Communication Training and Curriculum Development

Annual Compliance Training's - Who should take them (Contractors/Employees)

  • 1.  Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 08-13-2019 04:12 PM
    It was brought to my attention that my company does not require all contractors to take the compliance training.  Currently the rule is, if a contractor does not touch PHI and only access to PII they are not required to take the annual compliance training's.  My opinion is that everyone regardless of who you are should be required to take the training's.

    What are your thoughts?

    Thanks
    Brian

    ------------------------------
    Brian Haines
    Corporate Compliance Manager
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 08-13-2019 04:29 PM
    What does the business associate agreement to their contract require?

    You should be able to back up your position with a risk assessment that points to the need for a documented policy that requires it to mitigate a specific risk.

    ------------------------------
    Chris Johnson
    Compliance Officer
    SyMed Corporation
    NAPA,CA
    ------------------------------

    2020 SCCE Membership


  • 3.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 08-13-2019 04:38 PM
    All the hospital and now insurance entities I have been involved with required everyone to take the annual training.

    My thoughts.

    Annual training isn't just about PHI.  It's about actions to take when they see something.  How to report it.  Non-retaliation.  Everyone is responsible for compliance and ethics.  ID the compliance/privacy officer.  Reminder that termination can occur if anyone is found in violation of these policies and procedures.


    ------------------------------
    Bill Wong, CHC, CHPC, CCS, CPC, CPMA, CDEO
    Corporate Compliance Supervisor
    Aon Hewitt - Healthpaws
    ------------------------------

    2020 SCCE Membership


  • 4.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 08-14-2019 09:29 AM
    I totally agree with you, Bill! It isn't PHI only.​

    ------------------------------
    Jodi O'Neill
    Deputy Compliance Officer
    Indiana Public Retirement System
    Indianapolis,IN
    ------------------------------

    2020 SCCE Membership


  • 5.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 08-22-2019 02:55 PM
    Who are you considering contractors? I have been a bit confused as to who we should be providing training to other than our employees. volunteers, students. etc. also. We do have certain organizations that handle PHI but sign lengthy contracts as to their compliance obligations.  Is it required to do more and what kind of training are you providing? It would be very burdensome to try and get training attestations from every employee at every company we do business with but I want to make sure we are covering our bases.

    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
    Hixson,TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    2020 SCCE Membership


  • 6.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 08-22-2019 03:50 PM
    We are a Telemedicine company and therefore we don't have volunteers or students that you might have in a Hospital or a Group.  However, to answer your question, we often will hire an individual  (contractor) to fill a role.  We will also outsource numerous things such as payroll which we also call contractors.  Depending on what type of access they have to our system determines if we require training.  If they are using our system and have access to PHI, then they are require to take the training.  Due to lack of bandwidth in our department, this is the first year we are enforcing this and we are getting push back mainly because they just don't want to do the training's.  The training we provide is the same we give to our employees and providers and we will be doing this annually.

    ------------------------------
    Brian Haines
    Corporate Compliance Manager
    ------------------------------

    2020 SCCE Membership


  • 7.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 01-15-2020 09:25 AM
    I was researching this topic and came across this older post.  I wanted to pose the question to this group for the issue I am currently dealing with.

    We have building security guards who are employed by a third party vendor that are located in our buildings, maintain logs of guests visiting our company and have company email addresses.  They do not have access to our PHI or PII but do have access to our internal information systems and other company data.  Info Security requires them to take training on the appropriate use of technology but I think they should take the Code of Conduct training and Insider Training that we require our associates to take.  OR the vendor should certify they get some sort of confidentiality/ code of conduct training.  I am getting alot of push back that as they don't access PHI we don't need to ensure training and wondered what this groups thoughts might be.

    Thank you!


    ------------------------------
    Darcy Green
    Director Compliance
    Benefitfocus.com
    Mt Pleasant,SC
    ------------------------------

    2020 SCCE Membership


  • 8.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 01-15-2020 09:33 AM
    Darcy,

    On some level I think you may have answered your question based on your description.  It also sounds like your Security Rule compliance is doing its job.

    By the security guards not having access to PHI, that takes them out of the HIPAA realm.  Here I take access to mean that if a security guard logs onto a computer, his or her access does not allow them to connect to or access such ePHI data repositories such as an EHR or other applications where ePHI may reside.

    I think that the position of making sure all users of computers (whether they are accessing ePHI or not) is something most organizations so because this way they clearly identify the expectations of how company assets (such as computers) may or may not be used...and also provide a way to promote accountability for those who use the computers.

    Though these security guards may not access ePHI, their use of the computers (depending on other factors as well) may still leave the door open that they could use the computers in a way that could present a threat to the IT system such as if they launched or download software off of the Internet that may represent malware.

    I suggest you present your suggestion that they get trained...and if the decision makers decide that such training is not required...you've done their job...the decision makers have done theirs...and onward you go to the next item on your "to do" list.

    Good luck!



    ------------------------------
    ► We don't fail unless we quit! ◄
    Saturday Study Session - 1/18/20
    --------Frank Ruelas---------
    ------------------------------

    2020 SCCE Membership


  • 9.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 01-15-2020 09:39 AM
    Thanks Frank... long time lurker here on the SCCEnet and am appreciative of the response and info.
    -Darcy

    ------------------------------
    Darcy Green, JD
    Dir. Compliance
    Charleston, SC

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    2020 SCCE Membership


  • 10.  RE: Annual Compliance Training's - Who should take them (Contractors/Employees)

    Posted 01-15-2020 03:06 PM
    Question on the security guards not having access to PHI.  I can understand that their computer access limits their access to ePHI, but could they come in contact with paper or oral PHI that they would need to know how to handle?  May still need at least a high level HIPAA privacy training?

    ------------------------------
    Marie Wagner, CHC, CHRC
    Operations Manager, Corporate Compliance
    The Queen's Health Systems
    Honolulu, HI
    ------------------------------

    2020 SCCE Membership