Ensuring Compliance: Key Training for HR Professionals to Mitigate Risks
Explore essential compliance training types, their importance, and how to ensure employee participation to protect your organization from legal risks.
5 Types of Compliance Training HR Should Know
Added on 10/01/2024
Speaker 1: HR Party of One is brought to you by Burning Portal. Employees who aren't trained in compliance can pose an expensive risk to your organization. In June of 2023, curious security guards from Yakima Valley Memorial Hospital violated HIPAA code and accessed the private health information of 419 patients. The information accessed included names, dates of birth, medical record numbers, addresses, patient treatment notes, and insurance information. And it wasn't just a few security guards who were accessing this information using their personal logins. It was 23. Keep watching to find out what happened as a result.

So what is compliance training? And how could Yakima Valley Memorial Hospital have avoided this compliance violation? In this episode of HR Party of One, we'll cover the major kinds of compliance training, what training your organization needs to go through and how often it's required, and how to ensure employee participation in compliance training. Let's get started.

What Is Compliance Training?
Compliance training educates employees about the laws and regulations that apply to their industry. HR professionals tend to be the front lines of defense when it comes to making sure employees at a company are, firstly, treated fairly, secondly, treated legally, and lastly, that they are responsible for keeping the business out of legal danger. But compliance isn't always as easy as it sounds. Remaining compliant with federal and state law as an organization requires a team effort. Compliance training can help you ensure everyone on your team is protecting your organization. HR compliance is defined as a company's approach to regulations that meet and align with internal and external policies. This includes employment law compliance concerning employee notices, labor rules, and safety protections, all of which have specific and detailed requirements. Failure to comply with these requirements often leads to detrimental fines, penalties, and legal actions.

Compliance training can either be general, industry-specific, or job-specific. Some compliance training is mandated by federal law and is very time-sensitive. There are also many state-specific compliance training requirements. Now let's dive into two kinds of compliance training, which include anti-harassment training, DEI training, HIPAA training, workplace safety or OSHA compliance training, and cybersecurity training.

Harassment is considered a form of employment discrimination that can violate three major employment laws: Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act of 1967, and the Americans with Disabilities Act of 1990. Harassment can be defined as any unwelcome behavior that is based on race, color, religion, sex, national origin, age, or disability. Harassment becomes unlawful when it is severe enough to make a work environment hostile or intimidating, and when enduring the harassment becomes a part of the job. One form of workplace violence or harassment is sexual harassment. As of 2024, sexual harassment training is required in California, Connecticut, Delaware, Illinois, Maine, New York, Washington, the U.S. Virgin Islands, and the District of Columbia. The content and frequency of the training are also determined by these states. Even if your state does not mandate sexual harassment training, the EEOC highly recommends sexual harassment training and deems it essential. To learn more about your state's requirements for sexual harassment training, check out the EEOC's website. I'll link it below.

DEI Training
DEI training covers diversity, equity, and inclusion, and often goes hand-in-hand with federal anti-discrimination laws. All members of an organization's workforce need to comply with anti-discrimination laws. Failure to do so can result in penalties up to $100,000. So while DEI compliance training is not federally mandated, employers can require their employees to receive training. When implemented correctly, DEI training in the workplace can promote understanding and appreciation among employees while mitigating stereotypes and biases. DEI training covers topics like unconscious bias, intentional inclusion, accessibility, bystander intervention, racism, and disability awareness.

HIPAA Compliance Training
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law that protects sensitive electronic health information from being disclosed to unauthorized persons. Penalties for HIPAA violations can range from $100 to $1.5 million, depending on the type or frequency of the violation. HIPAA training requirements apply to all employers that are HIPAA-covered entities or business associates. Healthcare providers, health plans, and healthcare clearinghouses who transmit PHI are considered covered entities. A business associate is anyone who creates, receives, maintains, or transmits PHI for a function related by HIPAA or on behalf of a covered entity. This definition of a business associate was expanded by the HIPAA Omnibus Rule. Any person who works in healthcare or has access to PHI must be trained in HIPAA compliance regardless of their role. So while those curious security guards from Yakima were not dealing with PHI regularly, they still needed HIPAA compliance training. If you are a covered entity, each new member of your workforce must receive HIPAA privacy training within a reasonable period of time after they join your organization and when changes in policies or procedures are made. Some states require that training be completed 30 or 90 days from employment, but refresher training is recommended at least annually. Both covered entities and business associates who have access to protected health information, or PHI, must receive security awareness training.

According to the HIPAA Journal, HIPAA security awareness training should include periodic security updates; procedures for guarding against, detecting, and reporting malware; procedures for monitoring login attempts and reporting discrepancies; and procedures for creating, changing, and safeguarding passwords. This implies that security awareness training should be ongoing. HR pros should keep a close watch on the Department of Health and Human Services for new rules and guidelines that may require implementation of additional HIPAA training. The HIPAA Journal has a great HIPAA compliance checklist. I'll link it in the description.

Workplace Safety and OSHA Training
No one should ever have to lose a limb, contract an illness, or die to receive a paycheck. But it's happened. The Occupational Safety and Health Act of 1970, or OSHA, was enacted to ensure safe and healthy working conditions for men and women by standardizing workplace conditions. OSHA compliance training is very industry-specific and typically most detailed for the construction and manufacturing industries. Let's look at a few examples of OSHA-mandated training.

Emergency Action Plans
All employers must have an emergency action plan with an employee alarm system and review this plan with employees. An employer must designate and train employees to assist in a safe and orderly evacuation of other employees.

Powered Platforms, Manlifts, or Vehicles
All employees who operate heavy machinery or equipment must be trained in the safety hazards, emergency plans, machine inspection, and use of machinery needed to accomplish work tasks. These industries must follow very strict guidelines.

Hazardous Waste
All employees working on the same site as hazardous waste substances must be trained in the use of personal protective equipment, work practices that can minimize health risks, and recognition of symptoms and signs that may indicate overexposure to hazards. Workers must receive 24 to 40 hours of safety instruction on hazardous waste depending on their roles. Check out the training requirements in the OSHA standards document for more information on industry-specific compliance training. I'll link it below. Keep in mind that some states provide their own OSHA compliance training rules. Your organization is required to adhere to whichever laws are most stringent.

Cybersecurity Training
Cybersecurity training can help you mitigate the risk of data hacks and breaches at your organization. No business is too secure for a cyberattack. In March of 2017, Google and Facebook confirmed they fell victim to a massive phishing scam. A man posed as a manufacturer and was able to deceive Google and Facebook for nearly two years, 2013 to 2015. All it took were some well-written emails and seemingly official invoices to con $100 million out of two of the most popular domains in the world. Unfortunately, Google and Facebook are not isolated cases. Phishing scams and other cyberattacks have become very common, and they are becoming increasingly difficult to detect. According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error. While it's impossible to completely avoid breach attempts, compliance training can help mitigate costly human error. If your organization accepts credit card payments, you must comply with the Payment Card Industry Data Security Standard, or PCI-DSS, which is designed to reduce credit card fraud. Cybersecurity training should cover how to detect phishing attempts and spot suspicious activity across the web, the importance of using strong and unique passwords, how to report a suspected cyber breach, and the responsibility employees have for company and customer data. Make it a priority to teach your employees about common phishing attacks and how to identify them. You can even make phishing training part of your new hire orientation so employees feel prepared from day one.

You might be thinking, this is a lot to keep up with, and it is. As employment law ebbs and flows with the needs of the workforce, human resource officers must stay up to date on the latest legal changes and requirements in order to administer new training and keep their organization fully compliant. Unfortunately, staying compliant isn't always a predictable process because it depends on one key variable: employee participation. Since each of your employees has their own set of responsibilities, sometimes your priorities aren't their priorities. As a result, administrators constantly find themselves expending significant effort to collect signatures from employees and to track employee participation in notices. That's why I like to use Burning Portal's compliance feature. With Burning Portal, I can digitally manage all compliance paperwork, distribute notices and reminders, collect signatures, consolidate data, and document compliance. Proper documentation ensures that the organization can easily respond to compliance-related inquiries from local, state, and federal authorities. For organizations that employ more than a handful of employees, maintaining all of these records without an HRAS can be a huge administrative burden. Burning Portal's compliance feature helps me protect the organization from liability in case an employee breaks policies.

It's important to keep in mind that compliance training alone will not completely eliminate compliance violations. It takes a holistic effort to mitigate the risk of violation. Auditing and filling gaps in your HR practices can also help your organization minimize lawsuits and regulatory violations. Check out our HR Scorecard for some help identifying these gaps. I'll link it below.

Oh, and that Yakima breach? In June of 2023, the hospital paid $240,000 to settle the breach, and they had to completely enhance their HIPAA training programs and work hard to ensure employees know their limits. They are still being closely monitored by the Office of Civil Rights to ensure compliance with the HIPAA Security Rule. While some workplaces have more compliance risks than others, all employers have a duty to protect their organization by providing the proper compliance training. Remember, your role is as strategic as you make it. That's it for this episode. Subscribe to our channel and ring the bell to get notifications about our newest episodes, which are released every Tuesday and Thursday. As always, thanks for watching.