How to improve your training program
Keep it simple, honest, fun, and interesting
HIPAA and HITECH have resulted in a whole new career for Tom Dumez, CHP. As human resources director at a records management company, Dumez's job in the last few years has taken a new direction: training others how to comply with HIPAA.
Dumez says he didn't know much about HIPAA when Congress enacted the HITECH Act in February 2009. However, the company he worked for, Kent Record Management in Grand Rapids, MI, realized someone had to find out about the HIPAA laws pretty quickly.
HITECH made Kent and other similar companies that handle PHI for covered entities (CE) into business associates (BA) that were now directly subject to certain HIPAA rules.
Since he handled compliance at Kent Record Management, Dumez was assigned the responsibility of learning about HIPAA and how to comply with laws the company was previously only required by contract to comply with.
Under HITECH, BAs are required to adhere to parts of the Privacy Rule and the entire Security Rule by statute.
Dumez became a Certified HIPAA Professional and, after months of research into HIPAA and HITECH, developed a training program for the off-site record storage company's workforce.
An expanding compliance audience
That's where it all began, but not where it ended for Dumez. He soon realized other record and information management companies needed to train their workers and developed a training program that he could take on the road. It's only continued to grow.
"[My employee HIPAA training program] continues to sell at a great pace," he says. Dumez has also gotten many invitations to speak at conferences and says he has yet to turn down any of those opportunities.
"That tells me that the people in the records and information management world are serious about learning more, as well as wanting to know how they can mitigate risks in an effort to make their organizations better and also to better protect information," he says.
He quickly expanded to include other types of BAs and has now developed a specific training program for CEs who want their workforce members to better understand what's required by the HIPAA Privacy and Security Rules, as well as HITECH. He is soon scheduled to train the workforce at a medical facility with about 350 staff members and is working with an insurance administrator to train that company's 18,000 workforce members.
In addition to training in the United States, Dumez expects to go international this year, with training expanded to include facilities in U.S. territories, as they must also follow HIPAA and HITECH laws.
Also, the HIPAA/HITECH world continues to grow. A notice of proposed rulemaking released by HHS in July 2010 extends compliance requirements to BA subcontractors by expanding the definition of BA to include them.
By defining subcontractors as BAs and clarifying that BA liability flows to all subcontractors, HIPAA requirements are "rolling further and further downstream," Dumez says. All the while, breaches of PHI continue to happen, he notes.
Training a tough challenge
It's probably no surprise that CEs and BAs are looking to experts like Dumez for help.
Training is a big challenge, according to many respondents to a November 2011 survey conducted by HCPro, Inc., and Medical Records Briefing, a sister newsletter of Briefings on HIPAA.
Despite their training efforts, many of the more than 400 survey respondents, which included HIPAA compliance officers and HIM directors, expressed worries about whether workforce members always comply with HIPAA.
One respondent said a big worry is "ensuring staff get engaged in what HIPAA means to the organization so they clearly understand how and why they must comply with our rules and regulations."
It's not an easy job.
"[It's] very complex and hard to teach," said one respondent about HIPAA compliance. Another respondent's big worry: "staff remembering to follow policies."
"Making staff understand how serious it is" is a major challenge, according to another respondent.
Dumez says he doesn't get that sense of frustration from his clients and suggests it's time for organizations to adjust their training methods.
He attributes much of the success of his own training program to the fact that he teaches at a level where the information makes sense to his students.
A need for better training
There are still lots of cases where workforce members are not adequately trained, says Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC, in Portland, OR.
In some cases, staff members don't understand how HIPAA works. "There are still a number of HIPAA myths floating around out there and training has, in my opinion, been inadequate. Either compliance is an issue or it is misunderstood," Apgar says.
Phyllis A. Patrick, MBA, FACHE, CHE, of Phyllis A. Patrick & Associates LLC, in Purchase, NY, agrees that organizations can do a better job.
"I think that training is not handled well in most organizations," she says. For instance, some organizations with large numbers of staff members often use only online learning methods. "They use the same tired, mind-numbing modules over and over again," Patrick says. Is it any wonder, she asks, that staff "game the system" in order to complete the training and then don't retain much useful information?
Dumez recalled the manager who told him he loves listening to webinars because he can multitask. If you're e-mailing and taking phone calls during a webinar, you have to ask how much you got out of the session, he says. You may get a certificate that you completed the webinar, but you probably didn't listen to much of it.
So given the challenge many organizations have with training, what can they do better?
- Keep it simple. Make your message easily understood, says Dumez. Your training sessions may include workforce members from a brain surgeon to a janitor, he says. Regardless of rank, everyone should still get the message.
You don't want your message to be "blah, blah, blah, coming from the boss," Dumez says. So don't read the HIPAA requirements word for word. And don't use lingo that your staff members won't understand. "Say it in such a way that everyone can understand it. Don't take training just to take training," he says. The idea is to educate your workforce.
- Make it personal. When it comes to fines and penalties your organization may face, employees need to know they are a real possibility, Dumez says.
A janitor who earns $8 an hour has access to areas of your facility where you store PHI. He may be tempted to steal records and sell them because of the value of medical identity theft. So you need to be sure he understands the consequences and that he could be hit with a fine for such actions, as well as criminal prosecution.
- Be extremely real with people. Focus on the everyday reality more than on your policy, Dumez says. For example, a records management company policy may require that employees make all deliveries with a company vehicle and that the vehicle must be locked when left unattended.
However, people continue to read in the news about tapes or records being stolen from an employee's car, Dumez says. So despite the policy, an employee may still transport records in his or her own car or truck. Regardless of what the policy says, you must deal with the reality, he says.
Not only do you need to explain what your policy requires, but you must make employees understand why the requirement exists, Dumez explains. So, for instance, show your employees a list of breaches that have occurred when an employee took records home and they were stolen from his or her car.
"The whole purpose to training is to lower and mitigate your risk," he says.
- Use a mix of training methods geared to what individuals need to know. Keep training interesting, says Patrick.
"Training needs to be a mix of modalities, geared to what individuals need to know in order to meet the requirements and expectations associated with their jobs," she says.
For instance, a registrar in an outpatient clinic does not need to know that HIPAA was passed in 1996. She does need to know who to call and what to do if she thinks the person she is registering is not who he says and may be using someone else's ID card, Patrick says.
Staff don't necessarily need to know the law, but they need to understand the ramifications, says Dumez.
- Use the relationships developed as a result of training to gain confidence to continue to train your workforce. If you bring in an outside trainer, use the lessons you learn to continue to train your staff members, says Dumez. For instance, be sure to train newly hired employees using the methods that worked on your existing staff.
- Keep your training lively. You don't want to bore your audience. "I walk and talk. I laugh and carry on. I think that's important," says Dumez.
Think about the kind of training you would want to sit through yourself, he says. Try and relate to everyone in your audience and be prepared to address their questions. Keeping learners engaged is key to effective training.
Finally, don't forget to document your efforts.