— Wes Rhea, Chief Compliance Officer, BioIQ —
In addition to having solid technical safeguards in place, what can we do to ensure our employees know how to protect our sensitive information? In the world of hackers, worms, viruses and phishing scams, security awareness starts with some very non-technical and inexpensive methods of communicating your organization’s message.
Here are some simple and effective steps to get the word out:
Policy: Develop a comprehensive HIPAA privacy and security policy to ensure your organization is following the HIPAA and HITECH Act requirements. Keep the policies as straightforward and simple as possible. After the policies are developed and approved, make sure they are publicly accessible to all employees and contractors. For example, use your company’s intranet to post all policies.
Training: Training is a great way to ensure your employees and contractors understand your HIPAA privacy and security policies. Depending on the size of your company, you may decide to train all new employees and contractors within 30 days, 45 days, or 90 days of hiring them. Also, it is recommended that all employees and contractors receive annual training. Make sure you can provide evidence of training for every employee and contractor.
E-mail: E-mail messages are an effective and inexpensive way to communicate privacy and security awareness messages to your employees and contractors. In my experience, sending one new message each month is a good frequency.
Posters: Posters are another great way to spread the message. Have fun with your posters so they catch your employees' attention. Also, place your posters in high-traffic areas such as break rooms and bulletin boards. Change them on a regular basis to keep them fresh.
Newsletters: Privacy and security awareness newsletters are another great way to communicate to the masses. Believe it or not, most people enjoy reading them! Quarterly or bi-annual newsletters seem to be a good frequency for distribution.
A few tips for your newsletters:
- Keep your topics short and to the point.
- Try to make them fun and relevant.
- Find tidbits of interesting information or factoids.
- Include contact information, such as names, titles, phone numbers and e-mails for your compliance team.
Urgency: With the recent changes included in the HIPAA Omnibus Rule, it’s critical to have a strong balance of technical and administrative safeguards. As part of these regulations, healthcare organizations must be prepared for potential risk assessments and HIPAA audits for their facility. Make sure your employees are not caught off-guard! Be consistent in your communications about the importance of security.