Human error is one of the biggest compliance and security threats to any organization—especially organizations in health care. That’s why setting expectations for your staff—and providing continual healthcare compliance training and education opportunities—is so important. And that goes for everyone on your team: front-office staff, clinical staff, billers, administrators, and executives should all receive regular Medicare and HIPAA compliance training and updates. After all, the reputation (and financial solvency) of your practice depends on your entire team’s compliance. Here are five strategies for training your clinic staff on compliance:

1. Build a compliance-focused culture.

As with all endeavours involving people, perfection will be hard to come by. Instead, focus on building compliance into your company culture and creating an employee code of conduct. As Heidi Jannenga, PT, DPT, ATC—WebPT’s Founder and Chief Clinical Officer—wrote here, “Having a documented compliance policy in place will go a long way.” That’s because, “even if you mess up here or there, having (1) a written and accessible plan and (2) regular discussions and education sessions with your staff can help foster a compliance-focused culture in your practice.”

With that in mind, the goal of your training program should be to “empower each individual employee to take ownership of the clinic’s compliance—and to hold their teammates accountable.” To accomplish that, you’ll need to be crystal clear about your expectations and the potential consequences for non-compliance. That way, compliance is baked into the foundation of your organization. It becomes a pillar of your culture—one that everyone on your team supports and understands, in terms of both the big picture (how it impacts the clinic, their teammates, and their patients) as well as their individual roles. 

2. Focus on the big picture—not just the task at hand.

As WebPT Chief Compliance Officer Veda Collmer, JD, OTR/L, explained in this post, “the goal of a compliance program is to reduce the risk of healthcare fraud, not to check a box.” Thus, “training and educating your staff about compliance in general—and your clinic’s compliance program in particular—is one way to ensure that your compliance program is a living, breathing thing that doesn’t exist solely on paper.” Now, how you go about implementing that training is up to you—and will depend on your practice and team preferences. Here are three possibilities adapted from Collmer’s post:

  1. Tap your compliance officer to schedule regular all-team training sessions over lunch (bonus points for providing that lunch). And if you haven’t already identified your compliance officer, that’s a good place to start.
  2. Create an online training program for your staff to complete at their convenience (before whatever deadline you set). 
  3. Provide your employees with copies of your compliance policies and procedures and request written acknowledgement that they read them, understand them, and are willing to adhere to them. 

If you go the second or third route, you may also want to offer a town hall-style follow-up meeting where staff have the opportunity to ask questions and clarify points in the documents. And according to this resource, you should consider building a train-the-trainer element into your curriculum. After all, the National Training Laboratories found that the average learning retention rate when teaching others is 90%—compared to only 5% when listening to a lecture and 10% when reading. 

3. Use the resources that are available to you.

As Collmer writes, “Training and education does not have to be fancy, exciting, expensive, or time-intensive. It just needs to happen.” With that in mind, you’ll want to use all the resources you have available to you—and that includes the free resources available from the Department of Health and Human Services Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS). According to Collmer, you can also turn to YouTube for “free, high-quality training videos from the [Health Care Compliance Association] HCCA and OIG.” 

Industry associations like the APTA, AOTA, and ASHA are also great sources for regular updates on compliance issues—as is the WebPT Blog. In fact, we recommend subscribing to our blog to stay current on the latest industry news, which you can use as the basis for regular staff training sessions. For example, one session could focus on Medicare supervision guidelines to ensure your therapists are properly overseeing your therapy assistants. Another could be all about what constitutes protected health information (PHI) and your obligations as an organization for proper PHI handling. And yet another could be about ethically maximizing billing through proper use of CPT codes.

(Looking for more specific training topics? Check out slides 13 and 14 in this deck for general subjects and specific ones for “high-risk areas and specialized personnel,” including the “code of conduct,” “non-retaliation policy,” “anti-kick back laws,” “conflicts of interest,” and defensible documentation.)

4. Identify potential weaknesses—and strengthen them.

Quite a few companies have made headlines as a result of data breaches, hacks, and other compliance missteps—many of which have been the near-direct result of human error. As Jan Elezian explains here, in 2018, Anthem agreed to pay a $115 million settlement after a phishing scam led to a breach of personal information that impacted 79 million people. According to Elezian, “Phishing is one of the top data breach causes; thus, it’s a prime training focus.” While this is more of a tactical strategy than some of the others in this list, it’s worth highlighting—because of the sheer cost a phishing scam can incur for an organization and how easy it can be for an untrained staff member to accidentally take the bait. 

To address that, Elezian shares the below “common characteristics of phishing scams, adapted from this blog post by Wendy Zamora, the editor-in-chief at Malwarebytes Lab”—and we think this would make a perfect topic for your next compliance training session: 

  • “Emails, text messages, or voicemails asking you to update or enter personal information—especially if those messages appear to come from a bank or government organization (e.g., the IRS)
  • “Messages (like those described above) that ask for login credentials
  • “Any difference between the URL shown on the message and the URL that displays when you hover over the link
  • “Messages in which the ‘from’ address is imitating the address of a legitimate business
  • “Different formatting than you’ve seen with previous emails sent by that specific organization (e.g., the logo is pixelated, the buttons are not the right color, or there’s odd spacing in the body of the message)
  • “Obvious spelling/grammatical errors, poor sentence construction, bad word choice, and the general vibe that the message was written by a computer or someone who is not fluent in English
  • “An urgent or desperate tone (e.g., claiming that your account will be closed or has been compromised)
  • “The presence of email attachments from unknown or unexpected sources
  • “Links to unsecured websites (i.e., the URLs do not begin with ‘https’ and/or do not have a lock symbol next to them in the address bar)”
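As an added training aid (example code written for this post, not part of the original article or any WebPT tool), here is a small Python script that checks a constructed sample email against several of the red flags above: a sender domain that borrows a trusted brand name, an urgent tone, a request for credentials, links that are not https, and link text whose URL differs from the real destination. The trusted-domain list and the sample message are assumptions made for the exercise.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the exercise; all domains are placeholders.
SAMPLE_FROM = "Member Services <security@anthem-secure-login.example>"
SAMPLE_SUBJECT = "URGENT: your account will be closed"
SAMPLE_HTML = ('<p>Your account has been compromised. Verify your password now at <a '
               'href="http://anthem-secure-login.example/verify">https://www.anthem.example/login</a>.</p>')

TRUSTED_DOMAINS = {"anthem.example", "irs.gov"}  # assumed list of organizations you deal with
URGENT_PHRASES = ("urgent", "immediately", "will be closed", "has been compromised")
CREDENTIAL_WORDS = ("password", "login", "username", "social security")

class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def phishing_indicators(from_header, subject, html_body):
    """Return the checklist red flags that the message triggers (empty list if none)."""
    flags = []
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    match = re.search(r"@([\w.-]+)", from_header)
    domain = ".".join(match.group(1).lower().split(".")[-2:]) if match else ""
    # Sender domain is not one we trust but contains a trusted brand name.
    if domain not in TRUSTED_DOMAINS and any(t.split(".")[0] in domain for t in TRUSTED_DOMAINS):
        flags.append("sender address imitates a legitimate organization")
    if any(p in text for p in URGENT_PHRASES):
        flags.append("urgent or desperate tone")
    if any(w in text for w in CREDENTIAL_WORDS):
        flags.append("asks for credentials or personal information")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, shown in parser.links:
        if urlparse(href).scheme != "https":
            flags.append(f"link to unsecured site: {href}")
        # The URL shown as link text differs from where the link really goes (what hovering reveals).
        if shown.startswith("http") and urlparse(shown).netloc != urlparse(href).netloc:
            flags.append(f"displayed URL differs from real link: {shown} -> {href}")
    return flags
```

Running `phishing_indicators(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_HTML)` on the constructed message returns five flags; a message from a trusted domain with a plain https link returns none.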

5. Document it all.

According to Collmer, “An effective compliance program is a necessity in any healthcare organization, no matter the size of the company. Why? Because it protects your practice, your livelihood, and your patients.” Per the Federal Sentencing Guidelines, the very first action necessary to develop an effective compliance program is to “implement written policies, procedures, and standards of conduct.” 

Now, when you provide training on those (or other compliance-related topics), you’ll also want to keep written record of the subjects you discussed, the staff who attended, the date of the training, and who led the conversation—as well as any feedback you received. That way, you’ll know who to follow up with if someone wasn’t able to attend, and you’ll have a running log of the topics you covered—and when—so you’ll be able to identify potential gaps in your training program and optimize its effectiveness.


There you have it: five strategies for training your clinic staff on compliance. What compliance training strategies have worked for your clinic? Do you feel like you and your teams have a handle on HIPAA and Medicare rules and regulations? Share where you’re at in your compliance training journey below. We’d love to know.