Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed rules, allowing expanded types of providers to order tests and perform other tasks. An increased number of students or volunteers are also being used.
With these workforce changes, HIPAA training must continue. The HIPAA privacy and security rule remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” 45 CFR 160.103
HIPAA training reminders:
- Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
- The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
- The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
- Workforce members should also be trained to recognize breaches, how to report them internally, and who to report them to.
- All workforce member should be trained on appropriate social media use (this is especially important during a national emergency).