Furthermore, they must also develop an action plan relating to compliance with each HIPAA rule and develop technical and managerial oversight for sufficient compliance and implementation of action plan components (Stanhope & Lancaster 2004). Under HIPAA requirements, covered healthcare entities must implement a comprehensive implementation action plan that is sufficient to develop new policies and procedures to comply with patient privacy rights; generate business associate agreements that are consistent with HIPAA objectives; institute a secure information infrastructure; use standard claims and codes as required; continually update the safety and security of information systems; provide appropriate training for all employees who may reasonably be anticipated to have access to PHI; and manage Internet privacy and security through the appointment of both a Privacy Officer and a Security Officer (DHHSOCR 2003).

Covered healthcare entities must also maintain procedures for receiving patient complaints arising from HIPAA issues, which must include formal designation of a specific individual to whom patients may submit complaints. Finally, healthcare entities must include compliant procedures in its written privacy practices notice, including advising patients of their right to submit complaints directly to the Health and Human Services (HHS) Secretary.

HIPAA Training Requirements:

In addition to appointing or designating a specific individual to act as a Privacy Official, covered healthcare entities must also provide comprehensive workforce training programs for every individual associated with the entity who may acquire access to PHI in performance of normal workplace duties; for this purpose, the requirement is not limited to paid employees, but includes interns and trainees as well. That training must include transmission of a basic understanding of HIPAA, the entity's...

Additionally, federal law imposes fines up to $25,000 for certain patterns of repeated violations within a single calendar year as well as fines up to $250,000 and/or imprisonment up to 10 years for purposeful misuse of individually identifiable health information (Stanhope & Lancaster 2004).
Generally, employee HIPAA training includes general awareness of privacy rules, principles, and organizational policies designed to ensure the privacy of PHI; more specifically, elements of that training may differ among different employees based on their job description and their degree of access to PHI, as well as on the different types of PHI they can be reasonably be expected to encounter in performance of their vocational duties and responsibilities (Kutkat 2004). REFERENCES

DHHSOCR (2003) Summary of HIPAA Privacy Rule. Retrieved June 22, 2008, at http://www.hhs.gov/ocr/hipaa

Kutkat, L. (2004) the HIPAA Privacy Rule and Research. Retrieved June 22, 2008, from: www.cdc.gov/phin/conference/04conference/05-24-04/Session%201%20F-%20Lora%20Kutkat.pdf

Phoenix Health Systems (2006) HIPAA Primer. Retrieved June 22, 2008, at http://www.hipaadvisory.com/REGS/HIPAAprimer.htm

Stanhope, M., Lancaster, J. (2004) Community and Public Health Nursing (6th ed.) St. Louis: Mosby.

Thacker, S. (2003) HIPAA Privacy Rule and Public Health: Guidance from the CDC and the U.S. Department of Health and Human Services. Retrieved June 22, 2008, at http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm