Top 10 tips for avoiding a costly security breach

By Rene Letourneau

Given the significant financial and reputational costs that result from security breaches, healthcare providers must understand the importance of expanding and enhancing employee data security training before a breach event occurs, said Brian Lapidus, COO of the Fraud Solutions division of Kroll, a New York City-based risk mitigation company.

“Strong data security policies and procedures are only as effective as the employees who implement them. For that reason, it is critical that companies train their employees to be privacy advocates for the organization,” said Lapidus. “The best training programs show employees how to take an active and personal role in the data security of your organization, while demonstrating what’s at stake, from an organizational and regulatory standpoint, when a security gap occurs.”

Here are Lapidus’ top 10 tips for securing what is arguably the most sensitive data your organization possesses – medical records:
 
1. Make sure all employees are trained. HIPAA and HITECH both set forth requirements for training all new and current workforce members, including contract workers, temporary workers and volunteers. It’s smart business, and it’s also the law.
 
2. Plan your data security employee training in lockstep with overall employee education. Incorporating data security training into your company’s overall employee education program is vital to its proper documentation and implementation. Making data security training part of your official employee education program also ensures that courses get evaluated and refreshed periodically, and that program effectiveness is monitored regularly.
 
3. Use roles-based training. Everyone needs training, but not everyone needs the same program. Training should be tailored and weighted according to the volume and sensitivity of the protected health information and personally identifiable information to which each individual has access. The best practice is to develop a basic training program for all employees with tailored elements for different employee tiers and categories.

4. Don’t make data security training a one-off. It is critical that organizations make data security training an ongoing activity. HIPAA and HITECH have provisions for initial training of new and current employees, as well as incorporating ongoing training in instances where policies or procedures may have changed or for the dissemination of new information.

5. Verify and document all training to maintain compliance. HIPAA requires a covered entity to be able to verify training through specific documentation requirements. These records need to be retained for a period of six years.
 
6. Pay special attention to business associate training. It’s likely that you won’t be providing training directly to your business associate (BA) employees; however, it will be the covered entity’s responsibility to include this in the BAA (Business Associate Agreement) as part of your requirements for doing business. Further, it’s your responsibility to make sure the BA’s training plan meets your requirements and provides proper documentation.
 
7. Build job-specific scenario exercises into training. Beyond the minimum requirements of HIPAA privacy and security rules, covered organizations should take into consideration job-specific scenarios that employees are most likely to encounter. Make sure that the roles-based training addressed in tip 3 (above) includes exercises that challenge employees to think about how they might handle situations likely to arise in their current roles.
 
8. Don’t forget breach detection and escalation. For covered entities, the 60-day stopwatch starts when the organization knew or “reasonably should have known” that a breach occurred. It’s important to train employees to recognize a potential breach and escalate information to key administrators who are designated first responders.
 
9. Include data security wisdom in all your employee communications channels. To keep privacy and security top of mind, engage in ongoing communication with employees via newsletters, emails, login reminders, notices posted in conspicuous areas or other internal channels.
 
10. Create a cultural shift within the organization. To be truly effective, training and education should be part of the culture rather than just the “required” act of signing an agreement. Organizations must demonstrate a top-down commitment to understanding privacy and security requirements and to keeping data safe.