Data security is a serious concern in the healthcare industry, where a data breach can result in financial loss for a hospital and, more importantly, serious damage to its reputation. And, as noted by senior contributing editor David Raths in his article on HIPAA audits in the August issue of Healthcare Informatics, proposed rules aimed at strengthening privacy and security point to a more proactive approach by the HHS Office for Civil Rights in attempting to prevent breaches of patient data—and more frequent audits of hospitals.
One thing that hospitals can do to avoid the monetary and reputational costs of a data breach is to make sure that hospital employees receive the proper training. Brian Lapidus, chief operating officer of the Nashville, Tenn.-based Fraud Solutions division of Kroll, offers his top 10 tips for implementing a successful data security training program, which I’ve posted here. They are worth considering.
1. Make sure ALL employees are trained. HIPAA and HITECH both set forth requirements for training all new and current workforce members. This includes contract workers, temporary workers, volunteers—basically, anyone who has access to PHI. Not only is it just smart business, it’s also the law!
2. Plan your data security employee training in lockstep with overall employee education at your organization. We recognize that employee education covers a variety of different topics and data security is just one of them. For that reason, incorporating data security training into your company’s overall employee education program is vital to its proper documentation and implementation. If training is scheduled too close to other educational programs, employees might suffer from training overload and not get the maximum benefits of the session. If training isn’t promoted in a way consistent with other educational programs, employees might ignore it altogether. Making data security training part of your official employee education program also ensures that courses get evaluated and refreshed periodically, and that the effectiveness of the program is regularly monitored.
3. Utilize roles-based training. Everyone needs training, but not everyone needs the same program. Training should be tailored and weighted per the volume and sensitivity of the PHI and PII to which each individual has access. This can be determined through evaluation of job description and job function, access logs, and other records of data usage. For instance, receptionists who have limited access to sensitive data might only require basic training, whereas nurses or financial services representatives who regularly come into contact with medical records and financial data would require additional levels. The best practice is to develop a basic training program for all employees with tailored elements for different employee tiers/categories.
4. Don’t make data security training a one-off. It is critical that organizations make data security training an ongoing activity. HIPAA and HITECH have provisions for initial training of new and current employees, as well as incorporating ongoing or “refresher” training in instances where policies or procedures may have changed, or new information needs to be conveyed. Most organizations require only annual training, although some types of training can be performed on an ad-hoc basis when new threats are identified and employees need information immediately, or in the wake of immediate policy and procedure changes.
5. Verify and document all training to maintain compliance. HIPAA requires a covered entity to be able to verify training through specific documentation requirements. Generally, this is done through a certification form, but it could also be accomplished through sign-in sheets for in-person training or audit logs for online programs, among other methods. All of these records will need to be retained for a period of six years.
6. Pay special attention to Business Associate training. It’s likely that you won’t be providing training directly to your Business Associate’s (BA) employees; however, it will be the Covered Entity’s responsibility to include this in the BAA (business associate agreement) as part of your requirements for doing business. Further, it’s your responsibility to make sure the BA’s training plan meets your requirements. BAs will also have to provide proper documentation according to HIPAA standards.
7. Build job-specific scenario exercises into training. Beyond the minimum requirements of the HIPAA privacy and security rules, covered organizations should take into consideration the job-specific scenarios that employees are most likely to encounter. For instance, front desk employees who deal directly with patients will have different experiences from the administrative assistant handling BA contracts or the researcher working with aggregated data. Make sure that the roles-based training addressed in No. 3 includes exercises that challenge employees to think about how they would handle a given situation likely to arise in their current roles.
8. Don’t forget breach detection and escalation. For covered entities, the 60-day stopwatch starts when the organization knew or “reasonably should have known” that a breach occurred. So it’s important to train employees to recognize a potential breach and escalate the information to the key administrators who are designated as first responders.