HIPAA and Privacy Act Training

October 24, 2021

When a federal agency provides healthcare services, there may be circumstances in which employees need to undergo both HIPAA and Privacy Act training. In addition, as an increasing number of states enact their own privacy laws, there may also be occasions when employees of state agencies require HIPAA and Privacy Act training.

The Privacy Act of 1974 governs the collection, use, storage, and sharing of personally identifiable information maintained by federal agencies. Under the Act, U.S. citizens have the right to request a copy of any data held about them and to request that any errors be corrected; federal agencies must only collect data “relevant and necessary” to accomplish the purpose for which it is being collected; and sharing data between agencies is restricted and allowed only under certain conditions.

People acquainted with the Health Insurance Portability and Accountability Act will find these privacy provisions familiar, as they closely resemble Patients' Rights under HIPAA, the Minimum Necessary Standard, and Business Associate Agreements. Indeed, there are many similarities between HIPAA and the Privacy Act. However, despite the similarities, separate HIPAA and Privacy Act training is required by law in circumstances where both Acts apply.

The Laws Governing Privacy Act and HIPAA Privacy Training

Privacy Act training is governed by Part 24 of the Federal Acquisition Regulation. Subpart 24.3 states training must be provided initially and annually for employees that collect, create, use, process, store, or dispose of personally identifiable information, have access to systems on which personally identifiable information is maintained, or who “design, develop, maintain, or operate” a system which collects, creates, uses, processes, stores, or disposes of personally identifiable information.

HIPAA privacy training is governed by the Administrative Requirements of the HIPAA Privacy Rule. 45 CFR § 164.530 states a HIPAA Covered Entity must train all members of its workforce on the policies and procedures designed to prevent the unauthorized disclosure of Protected Health Information when they start working for the Covered Entity, whenever there is a material change to the policies and procedures, and when a need for refresher training is identified in a risk analysis.

The circumstances in which both Acts apply occur when a federal agency provides healthcare services to its employees, contractors, or civilians. Examples of agencies subject to both Acts include the Defense Department, the General Services Administration, and NASA – but while Privacy Act training is only necessary for employees with access to personally identifiable information, all employees of a Covered Entity are required to undergo HIPAA privacy training.

HIPAA Privacy and Security Training

The HIPAA Security Rule also requires Covered Entities, and Business Associates who provide a service for a Covered Entity, to implement a security awareness and training program. However, as the healthcare industry becomes increasingly digitalized, HIPAA privacy and security training is often provided simultaneously. This makes more sense than holding separate HIPAA privacy and security training sessions for employees who access Protected Health Information via EHRs.

The content of a security awareness and training program will closely align with the content of Privacy Act training, inasmuch as electronic records containing personally identifiable information are subject to physical, technical, and administrative safeguards similar to those present in the HIPAA Security Rule. Indeed, the language of the Privacy Act relating to the encryption of data, automatic log-off, and the disposal of electronic media is remarkably similar to the language of HIPAA.

State Privacy Acts and HIPAA Privacy Rule Training

Because the Privacy Act applies only to federal agencies, many states are introducing their own privacy legislation that will apply to state and local government agencies and – in some cases – private organizations. Consequently, employees of public health departments, state-run correction centers, and public school systems currently subject to HIPAA may also have to undergo state privacy act and HIPAA Privacy Rule training – if training is mandated in the state's legislation.

The post HIPAA and Privacy Act Training appeared first on HIPAA Journal.