In my last blog I referenced five significant areas in which most organizations are deficient when looking across the board at what should be included in a sound security program and at what is needed to remain in compliance with HIPAA, GLBA, SOX, etc. I addressed the first two areas, policies and procedures and disaster recovery planning, in my last blog. I will address the next of the remaining three (training, risk analysis and audit) – training – in this blog.
Many organizations have implemented training programs that address privacy and security. A fair amount of the training material floating about, though, has not been updated for some time and may contain myths or misinterpretations of HIPAA and related regulations. As a good example, I discovered that the training material for a large county stated it is a HIPAA mandate that, if you are faxing PHI to another entity, you must make sure someone is standing at the receiving fax machine at the time you send the documents. While it is true you need to take the necessary precautions to reasonably ensure the fax does not get into the wrong hands, it is not a HIPAA requirement that someone continuously watch fax machines receiving confidential information (make sure the fax machine you are sending to is in a secure location, that you have entered the correct phone number and that you use a confidential fax cover sheet, and you have in essence addressed the privacy/security concerns).
Also, a number of organizations only provide one-time general training to new employees. This does not address the need to provide at least brief training to contractors, temporaries and volunteers. It does not address the need to provide specialized training for workforce members in certain areas of the organization, such as health record management staff, network administrators, etc. It does not address the HIPAA Security Rule implementation specification regarding security reminders. Finally, training, which is critical to reasonably ensure your workforce remains vigilant and adheres to appropriate policies and procedures, is not a one-time event. Training needs to be conducted for all staff on a regular basis, not just when they first become members of the workforce.
Most security breaches occur from within an organization. People are your biggest security risk. That is why training is so important. It includes not just classroom training, but also training on the specific policies, procedures and practices workforce members are required to follow. You may have a very sound security program, but without following through with the appropriate training, all may be for naught (and don't forget to document that the training occurred).
It is likely that an external auditor (hopefully someone assisting you with compliance and not the OIG) will ask for your training material and information about your training program. This training material and the related policies and procedures need to address regulatory compliance and just plain old sound security practices. You will also likely be asked to provide documentation regarding how often training occurs, who is trained, what specialized training is offered and how often you review your training material for accuracy. It's wise to review your training material at least once a year and to make sure training actually occurs.
In an ideal world, a new workforce member should receive the appropriate training before he or she is allowed access to any PHI. This is not always feasible, but it is unwise to wait months before providing new workforce members the appropriate training. It's also wise to make sure workforce members transferring to another area of the organization receive appropriate training on the security and privacy policies that may be specific to that part of the organization, as well as any specialized training related to their specific position or department. More to come in my "what's missing" series…
Apgar & Associates, LLC
10730 SW 62nd Place
Portland, OR 97219
503.977.9432
Copyright © 2007 Apgar & Associates, LLC. All rights reserved.