Why Security Technologies Are Not Enough: A Compliance Officer Offers Workforce Awareness Tips
The majority of healthcare organizations have the ability to protect their sensitive information via technology. Firewalls, intrusion prevention systems, encryption and anti-virus software can be purchased to protect data. These tools are very important to have, especially in the healthcare industry. Once they are in place and configured correctly, they will work. Of course, they cost money.
However, firewalls do not e-mail patient information to the wrong individual; intrusion prevention systems do not leave patient information on a restaurant table; encryption systems do not forget to follow the clean desk policy; and anti-malware software does not share participant information with unauthorized participants.
So, other than having solid technical safeguards in place, what can we do to ensure our employees know how to protect our sensitive information? In the world of hackers, worms, viruses and phishing scams, security awareness starts with some very non-technical and inexpensive methods of communicating your organization's message.
Here are some simple and effective steps to get the word out:
Policy: Develop a comprehensive HIPAA privacy and security policy to ensure your organization is following the HIPAA and HITECH Act requirements. Keep the policies as straightforward and simple as possible. After the policies are developed and approved, make sure they are accessible to all employees and contractors. For example, use your company's intranet to post all policies.
Training: Training is a great way to ensure your employees and contractors understand your HIPAA privacy and security policies. Depending on the size of your company, you may decide to train all new employees and contractors within 30 days, 45 days or 90 days of hiring them. Also, it is recommended that all employees and contractors receive annual training. This will help your workforce stay abreast of any changes and keep compliance fresh in their minds. You can conduct paper-based training or training via a learning management system developed internally or provided by a third-party training vendor. It just depends on the size of your company and what makes sense to effectively train your workforce. Make sure you can provide evidence of training for every employee and contractor. Most electronic training systems can automatically store evidence of completion.
E-mails: E-mails are a very effective and inexpensive way to communicate privacy and security awareness messages to your employees and contractors. In my experience, monthly e-mails seem to be a good frequency. In your e-mails you can highlight a policy, discuss a story in the news, recognize an employee or explain why it is important to protect your company's sensitive information. This is a great way to show your due diligence in communicating to your employees.
Posters: Posters are another great way to spread the message. You can create posters yourself or purchase them from a third party. Have fun with your posters so they will catch your employees' attention. Also, place your posters in high-traffic areas such as break rooms and bulletin boards. Change them out on a regular basis to keep them fresh.
Newsletters: Privacy and security awareness newsletters are another great way to communicate to the masses. Believe it or not, most people enjoy reading them. Quarterly or bi-annual newsletters seem to be a good frequency for distribution. This is another very inexpensive method to communicate awareness to your employees and contractors. Most of the time a Word document or PDF will do just fine. Also, post them to your company's intranet site.
A few tips for your newsletters:
- Keep your topics short and to the point.
- Engage your reader; try to find topics that are work-related as well as personally helpful.
- Try to make them fun and relevant.
- Find tidbits of interesting information or factoids.
- Include contact information, such as names, titles, phone numbers and e-mails for your compliance team.
- Encourage employees to reach out to their managers and the compliance team for guidance.
With the recent changes included in the HIPAA Omnibus Rule, it's critical to have a strong balance of technical and administrative safeguards. So, also make sure to review your business associate agreements and requirements for breach notifications, conduct regular risk assessments and be aware of the higher penalties for HIPAA non-compliance.
Wes Rhea, CISM, CRISC, CGEIT, PMP, CHP, is the compliance officer and HIPAA privacy and security officer at Alere Health, a provider of health diagnostic and monitoring products and services. Rhea provides executive leadership for information security policies, privacy policies, procedures, privacy laws, regulations, awareness and management of business associates.