Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: What is the most common practice for annual HIPAA training (e.g., videos, tests, online training)? I am responsible for training clinical and clerical staff annually. Do you have any recommendations for job-specific HIPAA training?
A: HIPAA doesn’t require a set style of training. At minimum, most industry experts recommend that organizations conduct new employee orientation training (including temporary staff members, students, interns, and volunteers) and annual refresher training for existing staff members. A number of good vendors on the market provide training tools, ranging from PowerPoint presentations to hosted webinars to interactive online training. Whatever your choice, track attendance. Administering a test to gauge knowledge retention is also a good idea.
Several reputable vendors offer role-based training (i.e., training customized specifically for IT staff, nurses, administrators, etc.). Providing that specialized training is wise, especially for employees who are entrusted with a high level of responsibility when it comes to PHI. For example, HIM staff should receive additional training given that these employees are the custodians of patient medical records.
Try to avoid using the same refresher training year after year because the training will no longer sink in after a while. Focus training on certain topic areas such as mobile device security and social media use. These are high-risk areas; the more employees know, the lower the risk of breaches and other adverse events.
Consider other laws that may also be applicable such as the Red Flags Rule, 42 CFR Part 2 (alcohol and chemical dependency) and state privacy and security laws. Few training packages available from vendors include this level of training. If you are subject to other federal and state privacy and security laws, add training material on these subjects to any vendor-provided training you may use.
Training does not need to be complex. Security reminders may be as simple as, “Don’t open the attachment if you don’t know the sender.” It can include articles in staff newsletters, fun posters, pop quizzes, and headlines of breaches that appear in the news. The more training you provide, the greater the staff retention and the lower the risk of noncompliance.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.