NRPM: Standards for Privacy of Individually Identifiable Health Information. b. Training. (§ 164.518(b))


In proposed § 164.518(b), we would require covered entities to provide training on the entities policies and procedures with respect to protected health information. Each entity would be required to provide initial training by the date on which this proposed rule becomes applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time period after joining the entity. In addition, we are proposing that when a covered entity makes material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties are directly affected by the change within a reasonable time of making the change.

The entities would be required to train all members of the workforce (e.g., all employees, volunteers, trainees, and other persons under the direct control of all persons working on behalf of the covered entity on an unpaid basis who are not business partners) who are likely to have contact with protected health information

Upon completion of the training, the person would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity’s privacy policies and procedures. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

At least once every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity’s privacy policies and procedures. The initial certification would be intended to make members of the workforce aware of their duty to adhere to the entity’s policies and procedures. By requiring a recertification every three years, they would be reminded of this duty.

We considered several different options for recertification. We considered proposing that members of the workforce be required to recertify every six months, but concluded that such a requirement would be too burdensome. We considered proposing that recertification be required annually consistent with the recommendations of The American Health Information Management Association (Brandt, Mary D., Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information, 1997). We concluded that annual recertification could also impose a significant burden on covered entities.

We also considered requiring that the covered entity provide “refresher” training every three years in addition to the recertification. We concluded that our goals could be achieved by only requiring recertification once every three years, and retraining in the event of material changes in policy. We are soliciting comment on this approach.