
Online HIPAA Training for Early Stage Employees - ramarkable
Does anyone have a suggestion for a simple, reputable online HIPAA training course for Business Associates? Ideally <$30 a head? I'm looking for an online course that will be required for all future hires, most of whom will be working with de-identified data.

I came across HIPAAtraining.com and Supremus Group's training, but can't quite figure out what's legit. We're too early stage to warrant creating our own program.

Thanks for any ideas anyone may have!
======
paulcole
Here’s the thing with HIPAA consultants and training: it’s mostly bullshit but
people pay for it because they’re afraid. Afraid of what? Who knows.

Remember The Simpsons episode where Homer wants to pay Lisa for her magic rock
because it keeps tigers away — “You don’t see any tigers here, so it must
work, right?” — that’s HIPAA training and consulting in a nutshell.

There’s no point offering HIPAA consulting/training for anything but
exorbitant prices. Get people scared enough and they’ll pay it.

Are you a giant research university or a hospital that’s also a household
name? If not, you’ll never have a problem with HIPAA unless you royally fuck
up or piss someone off who has the time and energy to follow through on a
complaint. Even if you do invest in HIPAA compliance and pay through the nose
to become 100% compliant, ask another HIPAA consultant and they’ll find a
million more problems you need to fix.

~~~
relaunched
This isn't legal advice and I'm not a lawyer.

Your advice is kinda true, but your sentiment is dangerous. With all
regulatory issues, you can get away with them up until you can't. However, the
difference between crippling fines or jail or gross negligence is whether or not
you made reasonable or better attempts to do the right thing. As a company,
you never know when something terrible is going to happen and telling people
not to worry about it is dangerous and irresponsible.

That being said, compliance programs are put together based on best practices
and litigation. The more litigation occurs, the better we understand the
legislation / guidance that is often poorly written / defined. That's why GDPR
/ CCPA consultants are just best guessing - but, it always helps to have a
reputable, 3rd party attest to the validity of your methodology - it shows
that you tried hard to do the right thing. 3rd party audits are even better.

Trying to do the right thing is a cost of doing business - it doesn't have to
be prohibitively expensive and it's part of doing business responsibly.

------
DoreenMichele
I've left two comments and deleted them both. For a lot of reasons, I feel
like an idiot for wanting to weigh in here. Those include: no one takes me
seriously, I get no respect, I'm compulsively helpful and it doesn't do a
fucking thing for me because no one takes me seriously or thinks a woman has
any right to make any goddamned money, so sharing what I know on HN absolutely
never constitutes "networking" or "establishing a professional reputation for
myself" or similar. Also, I'm short of sleep, running a fever and -- in case
you can't tell! -- I'm in a really lousy mood.

In addition to my personal crap, I suspect a random question on the internet
is not the best way to address this, never mind that it's HN. You are still
trusting internet strangers to recommend a thing critical to your business
that involves legal compliance.

But I worked at a Fortune 500 insurance giant for over five years. I had
annual training in HIPAA, information security, fraud training and
Gramm-Leach-Bliley (a different federal regulation that you may not be subject
to -- it regulates financial services, like banking, and also applies to
insurance). And, well, you aren't getting any good replies. So here I am for
the third time.

First, you can't ignore HIPAA. It's a legal requirement, fines can potentially
run into the millions and if they decide your handling of privacy is a
criminal offense, you can even go to jail for it. (I imagine "Fuck this noise.
I can't be bothered." would make it a criminal offense. Have fun with that.)

Having said that, my first-hand experience was that large hospitals had good
awareness of HIPAA, but many small medical practices were pretty clueless. If
you are a small fry, you may go unnoticed.

If you intend to be a "start up" and pursue rapid ("exponential") growth,
absolutely do not act like this does not matter. You need to get this right to
grow rapidly in a medical related space.

I no doubt had world class training, what with working at a megacorp. Yet I
routinely bitched to my sons about its shortcomings. I homeschooled them, so
under California law I ran a two student private school for years. I also was
Director of Community Life for The TAG Project and a low level presenter one
year at a conference, probably Beyond IQ.

So I have a background in education and I felt the training sucked. If I ran
the company, the annual training would have been done -- because I believe
it's a requirement of compliance -- but there would have been much more
emphasis on reinforcing best practices and awareness as part of the culture.

Some of my annual training involved an online course of like video and slides
followed by a multiple choice quiz. It's a format aimed at proving compliance.
But it's a lousy format for actually making sure employees know all this and
do the right things consistently.

If I were the bitch in charge, there would be a checklist on the wall with the
most common basic practices and every single shift would start with a huddle
in front of that sign and a minute reminding people of best practices and why
they matter. I would also have a handy reference manual where people could
readily look up the key points covered in the annual training.

I think if you work with medical information daily, you ought to be able to
pass a quiz on this stuff at the drop of a hat because you do it all day every
day, not after your annual refresher course. But I've always had "unreasonable
expectations," like actual competence.

However, much of the world literally insists I'm insane, so you are quite free
to ignore my wacky opinions. Best of luck in getting an actual recommendation
for a course.

(FWIW, I looked at the websites for the two courses you listed and I liked the
demo on HIPAAtraining.com. But I know absolutely nothing about who does this
well. The company I worked for probably did in-house training and it's been
several years since I worked there.)

I will add: if you have people making phone calls, they should get phone
training. I had my job a few years before I got phone training. I absolutely
hated making phone calls. Phone calls are a huge point of vulnerability. It's
excessively easy to blurt out the wrong thing on the phone. Ugh.

~~~
fasteddy760
Bravo! Thanks for sharing.