The Expert's View with Rebecca Herold

How to Improve HIPAA Training

Insights on Effective Methods That Can Help Avert Breaches

It's important to pay more attention to HIPAA training. A huge portion of health data breaches occur because staff members lack knowledge, make mistakes or act out of malicious intent. Organizations can effectively mitigate the first two factors, and impact the third, with effective training and ongoing awareness.

Each employee and contractor who has been authorized to have access to patient information literally has the security of that information under their control. Remember these three points:

People are not born knowing how to effectively safeguard information.

Many executives express the flawed opinion that implementing information safeguards is just basic common sense, and so minimal resources need to be dedicated to such education. If this were true, we would have a fraction of the privacy breaches that we see reported (see: Far More Health Breach Victims in 2013). Simply applying common sense is not so common - especially with all the new and increasingly complex technologies being used (some lacking security and privacy controls), the increasing types of mobile devices being used, and the many locations outside of the organization's walls, and outside its network, from which information is accessed.

Most people have a tendency to want to share information and to be helpful by providing information to anyone who asks. Each person who is given access to protected health information must be provided with education about how to protect that information appropriately, and share it appropriately, in all situations in which they have access to it.

Technology alone cannot secure information.

Computer systems and applications must be built with more robust and more transparent security capabilities. But when it comes to effective information security and privacy protection, you cannot create a computer technology so secure that no training is necessary for those using the computers. It's like saying you can build a car so secure that you don't need to teach people how to drive safely. Who wants to be on the road with those folks? And then there are the millions of paper documents that absolutely depend upon staff taking proper precautions.

Last, but not least, many legal requirements exist for information security and privacy awareness and training.

A growing number of laws and regulations, HIPAA included, contain requirements for organizations to provide some type of information security and/or privacy awareness and training to not only their personnel, but also, in some instances, to their customers.

Common Weak Spots

Too many covered entities and most (practically all that I've seen) business associates think training means simply regurgitating verbatim the HIPAA regulatory text to employees, or boiling down HIPAA into a few sketchy, incomplete and non-specific statements. They usually fail to actually explain what the workers must do within their everyday work activities to effectively protect information. The weakest spots I've seen over the years are:

  • No targeted training for the IT staff;
  • No targeted training for those in customer service areas who communicate directly with patients;
  • No training tied to the use of new and emerging technologies, such as social media, cloud computing and big data analytics; and
  • No targeted training for executive management. Too many executives have stated that they don't need training - even though a huge chunk of breaches occur as a result of executives doing things out of security ignorance.

Online Training vs. In-Person Classes

So what is more effective: online training or in-person classes? The answer depends upon the topic of the training, the target audience, the availability of the target audience and the risks associated with the topic.

Organizations must determine the best method of training based upon those four considerations. Remember, one type of training will not be most effective for all audiences, nor for all topics. Here is what I recommend for most:

  • Provide initial training for information security and privacy basics to all employees. This can be done with well-constructed online training modules.
  • Provide additional training of various types to targeted groups - such as customer service reps, nurses and doctors, and IT staff - with specialized education on their particular job responsibilities. Often videos can be effective for these targeted groups of learners. Classroom training is also effective because it allows them to ask questions, practice using role playing and have group discussions about the topics with their peers.
  • Provide ongoing in-person awareness activities as well as awareness message updates using a variety of media. You can't expect training to stick with your personnel forever after training. That's why it's important to provide ongoing reminders to keep information security and privacy tips top-of-mind during their everyday job activities.

By building a multi-layered, varied-delivery and targeted training approach, healthcare organizations can help build a culture of information security and privacy awareness that results in employees safeguarding PHI as a part of their daily job responsibilities.

Information security and privacy specialist Rebecca Herold is a partner at the Compliance Helper and CEO of The Privacy Professor. She is also author of more than 15 books, including, Managing an Information Security and Privacy Awareness and Training Program.

About the Author

Rebecca Herold

The Privacy Professor

Rebecca Herold is President of SIMBUS LLC, a cloud-based privacy and security firm and also CEO of The Privacy Professor, a consultancy. She is also author of 19 books on information security and privacy.