The Question: What about Training? The Answer: What was the Question again?

By: Susan Pretnar, President KeySys Health, LLC

Title: The Question: What about Training? The Answer: What was the Question again?

I recently saw a great poster about two options the healthcare industry might employ to secure data (think PHI). To paraphrase:

Option 1) - Completely remove the human element

Option 2) - Train them

While autonomous healthcare might be in our future, Option 2 is at least a viable solution to building a culture of security and giving yourself a fighting chance against some of the ingenious ways cyber criminals are acquiring protected health information from even trusted employees. HIPAA requires that you train your new hires, and continue training with annual reminders as well as supplemental reminders throughout the year. The takeaway: you are really always training.

This may seem too simplistic an answer, but don’t throw in the towel already. If you don’t have a formal training program that addresses initial training for new hires, plus provides frequent reminders throughout the year, start with the basics. Assure that everyone you hire has been introduced to your policies regarding HIPAA, even if they are ad hoc and not documented. Create a checklist of the critical information they need to understand, especially patient rights. Would your staff know what to do if a patient asked for an ‘accounting of disclosures’? Focusing only on technical solutions leaves a gaping hole in the effort to manage protected health information and secure it.

Every organization needs at least one person who has a rudimentary understanding of its technical architecture, how it is supposed to work, and what it takes to maintain it. Outsourcing the actual implementation is normal, but blindly trusting your outsourced IT vendor to implement whatever you need to be secure is the same as trusting your home contractor to put on a roof without ever looking at the color of proposed shingles or questioning the price. Even technical solutions require that those impacted by those tools be educated about the ‘why and how’ of restrictions that affect them or the practice. ‘Because I told you so’ works somewhat with preschoolers but is rarely effective with adults. If your employees don’t understand that the security features on their mobile devices must be turned on at all times, or if your employees don’t know how to identify phishing emails and telephone scammers, you increase your breach exposure.

Accomplishing greater ‘awareness’ of possible security and privacy threats to the practice increases diligence by everyone in the organization. HHS publishes frequent free email updates that any organization can use for training. You can’t guarantee that every employee will read an email that you forward, but doing nothing is a form of communication that says the privacy and security of patient information is something you are just required to do, not something you are committed to doing.

If you are not already on this listserv, here is the cheapest training tool you’ll ever find: http://www.hhs.gov/hipaa/for-professionals/list-serve/