HIPAA and Privacy Act Training

When a federal agency provides healthcare services, there may be situations in which workers must complete both HIPAA and Privacy Act training. Furthermore, as a growing number of states enact their own privacy regulations, there may likewise be instances in which workers of state agencies require HIPAA and Privacy Act training.

The Privacy Act of 1974 governs the collection, use, storage, and sharing of personally identifiable information (PII) held by federal government agencies. The Act gives U.S. citizens the right to request a copy of any data held about them and to request that any errors be corrected; federal agencies may only collect information “relevant and necessary” to accomplish the purpose for which it is being gathered; and the sharing of data between agencies is restricted and permitted only under particular conditions.

People familiar with the Health Insurance Portability and Accountability Act will find these privacy terms familiar, since they closely resemble Patients' Rights under HIPAA, the Minimum Necessary Standard, and Business Associate Agreements. Certainly, there are many similarities between HIPAA and the Privacy Act. Nevertheless, in spite of the commonalities, separate HIPAA and Privacy Act training is mandated by law in situations where both Acts apply.

The Regulations Governing Privacy Act and HIPAA Privacy Training

Privacy Act training is required under Part 24 of the Federal Acquisition Regulation. Subpart 24.3 says training should be provided initially and annually for any of the following personnel:

  • those who collect, create, use, process, store, or dispose of personally identifiable information (PII);
  • those who have access to systems on which personally identifiable information is maintained;
  • those who “design, develop, maintain, or operate” a system that collects, creates, uses, processes, stores, or disposes of PII.

HIPAA privacy training is covered by the Administrative Requirements of the HIPAA Privacy Rule. According to 45 CFR § 164.530, a HIPAA Covered Entity must train all members of its workforce on the policies and procedures intended to prevent the unauthorized disclosure of Protected Health Information (PHI) when they join the Covered Entity's workforce, when there is a material change to the policies and procedures, and whenever a need for refresher training is identified in a risk analysis.

The circumstances in which both Acts apply arise when a government agency delivers healthcare services to its staff members, contractors, or civilians. Examples of institutions subject to both Acts are NASA, the Defense Department, and the General Services Administration. However, while Privacy Act training is required only for workers with access to PII, all members of a Covered Entity's workforce must undertake HIPAA privacy training.

HIPAA Privacy and Security Training

The HIPAA Security Rule additionally requires Covered Entities, and Business Associates that provide a service for a Covered Entity, to implement a security awareness and training program. As the healthcare sector becomes increasingly digitized, HIPAA privacy and security training is usually delivered together. This is more sensible than holding separate HIPAA privacy and security training sessions for workers who access PHI through EHRs.

The content of the security awareness and training program will relate directly to the material of Privacy Act training, inasmuch as electronic records containing personally identifiable information are governed by physical, technical, and administrative safeguards much like those in the HIPAA Security Rule. Indeed, the language of the Privacy Act concerning the encryption of information, automatic log-off, and the disposal of electronic media is strikingly similar to the language of HIPAA.

State Privacy Acts and HIPAA Privacy Rule Training

Since the Privacy Act applies only to federal agencies, several states are enacting their own privacy laws that cover state and local government agencies and, in a number of cases, private companies. As a result, staff of public health departments, state-run correctional facilities, and public school systems currently covered by HIPAA may likewise need to complete state privacy act and HIPAA Privacy Rule training, where such training is mandated by the state's regulation.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA