One of the most important tasks any healthcare organization has is maintaining HIPAA compliance and the inadvertent disclosure of protected health information (PHI). Some estimates suggest that nearly 94% of healthcare organizations have had at least one breach in the last two years, and most of these were preventable. The single best way to prevent a breach is by building staff awareness of healthcare security. At a minimum, staff members have to understand the importance of creating strong passwords and being careful about opening email attachments. But they also have to have a basic understanding of why they are the main firewall that can prevent compromising sensitive healthcare data.
It’s not enough to make sure that staff members know what HIPAA is and why patient privacy monitoring is so important. They also have to be equipped with tools that help them understand what they can do to maintain security on a daily basis. These five steps can help a healthcare organization ensure that they are regularly building staff awareness of healthcare security.
Train Staff Early and Often
Establish a training model that all new hires are required to complete, and retrain staff at least once a year on proper security protocols. Without regular reminders about the importance of healthcare security and HIPAA compliance, it’s easy for staff members to lapse into careless behavior. To prevent this, make sure staff members are required to attend training on a regular basis. This should include all staff, regardless of their level of experience or seniority.
Make Training Materials Engaging
We have all been in the middle of a long training module that doesn’t particularly hold our attention. It’s easy to lose focus and simply click through information pages to get to the final quiz as quickly as possible. To keep this from happening, make sure your training modules use a variety of different approaches. Staff training should be engaging. Instead of presenting long, text-heavy training modules, break information up into smaller units that users have to interact with in order to advance.
Routinely Remind Staff About Security
In addition to periodic formal training sessions, provide staff with daily reminders about the importance of security compliance. Staff newsletters and meetings should include details about security breaches in other institutions. Visual aids about proper document disposal and IT security compliance should be posted around the office. Email and computer login information should be updated every four to six weeks.
Establish and Enforce Strict Security Protocols
Preventable breaches that include PHI often occur because of simple carelessness: a misplaced laptop, a lost USB drive, or paper files not discarded correctly. To prevent this, establish strict security protocols around any and all PHI, and make sure staff members are aware of them. Protocols are useless without enforcement, however. Make sure progressively serious consequences exist for staff members who do not follow security protocols.
Develop Procedures for Managing Security Breaches
In spite of your best efforts to prevent them, there is always a possibility that a staff-involved breach may still occur. The best thing, in that case, is to make sure your practice has a management plan already in place to deal with it. Before a breach occurs, establish an incident response team in charge of managing it. Establish a workflow for notifying third parties including HIPAA-protected entities, law enforcement, business associates, and patients.