Emerging Health Insurance Portability and Accountability Act (HIPAA) compliance regulations require companies to train employees and certify that they comprehend the appropriate laws and are skillful in their own actions under such policy guidelines. A study from the Centers for Medicare and Medicaid Services (CMS) has indicated that by April 2003, only 400,000 out of 2 million health care organizations will be out of compliance. (See Figure 1.) These so-called “covered entities,” which include claims processors, health plans, hospitals, physicians and suppliers, are required to develop training and compliance practices that adequately protect them from liability.
Figure 1: Covered Entities That Applied for October HIPAA Privacy Deadline Extensions
Covered entities must make certain that they can articulate to managers, auditors and other assurance bodies that conformance to HIPAA federal and local regulatory standards can be effectively institutionalized so that an informed decision regarding funding levels for process, personnel and technology controls can be made, or else accept risks from non-compliance.
These risks will be similar to those following the privacy violations of Eli Lilly, DoubleClick and Delta Airlines—fines, prosecution and lawsuits, as well as revenue loss and brand erosion due to negative media attention.
Enacted in August 1996, HIPAA has numerous provisions, including the electronic transaction standards, designed to reduce the volume of paperwork and streamline the processing of health care claims. The submission of a model compliance plan by Oct. 16, 2002 allowed physicians a one-year extension on the implementation of the electronic transactions portion of HIPAA only. Extensions are not available for other portions of HIPAA, such as the medical privacy rule, which goes into effect in April 2003.
Within the HIPAA privacy regulations, training requirements are outlined for all covered entity employees. (See Figure 2.) Privacy regulations affect every communication of protected health information (PHI) within a covered organization, even beyond its “walls.” Employees must understand the behavior requirements around new policies and procedures necessitated by the regulations and the “new” e-environment. Attention should be paid to employees’ need for recertification and the continually evolving state and federal HIPAA regulations, and organizations should integrate this with skill and competency management.
Figure 2: HIPAA Training Topics
HIPAA awareness and education continue to be a major focus of ongoing compliance activity in all major compliance areas. According to a report from the Healthcare Information and Management Systems Society (HIMSS) and Phoenix Health Systems (see Figure 3), organizations across all industry segments reportedly are involved in HIPAA awareness and education activities as follows:
- Security (62 percent)
- Privacy (60 percent)
- Unique Identifiers (55 percent)
- Transactions (53 percent)
Figure 3: Organizations Involved in HIPAA Training
In addition, the study found that 42 percent of respondents were currently using outside consultants to support HIPAA initiatives and that 19 percent of consulting support is focused on training and other HIPAA-related objectives.
A good example of companies finding success on this tack is Duke University Health Systems’ work with IBM Global Services to deliver a blended training program to educate approximately 20,000 employees on HIPAA.
Our research shows that mandated training must be provided as follows:
- To each workforce member no later than the compliance date.
- Thereafter, to each new workforce member within a reasonable period of time.
- Within a reasonable period of time, to each workforce member whose functions are affected by a material change in policy or procedure.
General training must be provided for every workforce member. Advanced training must be provided based on specific job functions (e.g., customer interaction representatives who deal with PHI during every customer contact will need different training than a member of the billing department who may not have contact with members and may not have access to PHI as part of his or her job description). In conjunction with privacy training, employees must also be aware of the security regulations and their responsibilities around compliance. All training must be documented, records must be maintained, and training must be updated as regulations are clarified and amended. It should be noted that the HIPAA training must be continual and part of a long-term training strategy. (See Figure 4.)
Figure 4: Training Compliance Requirements
It is critical for affected organizations to ensure that privacy training is linked into HR records via their training management system (e.g., LMS, virtual classroom, human resource information system), beyond the standard performance appraisal and management-by-objectives (MBO) processes. It must also be tied to analytic measures and reporting to assure both upper managers and auditors that compliance training is penetrating different personnel levels. By 2005-2006, we envision compliance training to be aligned with compliance measures and metrics reported to managers via a dashboard or scorecard that links this to an analytics/business intelligence (BI) effort.
Covered entities must also design training programs in light of state laws, which may be stricter and pre-empt federal legislation. Processes must be put into place to ensure that employees switching state jurisdictions (e.g., an employee moves to a new state but works for the same company, or a telephone representative now handles calls from a different state) are profiled to catch state training needs. For most covered entities, existing privacy or security training programs should be augmented to cover HIPAA regulations. HIPAA privacy regulations have been modified and clarified by the government. It is expected that clarifications will continue; therefore, businesses should be mindful of the ongoing changes to the regulations. Beginning in the second quarter of 2003, the Office for Civil Rights will begin compliance monitoring. The results of these audits should be monitored, and training programs should be modified accordingly, providing various learning options (both off-line and online) to ensure that each employee is able to access training and gain certification. An LMS or other training and administration tool is important in tracking training for high-turnover employees, managing high-transaction volume and providing consistent updates to HIPAA training content.
While the long-term financial intent of the HIPAA law is to reduce the cost of delivering health care through simplification and standardization of business processes, the short-term financial cost to a health care organization could be substantial. Chief learning officers and other e-learning stakeholders must work with health care financial managers to accurately predict the budget impact of HIPAA training on their organizations. The use of e-learning as part of an overall compliance training strategy enables Global 2000 organizations to more efficiently address professional development and skills management, brand protection from public miscues and, most important, risk management (from the legal consequences of not being in compliance).
Jennifer Vollmer is a lead analyst for learning management for the META Group, focusing on health care, insurance and financial industries. For more information, visit www.metagroup.com.