There was a time when risk managers and regulators were just happy to see that hospital staff had been trained in Health Insurance Portability and Accountability Act (HIPAA) compliance, and they assumed that what worked for one facility would be fine for the next. That’s not the case anymore.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has indicated that it now expects healthcare providers to use HIPAA training that is tailored to the specific needs of the employer rather than an off-the-shelf program, says Edward Buthesium, JD, director of the Berkeley Research Group in Philadelphia. He advises clients on a variety of business, regulatory, operational, intellectual property, litigation, transactional, and compliance matters.

"The typical training that people receive from a canned program you bought somewhere is not adequate, and OCR is not going to accept it as sufficient," Buthesium says. "The main reason for that is those programs do not identify your specific role in the privacy transaction and then train you accordingly."

HIPAA compliance requirements differ according to your role in the transaction, he explains. A generic training program must address all of those players, meaning the hospital staff members must sit through material that does not apply to them, and the material that they most need to hear might not be included at all. That material would drill deeper into the specifics of their own responsibility in the privacy transaction, Buthesium explains. (See the story on p. 116 for more on how to customize your HIPAA compliance program.) "If you’re collecting data and aggregating it for treatment purposes, that is different from aggregating that data for research, and if you’re collecting it with the intent of selling that information in some form, that’s different altogether," he says. "Depending on which one you’re doing, different rules will apply."

The amount of time, effort, and money required to customize your HIPAA program properly will depend on the size of your organization, whether it is mostly one central operation or many facilities in a large region, and how much your training needs to be changed from its current state, Buthesium says. Health systems that have expanded in recent years might be most in need of a thorough analysis and customization program, he says.

"Hospitals grow through acquisition, and every time you take on a new facility, you are taking on that hospital’s HIPAA training program," Buthesium explains. "It’s going to be a good process or a bad process — nothing in between. And it is going to be a different process, better or worse than yours."

Tailoring HIPAA education to your needs does not necessarily mean you cannot use an off-the-shelf product, notes, Jeanne Oronzio Wermuth, assistant vice president with The Graham Co., insurance brokers and consultants in Philadelphia. If you go that route, however, make sure it covers your specific needs or can be modified to do so, she says. Also check that it addresses technological advances such as the use of mobile devices and social media.

"With those potentially problematic platforms, any education program needs to ensure that employees are aware of the risks and how to avoid them," Wermuth says. "That is different from employees just being aware that the hospital has a policy because you required them to read it. The training should be specific in how those policies apply in your facility and how situations might appear that require them knowing how to respond."

One common problem with off-the-shelf programs is that they lack documentation that individuals were trained, notes George W. Bodenger, JD, partner with the law firm of Saul Ewing in Philadelphia. Bodenger often represents hospitals and other organizations in cases regarding HIPAA compliance. HIPAA training must be documented with the date and time, and employees should be required to sign in and out.

"OCR takes that very seriously, because otherwise there is no way to prove that someone has been trained," Bodenger says. "The training also needs to be geared to the type of personnel. There will be very different training for nurses and for housekeepers, and if you’re providing the same stock training to both groups, you’re not serving either one well."

Meeting the bare minimum for HIPAA training never was OCR’s intent, Buthesium says, and it certainly won’t pass muster today.

"They don’t want to see something off the shelf that you are waiting to hand to them when they come to your institution," Bodenger says. "In order to get credit for having a program, you’re going to have to have something far more specific, something that shows you are taking HIPAA seriously."


Edward Buthesium, JD, Berkeley Research Group, Philadelphia. Email:

George W. Bodenger, JD, Partner, Saul Ewing, Philadelphia. Email:

Jeanne Oronzio Wermuth, Assistant Vice President, The Graham Co., Philadelphia. Email: