At Colington Consulting, we understand the importance of HIPAA compliance. We have a dedicated team with over 60 years of combined experience in law enforcement, regulatory compliance, inspections, and health information privacy. 

Our services include onsite and online HIPAA courses that meet all of the legal requirements set forth by the HIPAA Security Rule and the HIPAA Privacy Rule. 

The HIPAA Security Rule established federally-mandated standards to protect patients' electronic personal health information (e-PHI) created, received, used, or maintained by a covered entity or business associate. 

Aside from the protection requirements created by the rule, it also stipulates that all covered entities and business associates should undergo certain training requirements based on their contact with e-PHI. 

Similar to the HIPAA Security Rule, the HIPAA Privacy rule established mandatory standards designed to protect patients' e-PHI and non-electronic PHI. The rules set forth address individuals' health information use and disclosure. 

They also set standards for individuals' privacy rights. These standards allow patients to understand and control how their health information is used. Under the HIPAA Privacy Rule, specific training requirements were enacted.

A covered entity includes anyone who provides medical care, offers health insurance, or otherwise handles e-PHI or non-electronic PHI. Examples of covered entities include:

• Healthcare providers, including doctor's offices, dental offices, clinics, and psychologists
• Nursing homes, pharmacies, or hospitals
• Health plans, insurance companies, and HMOs
• Medicare and Medicaid
• Healthcare clearinghouses
• Employers and schools that handle PHI to enroll individuals in healthcare plans

Anyone who works for a covered entity and handles e-PHI or non-electronic PHI should undergo HIPAA training.

Under the HIPAA Privacy Rule, a business associate is defined as a person or entity that performs activities or functions that involve the use of e-PHI or non-electronic PHI on behalf of a covered entity. 

It's common for covered entities to outsource certain functions or to use third parties to process certain information. Business associates are entrusted with ensuring they adhere to the laws and regulations when they do so. Examples of business associates include:

• Third-parties that provide claims processing services
• Accounting firms that handle the data of a covered entity, including PHI
• Attorneys whose legal services involve access to PHI
• Independent medical transcriptionists
• Benefits managers who handle PHI

All business associates must comply with the HIPAA Privacy Rule and undergo training.

HIPAA Security Training includes topics related to the electronic protection of patient health data. Under the rule, all covered entities and business associates who store or otherwise use e-PHI must have implemented specific security procedures related to data storage. 

To ensure that e-PHI is continuously protected, HIPAA Security Rule advises that regular training is held. Topics covered include:

• Periodic security updates and reminders
• Guidance for protecting against, detecting, and reporting malicious software
• Procedures for monitoring log-in attempts and informing of any discrepancies
• Processes for creating, changing, and safeguarding all passwords

In addition to meeting the standards set forth by the Security Rule, training includes how to handle any discrepancies and who to report them to. 

To comply with the HIPAA Privacy Rule, individuals who handle e-PHI and PHI must undergo training that includes:

• How to identify PHI
• Knowing when and how PHI may be disclosed
• Understanding the importance of patient confidentiality
• Documenting any disclosures of PHI that have occurred
• Understanding patient rights and authorization

In addition to understanding PHI and knowing the rules for protecting it, training will cover the impacts that improperly disclosed PHI could have on an organization or patient. By choosing online HIPAA courses for covered associates, you can start immediately.

The topics covered in the HIPAA Security Awareness and Privacy Training for Business Associates meet the standards set forth by the HIPAA Security Rule and the HIPAA Privacy Rule. Training includes:

• Ensuring that the organization has proper protocols in place for protecting e-PHI
• Computer awareness and security training, including password protection
• How to notify the proper officers whenever there are discrepancies
• Handling patient PHI properly and understanding when PHI may be disclosed and to whom
• Specific responsibilities of business associates under HIPAA
• Penalties associated with not following HIPAA rules

The HIPAA training for business associates meets all requirements set forth by the regulations governing federal enforcement of HIPAA. You may enroll in our online HIPAA courses or choose a live solution.

Neither the HIPAA Security Rule nor the HIPAA Privacy Rule set specific timelines for training. Instead, the rules indicate that organizations should undergo HIPAA training whenever a new employee joins the business and whenever there is a material change in process or procedures.

In practice, most companies and healthcare organizations provide HIPAA training to new staff members immediately and current staff annually. Training that occurs annually allows staff members to stay up-to-date on any changes that have been made. 

It also provides them with a refresher of what they are responsible for and how to handle any discrepancies. There are online HIPAA courses available and customized solutions that can be designed to fit your company.

It's not unusual for covered entities and business associates to encounter an issue of a HIPAA breach. There are four categories that the Department of Health and Human Services' Office for Civil Rights (OCR) uses to assess financial penalties for violations of HIPAA laws and regulations. These include:

Tier 1 violations are the least severe. They may be imposed on a covered entity or business associate that has broken the HIPAA rules but done so as a mistake, usually due to lack of knowledge. 

Fines imposed begin at $120 per violation and extend to $60,226 per violation, with an annual maximum penalty of $1,806,757 to the organization.

A tier 2 violation assumes that the covered entity or business associate had reasonable cause to know that a patient data breach may occur. Fines begin at $1,205 per violation, with a maximum of $60,226 per violation. The yearly maximum penalty that may be imposed on the covered entity or business associate is $1,806,757.

Tier 3 violations involve willful neglect. The covered entity or business associate knew about the potential for a breach or realized a breach had occurred and did nothing about it. 

The minimum fine imposed per violation is $12,045, while the maximum is $60,226 per violation. The maximum fine that may be imposed on the entity is $1,806,757.

Companies that have allowed breaches to occur and did nothing about them within 30 days are subject to the stiffest fines. Minimum penalties imposed per violation are $60,226, while the maximum penalty per violation is $1,806,757. 

Like all other violations, the maximum fine that may be imposed per year on the covered entity or business associate is $1,806,757.

In addition to meeting the requirements of the HIPAA regulations, security training allows workers to understand the impact that a breach in data can have if the rules are not followed. 

Aside from the financial impact, data breaches of PHI can lead to a loss of trust from patients who expect covered entities and business associates to protect their data. There is also the potential for medical identity theft.

When a security breach is discovered, the first thing that a HIPAA inspector will ask to see is the records for training within the organization. If the organization can't provide these, or the training program appears lax, the company is more likely to receive steep fines for data breaches. 

Thus, regular HIPAA training for staff members can be viewed as a preventative tool to ensure that companies comply with laws and regulations.

As a covered entity or business associate, it is your responsibility to ensure that all staff that handles e-PHI or PHI are properly trained in security and privacy rules. Colington Consulting offers live, instructor-led training and online HIPAA courses to ensure you fulfill your obligations. 

We also offer customized training sessions that can be designed to fit your company's specific needs. To learn more, contact us for a free consultation.