What are HIPAA and OSHA?

The Health Insurance Portability and Accountability Act (HIPAA) was established to set national standards to protect individuals' medical records and other personal health information. The Occupational Safety and Health Administration (OSHA) was established to ensure safe and healthful working conditions by setting and enforcing standards and by providing training, education, and assistance.

Both acts have mandatory training requirements that are often a source of confusion for medical and dental practices. Are we required to train annually? Who does training apply to? How long should training be? What topics should be covered? If we do not hold training, will we be subject to fines?

The answers to many of these questions can be found at OSHA.gov or HHS.gov. Some of them, however, are not clearly defined in the regulations and depend heavily on how the law is interpreted.

1) Does OSHA/HIPAA training need to be conducted annually?  

Yes. Annual OSHA training for all employees is mandatory, and new-hire employees must be trained within ten days of hire (and, under the Bloodborne Pathogens standard, at the time a worker is first assigned to tasks with possible exposure).

HIPAA requires training for all employees: for new workforce members within a reasonable period after they join, for affected staff whenever a material change in policies or procedures touches their job, and periodic refresher (security awareness) training for everyone. The term “periodic” is not defined in the rule and is left to interpretation; most organizations train all employees on HIPAA annually, which is considered a best practice. Rules and enforcement guidance change over time, so it can be difficult for practices to stay current, and failure to comply can result in fines or other consequences.

2) Who does training apply to? Should the doctor or dentist also be trained?

OSHA training is mandatory for all employees, including the doctor or dentist, nurses, receptionists, and part-time employees.

HIPAA training is mandatory for every workforce member who comes into contact with protected health information (PHI). This includes doctors, dentists, nurses, receptionists, part-time employees, and interns.

Employees in certain positions, such as health information management (HIM), IT and network administration, or regulatory compliance staff, may need more specialized training.

3) How long should training be? 

HIPAA does not specify a particular length for training. What matters most is the content of the training and that the material is taught effectively.

Proper OSHA and HIPAA training cannot be conducted in just a few minutes, but it does not require weeks of training either.

4) What topics should be covered? 

Employers should refer to OSHA's web site (www.osha.gov) for the specific training requirements of each OSHA standard. Specific HIPAA training requirements can be found at www.hhs.gov.

OSHA & HIPAA requirements as of 2013 include: 

  • Annual OSHA Employee Training
  • GHS: Globally Harmonized System of Classification and Labelling of Chemicals training (the new label elements and safety data sheet format under the revised Hazard Communication standard), with proof of training
  • HIPAA Omnibus Rule Employee Training & Implement Protocols

Training on the following topics must be given to new employees, and repeated whenever a change in job procedures introduces a new hazard:

  • General Office Safety – including injury and illness prevention program (IIPP), fire safety and emergency responses, eyewash stations, and washrooms.
  • Hazard Communication 
  • Ionizing Radiation 
  • Bloodborne Pathogens – including medical waste management information.

5) Are we required to keep proof of training? If so, what documentation is required?

Yes, it is very important that training is documented. HIPAA requires that training be documented, although it does not specify the form the documentation must take.

OSHA also requires that training be documented. Records provide evidence of the employer's compliance with OSHA standards. Training records should include:

  • Dates of the training 
  • Content of the training 
  • Names and qualifications of trainers
  • Names and job titles of attendees

Other requirements: 

  • Employee training records must be maintained for three years.
  • Employee training records must be available to employees.
  • If the practice is sold, employee training records are transferred to the new owner. If the practice is closed and there is no successor, the records must be offered to the National Institute for Occupational Safety and Health (NIOSH).

6) Can we be fined if we don't conduct training, or fail to hold it annually?

Yes. OSHA can issue a failure-to-train citation even if only one employee missed training. OSHA penalties range from $0 to $70,000 per violation, depending on how serious the violation is (2013 maximums; OSHA penalties have been adjusted annually for inflation since 2016).

HIPAA civil penalties run up to $1.5 million per year for all violations of an identical provision, tiered by the level of culpability. Some HIPAA violations can also lead to civil or criminal penalties for the individual employee. If an employee who is disciplined or terminated for a violation was never given adequate training, the practice faces a greater risk of litigation. Doctors and nurses can also be charged with ethical violations and risk sanction or loss of license.

7) What are some example citations that can be given?

Each year the Occupational Safety and Health Administration issues citations to employers in the healthcare industry. Below is a list of 10 frequent citations issued to physicians' offices and clinics in the last six months of 2011.

10 examples of OSHA citations for physicians' offices and clinics

  1. Failure to implement and maintain an exposure control plan 
  2. Failure to train 
  3. Failure to engineer out hazards/ensure hand washing 
  4. Poor housekeeping 
  5. Failure to implement and maintain a written hazard communication program
  6. Failure to make the Hepatitis B vaccination available under the BBP standard
  7. Failure to prepare exposure determinations 
  8. Failure to use personal protective equipment 
  9. Failure to provide post-exposure Hepatitis B vaccination under the BBP standard
  10. Failure to train employees under the hazard communication standard

10 examples of HIPAA violations

  1. Failure to promptly release information to patients who request it.
  2. Improper disposal of patient records. Paper records must be rendered unreadable (for example, shredded) before disposal.
  3. Missing patient signature. An authorization form without the patient's signature is invalid.
  4. Releasing the wrong patient's information.
  5. Discussing patients with friends or relatives.
  6. Discussing protected health information in public areas.
  7. Discussing protected health information over the phone in public areas.
  8. Leaving a workstation that holds protected health information logged in and unattended.
  9. Sending protected health information in unencrypted email over the Internet.
  10. Releasing information about minors without the consent of a parent or guardian.

Medical and dental practices that recognize and value the importance of training employees on HIPAA and OSHA laws and procedures are less likely to have reported complaints, receive a citation, or fail an audit. Both HIPAA and OSHA training are crucial to ensuring safe and healthful working conditions for employees and patients and to protecting patients' protected health information.