Wes Rhea is the Chief Compliance Officer and Privacy and Security Officer at BioIQ. He provides executive leadership to help BioIQ meet growth challenges through centralization of all privacy and information security.
This article was originally published on the HITRUST Blog.
The majority of healthcare organizations have the ability to protect their sensitive information via technology. Firewalls, intrusion prevention systems, encryption and anti-virus software can be purchased to protect data. These tools are very important to have, especially in the healthcare industry. Once they are in place and configured correctly, they will work. Of course, they cost money.
However, firewalls do not email patient information to the wrong individual; intrusion prevention systems do not leave patient information on a restaurant table; encryption systems do not forget to follow the clean desk policy; and anti-malware software does not share participant information with unauthorized participants.
So, other than having solid technical safeguards in place, what can we do to ensure our employees know how to protect our sensitive information? In the world of hackers, worms, viruses and phishing scams, security awareness starts with some very non-technical and inexpensive methods of communicating your organization’s information security message.
Here are some simple and effective steps to get the word out:
Develop a comprehensive HIPAA privacy and security policy to ensure your organization is following the HIPAA and HITECH Act requirements. Keep the policies as straightforward and simple as possible. After the policies are developed and approved, make sure they are accessible to all employees and contractors. For example, use your company’s intranet to post all policies.
Training is a great way to ensure your employees and contractors understand your HIPAA privacy and security policies. Depending on the size of your company, you may decide to train all new employees and contractors within 30 days, 45 days or 90 days of hiring them. Also, it is recommended that all employees and contractors receive annual training. This will help your workforce stay abreast of any changes and keep compliance fresh in their minds. You can conduct paper-based training or training via a learning management system, either developed internally or provided by a third-party training vendor. It just depends on the size of your company and what makes sense to effectively train your workforce. Make sure you can provide evidence of training for every employee and contractor. Most electronic training systems can automatically store evidence of completion.
Emails are a very effective and inexpensive way to communicate privacy and security awareness messages to your employees and contractors. In my experience, monthly emails seem to be a good frequency. In your emails, you can highlight a policy, discuss a story in the news, recognize an employee, or explain why it is important to protect your company’s sensitive information. This is a great way to show your due diligence in communicating to your employees.
Posters are another great way to spread the message. You can create posters yourself or purchase them from a third party. Have fun with your posters so they will catch your employees’ attention. Also, place your posters in high-traffic areas such as break rooms. Change them out on a regular basis to keep them fresh.
Privacy and security awareness newsletters are another great way to communicate with the whole workforce. Believe it or not, most people enjoy reading them. Quarterly or bi-annual newsletters seem to be a good frequency for distribution. This is another very inexpensive method to communicate awareness to your employees and contractors. Most of the time a Word document or PDF will do just fine. Also, post them to your company’s intranet site.
A few tips for your newsletters:
- Keep your topics short and to the point.
- Engage your reader; try to find topics that are work-related as well as personally helpful.
- Try to make them fun and relevant.
- Find tidbits of interesting information or factoids.
- Include contact information, such as names, titles, phone numbers and emails for your compliance team.
- Encourage employees to reach out to their managers and the compliance team for guidance.
With the recent changes included in the HIPAA Omnibus Rule, it’s critical to have a strong balance of technical and administrative safeguards. Also, make sure to review your business associate agreements and requirements for breach notifications, conduct regular risk assessments, and be aware of the higher penalties for HIPAA non-compliance. The HITRUST CSF is a great framework to use for risk assessments.