Does your practice conduct annual compliance training or refreshers? Do you know what training is required versus nice to have? No worries – the College has you covered. Read on for all you need to know about required federal compliance programs and what you need to do.
Whether you focus on compliance at a specific time each year, or throughout the year at various touchpoints, do make sure compliance training is done regularly. “Annual compliance training is essential to maintaining the highest standards of patient care and professional integrity,” said Jean Owen, MBA, vice-chair of the Practice Management Committee. “By ensuring our entire team is up to date on compliance requirements each year, we strengthen our culture of accountability and safeguard both our patients and our practice.”
Must-have annual training and reminders
- HIPAA privacy & breach basics (all workforce)
The Guide to Privacy and Security of Electronic Health Information from HealthIT.gov provides a beginner’s overview of what the HIPAA Rules require, and the page has links to security training games, risk assessment tools, and other aids.
- HIPAA security awareness & cyber hygiene (all workforce)
HHS created new resources in 2023 to help health care organizations manage cybersecurity risks. This includes free online education for staff and providers to improve cybersecurity awareness. HHS has other cybersecurity resources for small to large health care organizations as well as providers and IT professionals. The AMA also has a CME video training series, “Cybersecurity for the Clinician,” which uses easy, non-technical language to educate physicians about cyberattacks.
- Section 1557 civil rights and language access (for relevant staff)
In 2024, the HHS Office for Civil Rights issued a final rule implementing Section 1557 of the Affordable Care Act, which prohibits discrimination based on race, color, national origin, sex, age, and disability in certain health programs and activities. Physicians and other qualified health care professionals who receive Medicaid and Medicare Part B payments must comply. Train employees within 30 days of implementing policies; train new staff at hire and all staff upon material policy changes.
- OSHA bloodborne pathogens (BBP) (for exposed staff)
Annual BBP training is required for workers with occupational exposure; keep your exposure control plan updated.
- OSHA hazard communication (chemical hazards)
Train at initial assignment and when new hazards are introduced; provide a refresher annually. Access the OSHA fact sheet on effective hazard communication programs.
- Emergency action plan and fire safety (all workforce)
The College article “Is your practice prepared for emergencies?” has emergency planning advice for allergy practices. The United States government’s website ready.gov/business also has resources to help your practice prepare for a variety of hazards, including natural hazards, health hazards, human-caused hazards and technology-related hazards.
- Medicare fraud, waste & abuse (FWA) (required for Part C and Part D providers)
If you contract with MA or Part D plans, complete FWA and general compliance training within 90 days of hire and at least annually. CMS provides materials at CMS MLN or via modules.
- No Surprises Act (front office and revenue cycle)
Review staff workflows for required notices and Good Faith Estimates (GFEs) for uninsured/self-pay patients. Read the Advocacy Council’s Guide to Understanding the No Surprises Act and the CMS GFE template.
The College’s Risk and Compliance Toolkit has additional info on all these programs, as well as tips on safety culture, insurance and informed consent. Another great source of information is OIG’s General Compliance Program Guidance, which underscores training, communication, auditing, and response as core elements of an effective program.