Question

Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

“Hi Todd! I have an employee who refuses to complete their assigned privacy and security training modules. I’ve asked over and over, for months. What do I do?”

Thank you for your question! I realize that being the Privacy Official for your practice is a tough job and unfortunately, you sometimes have to push, pull, and maybe even drag some of your team members along on the compliance journey. Let’s see what the HIPAA law has to say about employee training requirements and what to do if an employee doesn’t cooperate.

The HIPAA Law

There are two sections of the HIPAA law that apply to employee training. Section 164.308(a)(5) is in the Security Rule, and it requires providers to implement a security awareness training program for all staff and management. It should cover things like passwords, malware, and other security reminders. Section 164.530(b) is in the Privacy Rule, and it requires providers to train all staff on the privacy policies and procedures. The law does not go into much detail about how this training is to be done, but it does state it needs to be done within a reasonable time after the person joins the workforce and then updated regularly as things change. It also states that the training must be documented, keeping in mind that HIPAA requires all documentation to be kept for 6 years.

There are no exceptions in the law, so if you have an employee who has not completed his or her training within a reasonable amount of time following their initial hire, or according to your team’s regular training schedule, you are not in compliance. Training is that important. If there is a breach due to this person not knowing or not adhering to a published privacy or security policy, this could be viewed as willful neglect which can lead to enhanced penalties and fines.

With that bit of context on HIPAA training requirements, let’s address the question of what to do as a Privacy Official to shepherd training compliance.  This question, or challenge, is not uncommon. Referring back to the law, section 164.530(e)(1) and 164.308(a)(1)(ii)(C) state that dental practices must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy and security policies including the required HIPAA training procedures of the practice. I know sanctions aren’t fun and can cause friction in the office, but the law requires that the Privacy Official document the fact that this employee is not complying with the practice’s training procedure and apply appropriate, fair, and consistent sanctions to that team member.  In other words, if the carrot isn’t working, you need to get out the stick. Work with ownership and human resources (if available) to determine what this sanction process should be. Be consistent in how and who sanctions are applied to, and make sure to document, document, document.

Summary

To summarize- privacy and security training is a HIPAA requirement. One of the big ones. Because you’re working with sensitive patient information and medical records it is not optional. It’s the law. It needs to be completed by everyone on the team, from practice owners and doctors to temp employees, and it needs to be completed within a reasonable amount of time following the employee’s start date and periodically thereafter. To clarify, days to weeks are reasonable, months are not. A team member who refuses to complete their training should be considered a risk to both your patients and the practice.  You may think this sounds extreme, but it’s not and therefore, you may need to apply escalating sanctions up to and including termination, if necessary. It should be that important to your practice.  

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted - but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.