Documented HIPAA compliance training is NOT an option for your Business Associates!
With the focus of the Office for Civil Rights (OCR) so squarely on the Business Associates of Covered Entities, it is more important than ever to hold your Business Associates feet to the fire when it comes to providing proof of their HIPAA training.
It is strongly recommended that Covered Entities require {45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)} all of their Business Associates to provide them with documented proof of their HIPAA compliance training. This documentation could come in the form of individual employee training certificates or (if the Business Associate does not have training certifications) a signed addendum along with your Business Associate Agreement (BAA) attesting to the fact that the Business Associate's HIPAA training program was completed and will continue to be on an annual basis to maintain a standard for ongoing compliance training and awareness of evolving standards.
Far too often, I have talked with Covered Entities who's Business Associates verbally claimed that all of their employees were HIPAA trained, but could not provided documented proof. Simply saying, "Yah sure, we do HIPAA training..." is not enough proof for OCR. It is vital that Covered Entities are able to provide documentation of their Business Associates claim that they have completed their HIPAA training. If a Covered Entity is working with a Business Associate who either does not have documented proof of their HIPAA training program or refuses to supply the Covered Entity with such documentation, then that Covered Entity has two options:
- Recommend a BA HIPAA Compliance Training Program to their Business Associate;
- Begin exploring the option of no longer doing business with that particular Business Associate
No comments:
Post a Comment