, the regulation requires that when a covered entity
makes material changes in its privacy policies or procedures, it retrain
those members of the workforce whose duties are related to the change
within a reasonable time of making the change.
2. Security Standard (Refer to 45 CFR 142.308)
The Security Standard currently outlines training (education concerning
the vulnerabilities of the health information in an entity's possession
and ways to ensure the protection of that information) that includes
all of the following implementation features:
i. Awareness training for all personnel, including management personnel
(in security awareness, including, but not limited to, password
maintenance, incident reporting, and viruses and other forms of
malicious software).
ii. Periodic security reminders (employees, agents, and contractors
are made aware of security concerns on an ongoing basis).
iii. User education concerning virus protection (training relative
to user awareness of the potential harm that can be caused by a
virus, how to prevent the introduction of a virus to a computer
system, and what to do if a virus is detected).
iv. User education in importance of monitoring log-in success or
failure and how to report discrepancies (training in the user's responsibility
to ensure the security of health care information).
v. User education in password management (user training in the rules
to be followed in creating and changing passwords and the need to keep
them confidential).