Has your agency started the implementation of security policies and procedures to meet HIPAA Security Rule requirements? What about other laws for essential security requirements? Have you developed your security training plans? Just what are these requirements? The answer comes right from the final security rule:
164.308 (a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
If you are like most agencies, you aren't in a hurry to start this training. More likely, you are not even thinking about training your staff, and certainly not before the beginning of 2006. After all, the rule does not affect small health plans until April 20, 2006, so why rush it? Waiting, however, may not be the best approach.
Consider that the true goal of security training and awareness is to modify future behavior. The real benefit isn't in the act of training, which makes you "compliant" with the rule, but in the proactive value of protecting the confidentiality, integrity, and availability of your data. You begin to receive that benefit only after you successfully change the thinking of your employees.
Here are four more good reasons why you shouldn't wait to begin the required security training:
Remember that you are already held accountable to the "mini-security" requirement of the Privacy Rule 164.530 (c), which requires the covered entity/business associate to "reasonably safeguard protected health information from any intentional or unintentional use or disclosure..." It's hard to imagine a more "reasonable" security control than proper training of the staff.
Consider that there is no better security measure than a well-trained staff. Alert, cautious staff members can head off many security issues before they arise. A great many more security issues are caused by the actions of untrained staff: installing unauthorized software, disabling virus protection, or sharing passwords can all be major contributors to risk.
You may also wish to consider the value of a well-trained staff from a different angle. A broadly trained workforce can serve as a self-policing one, and will be more likely to identify and correct or report security issues that might otherwise go unnoticed for some time.
Finally, consider that the rule calls for ongoing security awareness training. You know there is real value in repetition and reinforcement. There's no substitute for repeating yourself to make an important point, or for implementing appropriate ways to consistently reinforce your message.
Once you make the critical decision to begin training, you must carefully consider the content that makes up the security training. In addition to security reminders (periodic security updates), the Security Rule lists the following implementation specifications for the training standard. They are "addressable" rather than "required," which means you must either implement each one or document why it is not reasonable and appropriate for your agency and what equivalent measure you take instead; in practice, almost every agency will need to cover all of them:
• Protection from malicious software (Procedures for guarding against, detecting, and reporting malicious software);
• Log-in monitoring (Procedures for monitoring log-in attempts and reporting discrepancies); and
• Password management (Procedures for creating, changing, and safeguarding passwords).
The above issues represent only a subset of topics that must be included in training, not a complete list of security factors. If the point of security training ultimately is to reduce the risk of security breaches and violations, training must be broad enough to cover several other critical issues. Consider the following list as a much more inclusive starting point:
• Security policies
• Audit trail
• Sanctions
• Confidentiality
• Malicious code (viruses, spyware, worms)
• Unattended terminals
• Login monitoring
• Passwords
• Strangers and strange or unusual activity
• Pornographic computer files (a huge source of malicious code and other unfavorable human resources issues)
• Laptops, and physical security of the data on them (for managers and home health staff)
• Wireless devices
• Locks, keys, badges and other physical security elements
• Contingency plan and disaster recovery
• Reporting and responding to incidents
One final thought: You might argue that all of your agency's security policies should be finalized before you start your training. We disagree. You should begin with basic awareness training NOW. Many of your training items are dictated by technology that is already in place, such as password selection. Others, like safe computing practices to avoid malicious code, aren't policy dependent. If you begin sensitizing your staff members now to their security responsibilities, you will have a much better foundation upon which to train them later on your organization's new policies – and achieve longer and stronger retention.
Security and HIPAA are not one-time implementation projects. Security is an on-going responsibility, which needs to be part of the agency culture and business processes. For assistance in developing and implementing your Security Awareness and Training policies and procedures contact Judi Newman at Phaze II Consulting, Inc.
By Judith H. Newman, President of Phaze II Consulting, Inc. Judi has worked on site with over 500 agents across the nation on a variety of consulting projects. Phaze II Consulting, Inc. is the owner and publisher of "HIPAA All-In-One The Agent & Broker Compliance Toolkit" designed to simplify the compliance implementation process. Phaze II Consulting, Inc. is also the owner of the "Master Agency Manager," designed to be the most complete and easy to use agency management resource available today. The "Master Agency Manager" is a must have tool for anyone interested in the insurance agency business.
Phaze II Consulting, Inc. provides consulting services to independent insurance agencies in matters of management issues, operations, planning, valuations and customized projects for individual clients. You can contact Judi Newman at 800-438-7566 or judinewman@aol.com for additional information on HIPAA compliance and the "HIPAA All-In-One The Agent & Broker Compliance Toolkit".
Copyright 2005 by Phaze II Consulting, Inc. Used with permission.
All rights reserved. No part of this article may be reproduced in any form or by electronic or mechanical means without permission from the publisher.