What is Required?With budget cuts and reorganization a common theme, annual compliance training may come under the knife. Unfortunately, for most, proving the requirements and need for annual training isn't always clear. Here are some excerpts from governmental documents and resources that may be used in justifying the need for not only ANNUAL training but ongoing and engaging training:
U.S. Sentencing Guidelines
The Office of Inspector General - Hospitals
The Office of Inspector General - Nursing Facilities
The Office of Inspector General - Small Group Physician Practices
Deficit Reduction Act
HIPAA Privacy Rule
HIPAA Security Rule
1. U.S. Sentencing Guidelines - §8B2.1.4(A)(B)
(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.
(B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization's employees, and, as appropriate, the organization's agents.
(More at the end of the page)
2. The Office of Inspector General: Compliance Program Guidance for Hospitals
(3) The development and implementation of regular, effective education and training programs for all affected employees;
Hospitals should require personnel to attend specific training on a periodic basis;
Managers of specific departments or groups can assist in identifying areas that require training and in carrying out such training by requiring participation in training programs and disseminating publications that explain in a practical manner specific requirements;
Training instructors may come from outside or inside the organization;
New employees should be targeted for training early in their employment;
A variety of teaching methods, such as interactive training, and training in several different languages, particularly where a hospital has a culturally diverse staff, should be implemented;
Targeted training should be provided to corporate officers, managers and other employees whose actions affect the accuracy of the claims submitted to the Government;
All relevant levels of personnel be made part of various educational and training programs of the hospital;
Employees should be required to have a minimum number of educational hours per year, as appropriate, as part of their employment responsibilities;
The OIG usually requires a minimum of one to three hours annually for basic training in compliance areas. More is required for speciality fields such as billing and coding;
Attendance and participation in training programs be made a condition of continued employment;
The hospital should retain adequate records of its training of employees, including attendance logs and materials distributed at training sessions;
a hospital’s outside contractors, including physician corporations, should be afforded the opportunity to participate in, or develop their own, compliance training and educational programs.
3. The Office of Inspector General: Supplemental Compliance Program Guidance for Nursing Facilities
As regulations change, so too should the training;
More than an initial employee ‘‘orientation’’ training on the nursing facility’s obligations to provide quality health care;
Nursing facilities consider training relating to compliance with their relevant States’ laws.
4. The Office of Inspector General: Compliance Program for Individual and Small Group Physician Practices
Education is an important part of any compliance program;
Ideally, education programs will be tailored to the physician practice’s needs, specialty and size and will include both compliance and specific training;
Training may be accomplished through a variety of means, including
in-person training sessions (i.e., either on site or at outside seminars),
distribution of newsletters, or
even a readily accessible office bulletin board;
Both initial and recurrent training in compliance is advisable, both with respect to the compliance program itself and applicable statutes and regulations;
There is no set formula for determining how often training sessions should occur.
5. Deficit Reduction Act of 2005
An entity shall establish written policies for all employees (including management), and of any contractor or agent of the entity, that include detailed information about the False Claims Act and the other provisions named in section 1902(a)(68)(A). The entity shall include in those written policies detailed information about the entity’s policies and procedures for detecting and preventing waste, fraud, and abuse. The entity shall also include in any employee handbook a specific discussion of the laws described in the written policies, the rights of employees to be protected as whistleblowers and a specific discussion of the entity’s policies and procedures for detecting and preventing fraud, waste, and abuse.
To comply with the requirements outlined in Section 6032 of the DRA, DHS now requires managed care plan contractors and health care providers who earn at least $5 million per federal fiscal year to do the following:
Establish fraud and abuse policies
Review those policies annually
Educate employees and subcontractors on these policies
(Oregon Department of Human Services - Guide to DRA Section 6032 Compliance - June 6, 2008)
6. HIPAA Privacy Rule - 45 CFR 164.530
Section 164.530 of the HIPAA privacy rule states:
(b) 1. Standard: training. A covered entity must train all members of its work force on the policies and procedures with respect to PHI required by this subpart, as necessary and appropriate for the members of the work force to carry out their function within the covered entity.
(b) 2. Implementation specifications: training.
i. A covered entity must provide training that meets the requirements of paragraph (b) (1) of this section, as follows:
To each member of the covered entity's work force by no later than the compliance date for the covered entity
Thereafter, to each new member of the work force within a reasonable period of time after the person joins the covered entity's work force
To each member of the covered entity's work force whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section
ii. A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
....
(j) 1. Standard: documentation. A covered entity must:
i. Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form
ii. If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation
iii. If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation
(j) 2. Implementation specification: retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.
7. HIPAA Security Rule - 45 CFR 164.308(a)(5)(i)
HIPAA's security standard 164.308(a)(5)(i) states:
...Implement a security awareness and training program for all members of its work force (including management).
(ii) Implementation specifications. Implement:
Security reminders
Protection from malicious software
Log in monitoring
Password management
More U.S. Sentencing Guidelines - Chapter 8: Effective Compliance and Ethics Program
Factors to Consider in Meeting Requirements of this Guideline.—
(A) In General.—Each of the requirements set forth in this guideline shall be met by an organization; however, in determining what specific actions are necessary to meet those requirements, factors that shall be considered include:
(i) applicable industry practice or the standards called for by any applicable governmental regulation;
(ii) the size of the organization; and
(iii) similar misconduct.
(B) Applicable Governmental Regulation and Industry Practice.—An organization’s failure to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation weighs against a finding of an effective compliance and ethics program.
(C) The Size of the Organization.—
(i) In General.—The formality and scope of actions that an organization shall take to meet the requirements of this guideline, including the necessary features of the organization’s standards and procedures, depend on the size of the organization.
(ii) Large Organizations.—A large organization generally shall devote more formal operations and greater resources in meeting the requirements of this guideline than shall a small organization. As appropriate, a large organization should encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs.
(iii) Small Organizations.—In meeting the requirements of this guideline, small organizations shall demonstrate the same degree of commitment to ethical conduct and compliance with the law as large organizations. However, a small organization may meet the requirements of this guideline with less formality and fewer resources than would be expected of large organizations. In appropriate circumstances, reliance on existing resources and simple systems can demonstrate a degree of commitment that, for a large organization, would only be demonstrated through more formally planned and implemented systems.
Examples of the informality and use of fewer resources with which a small organization may meet the requirements of this guideline include the following:
(I) the governing authority’s discharge of its responsibility for oversight of the compliance and ethics program by directly managing the organization’s compliance and ethics efforts;
(II) training employees through informal staff meetings, and monitoring through regular "walk-arounds" or continuous observation while managing the organization;
(III) using available personnel, rather than employing separate staff, to carry out the compliance and ethics program; and
(IV) modeling its own compliance and ethics program on existing, well-regarded compliance and ethics programs and best practices of other similar organizations.
(D) Recurrence of Similar Misconduct.—Recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to meet the requirements of this guideline. For purposes of this subparagraph, "similar misconduct" has the meaning given that term in the Commentary to §8A1.2 (Application Instructions - Organizations).