How to Refine Privacy, Security TrainingPrivacy Officer Describes a Tailored Approach
"We have everyone from janitors to senior executives ... who have different needs to access systems and have different levels of access to PHI," Eremia says.
MedStar Health formerly used a standard PowerPoint presentation to educate employees. But now it uses a new platform that identifies, by role-specific types, targeted training education. MedStar also uses e-mail for an ongoing awareness campaign.
After annual training, staff members are tested to make sure they are competent in the areas for which they are responsible. Plus, MedStar holds special events to reinforce its privacy and security policies. "For instance, we have on-site awareness events where people will get a pen, cookie or some other reward if they are able to answer a series of questions properly," Eremia says.
In an interview with Howard Anderson [transcript below] following his presentation at a recent health information security conference sponsored by the Department of Health and Human Services' Office for Civil Rights and the National Institute of Standards and Technology, Eremia:
- Offers details on his approach to role-based annual training;
- Describes how MedStar distributes e-mails to build awareness of various topics, like addressing security when transmitting or storing patient information;
- Notes that updating policies and guidelines to keep up with advances in technology is a major challenge. For example, physicians want to use text messaging, and "we really struggle to find cost-effective, optimal solutions that enable us to comply with our HIPAA privacy rule and security rule obligations."
In addition to serving as chief privacy officer, Eremia is vice president and deputy general counsel at MedStar Health. He provides counsel on a wide range of legal, regulatory and compliance matters, including the health information privacy and security requirements under HIPAA. He is an adjunct professor at Georgetown University's School of Nursing and Health Studies, where he teaches a course on the law of healthcare administration.
The attorney previously served as associate counsel at the Civil Recoveries Branch in the Office of Counsel to the Inspector General at the U.S. Department of Health and Human Services.
HOWARD ANDERSON: Why don't you briefly describe MedStar for us?
ALEX EREMIA: MedStar is a large, decentralized health system in the mid-Atlantic states. We have nine hospitals, about 26,000 associates and 3,300 beds.
Root Cause of BreachesANDERSON: You mentioned in your presentation today that it's important to capture meaningful metrics on privacy incidents so you understand root cause, and then you can tailor the training based on that. Can you walk us through how you do that?
EREMIA: Even though we're a decentralized organization, we have a centralized system for capturing privacy incidents as they occur. A local privacy liaison logs in to an Internet site and fills out an online form that captures the different types of privacy and security incidents that occur across the system.
Of course, we first investigate the case and respond. But then we take that data and try to understand what may have been the cause of the incident. We try to break it down into fundamental components and then use that information to tailor our training and education efforts toward areas where we might have deficiencies or ongoing problems.
ANDERSON: So your training then can be altered based on the patterns you're seeing over time?
EREMIA: Sure. One example of something that has occurred was we had a series of incidents where employees were snooping into other employee patient records. We found that there was an ongoing pattern of that, which we think resulted from a misunderstanding, or maybe a lack of focus and training in that area. We were able to tailor some specific training and education materials directly to that type of incident across our systems.
Privacy, Security TrainingANDERSON: You described what you called role-based training. Tell me about that. Do different types of staff members get different types of training?
EREMIA: Yes, as you can imagine when you have 26,000 associates. We have everyone from janitors to senior executives, clinicians, administrators and billing folks who have different needs to access systems and have different levels of access to PHI [protected health information]. Historically, we had basically a PowerPoint presentation. We've moved to a new platform that identifies, by role-specific types, targeted training education. It's more focused for those individual users' needs.
E-Mail for EducationANDERSON: You described the use of frequent e-mails for continuing education over the course of the year. Walk us through how that works and how others might do that.
EREMIA: There is certainly an educational component to the e-mails. I actually think of them more as part of our awareness campaign along the lines of our posters. They are basically one- to two-page PDFs of discrete topics that are a series of FAQs that are focused on particular subject matter, whether it's the transmission of e-PHI or the secured storage of e-PHI, for instance.
Annual Privacy, Security TestingANDERSON: Describe how you test staff after they've been through your education programs.
EREMIA: The testing really comes in at the annual training phase at the end - the targeted role-based training session. We certainly test the employees to make sure that they have competency in the area that they're responsible for. Beyond that, there is not a formal testing mechanism per se, but obviously we do a lot of things through our education and awareness campaign that gives individuals the opportunity to be rewarded if they answer questions properly. For instance, we have on-site awareness events where people will get a pen, cookie or some other reward if they are able to answer a series of questions properly.
Evolving TechnologyANDERSON: You mentioned the difficulty in addressing the issue of technology evolving faster than policy at some point. That's got to be an ongoing challenge for you in your role. How do you go about tackling that?
EREMIA: That is one of the biggest challenges. Technology is evolving faster than we can keep up with our policies and guidelines, and it's something we struggle with. It's something we spend a lot of time with. One of the things that they're finding now, for instance, is that clinicians have a real desire to use text messaging and mobile media, and there are a number of solutions on the market that are web-based that may or may not be secured. But patients are really eager to use them because they think that it's important for patient safety or patient quality of care. We really struggle to find cost-effective, optimal solutions that enable us to comply with our security rule and privacy rule obligations.
ANDERSON: You can come up with all kinds of examples like that as technology continues to evolve.
EREMIA: Absolutely. There are a number of different EMR solutions, health information exchange solutions and patient portal solutions. We're constantly struggling with assessing those technology deployments in trying to comply with our legal obligations.
Building a PlanANDERSON: Any other final advice you'd give to others who are creating or updating a privacy and security program, based on the experience you've had and gone through?
EREMIA: You have to set your goals in advance and see what your current strengths are and what your weaknesses or areas of opportunity are. Then build a plan that is focused on achieving those goals. Whether it's making sure that your employees are more aware of their security and privacy obligations, or they need more emphasis on a technical understanding of the rules, or whether it's a need to reassess and evaluate operational processes, you can be sure that you're baking in as much as you can protections for patient privacy and security.
Whatever your goals and objectives are, set those out in advance and determine what the most cost-effective and efficient way to do it is. That gets your senior leadership and executive support; otherwise it won't be sustainable.