
Transcript – Episode 412: Staff HIPAA Training in Year 2, and Beyond

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 412: Staff HIPAA Training in Year Two, and Beyond.

 

Liath Dalton 

I have to admit that I did make the special request that Evan say the “beyond” in that particular way.

 

Evan Dumas 

I do requests yeah, it’s true.

 

Liath Dalton 

Yes. Because

 

Liath Dalton 

it brings a smile to my face. And you know, it’s always good to have a smile on your face when you are talking about HIPAA and team training and all those kind of essential pieces that need to be managed in a group practice context.

 

Evan Dumas 

Mhmm, mhmm.

 

Liath Dalton 

So today, we are talking specifically about training for your team members, after they have done whatever comprises your initial year one, whether that be year one as a team member, or year one of your practice having been engaged in the sort of formal and intentional HIPAA compliance process

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

and establishment of your security and risk management programming.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So, Evan, what is a question that we get all the time

 

Evan Dumas 

Haha.

 

Liath Dalton 

and are constantly needing to provide an answer for, and like, situate contextually?

 

Evan Dumas 

Oh, yeah, it’s the general question of, hey, why can’t I assign the exact same course to the exact same person for the second year? It’s time for our annual HIPAA trainings, and they’re gonna do the thing. And our system doesn’t allow you to assign the same course to the same person. And so this is how we segue into telling them about our recommendations for year two trainings.

 

Liath Dalton 

Exactly. Because on the more, you know, sort of principle or philosophical level of things, we want the learning that your team members are doing to be something that is really supportive of them in their role within the practice. And whether that be, you know, specific around HIPAA security, compliance, or being a teletherapy provider, or clinical efficacy, we know that in order for trainings to really be engaging, and to lend themselves to being applied in practice, that what’s most conducive for that is building on a foundation, like, first of all, establishing a strong foundation and then building on it, rather than just repeating the same piece over and over.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Which, you know, of course, there can be benefits to revisiting something or maybe getting a little bit of a refresher on a particular section of something. But for your general training program to consist of just doing the same training year after year, we find that that actually leads to folks kind of groaning and rolling their eyes about HIPAA and HIPAA training even more than they already do.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

And not really engaging with the content as directly or, you know, in as much earnest.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So, that leads us to what our recommendations for year two trainings are. Now of course, as with everything, there’s a, it depends. It depends what you picked for your year one training approach, and there are kind of two primary different flavors of how the group practices that we work with approach that.

 

Liath Dalton 

One is for practices that are really intentionally focused at the outset on the formal compliance process. And so typically, that is going to consist of our clinical staff foundational HIPAA training, which is Privacy Ethics and HIPAA Fundamentals for Mental Health Professionals in the Agency or Group Practice Context. Now, that training is really oriented around giving the conceptual framework of HIPAA, pairing that with the ethics standards, and then translating all of that into the context of client care and how each of those HIPAA requirements or ethical requirements are really related to safeguarding the client’s info and the mechanisms through which we do that.

 

Liath Dalton 

And then for admin staff, there is a parallel but non CE training that is specifically related to the admin’s role and what they need to know about HIPAA, and mental health ethics as a non-clinician, but someone who is tasked with handling client info and upholding those standards and requirements.

 

Liath Dalton 

So those are our sort of foundational, formal compliance trainings. And that is where many practices will start in year one.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

If that’s where you started, then what we would recommend for year two would be that you have them do our very in practice focused trainings, dedicated staff trainings, and those two trainings are the HIPAA Security Awareness: Bring Your Own Device,

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

and HIPAA Security Awareness: Remote Workspaces.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So if you have not yet had folks do that, that is the perfect training to have them do the next year. And we’ll build upon the already established foundation because it’s, again, really looking at the practical application.

 

Liath Dalton 

Now, if you started instead, with the in practice pieces of the device security and remote workspace security training, then year two would be the perfect time to have them do the formal compliance trainings. Now, many practices will actually do all of that in their first year.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And so that leads us to when you’ve done those kind of first two sets of trainings, the formal compliance and the in practice compliance focused ones, what then? Should you recycle those trainings, or come up with something new, or what’s the best way to approach that?

 

Liath Dalton 

And our guidance on that is that, again, it’s really best to build upon your already established foundation, and select a new topical training that is most relevant to the areas of need that you are seeing within your practice, or for those particular clinicians, or admin members of your staff.

 

Liath Dalton 

So one popular option is since we are in the age of teletherapy, is to have your team do our Clinical Staff, HIPAA or, Teletherapy Training, which, even though we’ve been doing teletherapy for a long time, at this point, or it feels like, it’s really beneficial to have a comprehensive and standards based training on all of the standards, that’s oriented to the clinician being clinically effective, and how to optimize their care delivery through that medium.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So that’s a popular option. One that’s not quite as long is our HIPAA Compliance Considerations for Teletherapy from a Home or Mobile Office.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

That’s a very popular year two or beyond training. And then yet another one is a training on rethinking notes and strategies for making documentation simple and meaningful.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

It does bring in HIPAA, but some of the more kind of clinically relevant aspects that we see being a friction point for some, some clinicians, many clinicians, honestly, the majority, these days, especially in a time of burnout, so that’s another great option.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

If those different topical trainings don’t fit in, with an area of specific need, or you’re looking for something short and sweet, and also economical, a recommendation that we have for that year two or beyond training, would be our Security Awareness Grab Bag, which has three mini courses in it, that include, how to deal with social engineering and phishing attacks, and that sort of thing.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

And particularly in our current risk landscape, where those threats are very present and are proliferating, if your team hasn’t had formal training on those pieces, now is a great time to do that.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So you know, I think maybe we should even make little, like, cheat cards with these training recommendations for folks so you can have it at a quick glance.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

But basically, you want to get those core pieces of formal compliance training like conceptual framework, and then the in practice focus pieces. And then beyond that, it’s about selecting what’s most topically relevant, either to the current threat landscape, or to the needs that you’re identifying in your team, and just selecting what’s going to be most supportive of them. And as we said, we think the key to success is having fresh and topical trainings that build on a foundation, rather than repeating the same basic things

 

Evan Dumas 

Over and over.

 

Liath Dalton 

 each year.

 

Evan Dumas 

Yeah. Oh, no, rote is not fun.

 

Liath Dalton 

Yeah, we’re human beings, not sponges, right? We don’t want to just absorb and then be squeezed.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Are there any other pieces that you would share with folks as they’re considering how to manage their year two trainings or beyond, Evan?

 

Evan Dumas 

Yeah, I love the you know, the classic, it depends language of really check in with your team to see what they want to learn. So this is a chance for it to shift from training as compliance and training as professional development. And so if you can find out what the needs of your folks are, you know, our system makes it decently easy to assign different trainings to different folks. So you could be like, if you were tracking saying, oh, yeah, you did this one year two. We’ll try this one oh, and your, your coworker wants a different one, okay, have them do a different one, etcetera.

 

Liath Dalton 

Mhmm.

 

Evan Dumas 

Because if that’s going to help them grow professionally, if that’s going to endear them to you and build trust, then great one person gets some training on notes and other person gets training on telehealth, etc. And also, I love our Security Technical Trainings Grab Bag, because it’s super cheap. So I always recommend that one to folks.

 

Liath Dalton 

Yes.

 

Evan Dumas 

Because it’s, you know, phishing scams are a huge source of risk. And most people say, yeah, yeah, I know what to do. And then I asked them, Okay, what would it look like? And I like? Something I’m cautious about. And, like, Oh, you don’t know. Okay, so you have this belief you are, but let’s, let’s get some training on it.

 

Liath Dalton 

Mhmm.

 

Evan Dumas 

So it can be a great, doable, quick little thing that helps people avoid and stay away from social engineering and phishing scams and things.

 

Liath Dalton 

Exactly. And it is our most economical training, as well, out of our whole course catalog. I shouldn’t say that, that training is not designated as CE.

 

Evan Dumas 

Oh, no, that’s why it’s cheap.

 

Liath Dalton 

That’s part of why it’s cheap. But, you know, for this sort of thing, if you’ve already done the other trainings that we discussed, then your clinicians will have gotten CE from that.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So it is a great option and something that we think every practice should have in place is those security awareness trainings now, so more than ever.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

Just because of the current threat landscape and also what we’re seeing in terms of the cybersecurity performance goals for the healthcare sector,

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

and the focus that Health and Human Services and the Office of Civil Rights, the HIPAA regulators, what they are emphasizing is important now, too.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So that fits in very nicely with that. So hopefully this has been helpful

 

Evan Dumas 

Yeah!

 

Liath Dalton 

and equipping you to make informed decisions about what will be a good fit for your team’s training needs.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

And as always, if you have questions or could use further guidance and support in making those selections, reach out to us.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

Our team is always happy to make specific training recommendations.

 

Evan Dumas 

Totally.

 

Liath Dalton 

If you, you know, give us the context of what it is that you’re after, we can say, Ah, here’s what’s best way to meet that need.

 

Evan Dumas 

Yeah, exactly.

 

Liath Dalton 

All right, folks, we will talk to you next time. In the meantime, take good care.

 

Evan Dumas 

Yeah, see you next time, everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.

Your Hosts

 

 

PCT’s Director, Liath, and Senior Consultant, Evan. 


Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we chat about how to approach staff HIPAA training after the first year.

We discuss why we don’t recommend using the same training year after year (and why our system doesn’t allow it); the trainings we typically recommend for year one and why; the trainings we recommend for year two and after and why; and why now is a particularly good time to get started.

Resources are available for all Group Practice Tech listeners below:

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information


 

Additional PCT Resources:

  • Group Practice Care Premium
  • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours, for leadership

 
