A Well-Trained Workforce Can Mitigate Risks and Vulnerabilities

With the recent media emphasis on external threat sources such as phishing, ransomware, and other web-borne malware, it is easy to forget that many, if not most, data breaches and security incidents are rooted in simple human negligence – or ignorance. Whether it’s clicking a bad link, failing to secure a laptop, or misdirecting a fax or email, unintended acts can have enormous consequences for individuals, covered entities, and business associates alike. In a 2015 survey by the Ponemon Institute, health care organizations listed “employee negligence” as their most troubling security threat, and a full 95% of organizations surveyed had experienced a security incident involving a lost or stolen device. Patient privacy can suffer, as well, if well-meaning but uninformed workforce members impermissibly use or disclose protected health information (PHI), do not allow individuals to adequately exercise their rights under the Privacy Rule, or do not provide individuals with timely notifications of breaches, as required by the Breach Notification Rule.
While it is impossible to eliminate all risks to PHI and each of the organization’s vulnerabilities, a well-trained workforce goes a long way toward helping CEs and BAs manage risks and vulnerabilities to an acceptable level. The Privacy Rule, Security Rule, and Breach Notification Rule each contain standards and implementation specifications related to workforce training:
  1. Privacy Rule: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by [the Privacy Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The CE must provide this training within a “reasonable time” of onboarding, and must re-train within a “reasonable time” of a material change to policies or procedures that affect a workforce member’s functions. The CE must document this training as the Privacy Rule requires.
  2. Security Rule: “A covered entity or business associate must … [i]mplement a security awareness and training program for all members of its workforce (including management).” This includes implementing (a) periodic security updates; (b) policies and procedures for guarding against, detecting, and reporting malicious software; (c) procedures for monitoring log-in attempts and reporting discrepancies; and (d) procedures for creating, changing, and safeguarding passwords.
  3. Breach Notification Rule: The Breach Notification Rule incorporates many of the Privacy Rule’s administrative requirements by reference, including those regarding workforce training. A covered entity, therefore, must train workforce members on its policies and procedures related to complying with the Breach Notification Rule and document workforce members’ receipt of such training.
While the Privacy, Security, and Breach Notification Rules tell CEs and BAs what they must do (i.e., train), they do not tell regulated entities how to do it. Rather, the HIPAA Rules are flexible and scalable to accommodate CEs and BAs of all types and sizes. Like almost every aspect of the HIPAA Rules, there is no “one size fits all” way to comply. However, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) offers suggestions for compliance with the Security Rule training requirement that translate effectively to the Privacy Rule and Breach Notification Rule, as well:
STEP 1: Conduct a Training Needs Assessment

(A) Determine your organization’s training needs, and
(B) Interview and involve key personnel in assessing needs.

Ask yourself: 
  • What awareness, training, and education programs are needed? Which are required?
  • What are our current efforts in this space, and how well are they working?
  • What gaps exist, and what more do we need to do?
  • How will we prioritize content and audience?
STEP 2: Develop and Approve a Training Strategy and Plan

(A) Address the specific Privacy Rule, Security Rule, and Breach Notification Rule policies and procedures that require awareness and training; and
(B) Outline your program’s scope, goals, target audience, learning objectives, deployment methods, evaluation and measurement techniques, and frequency.

Ask yourself:
  • What procedure will we implement to track training, and ensure that everyone who needs training receives it?
  • What training is needed to address specific topics based on job responsibility?
  • When should training be scheduled?
  • How will we ensure that non-employees (trainees, contractors, interns) are trained?
STEP 3: Security Rule: Protection for Malicious Software, Log-in Monitoring, and Password Management

(A) As reasonable and appropriate, train workforce members on procedures for (1) guarding against, detecting, and reporting malicious software; and (2) monitoring log-in attempts and reporting discrepancies; and (3) creating, changing, and safeguarding passwords; and
(B) Incorporate information about roles and responsibilities into training and awareness methods.

Ask yourself:
  • Do workforce members understand the importance of timely application of system patches to protect against malware and exploitation of vulnerabilities?
  • Are workforce members aware that log-in attempts may be monitored?
  • Do workforce members that monitor log-in attempts know to whom to report discrepancies?
  • Do workforce members understand their roles and responsibilities in selecting a password of appropriate strength, changing their password as required, and safeguarding their password?
STEP 4: Develop Appropriate Awareness and Training Content, Materials, and Methods

(A) Select topics for inclusion in training materials;
(B) As reasonable and appropriate, incorporate new information from trusted outside sources (e.g., online IT security websites; email news alerts); and
(C) As reasonable and appropriate, use a variety of media and avenues based on workforce size, location, job responsibilities, etc.

Ask yourself:
  • Do workforce members have access to your Privacy Rule, Security Rule, and Breach Notification Rule policies and procedures?
  • Do workforce members know whom to contact, and how to handle, a privacy or security incident?
  • Do workforce members understand the consequences of noncompliance with your policies and procedures?
  • Do workforce members who travel with PHI know how to handle portable media, physical security, and other information security?
  • Have you researched available training resources? Who will deliver the training?
  • What is your training budget?
STEP 5: Implement Training

(A) Schedule and conduct training outlined in your strategy and plan;
(B) Implement reasonable techniques to disseminate privacy and security messages throughout the organization: newsletters, screen savers, videos, email blasts, staff meetings, and computer-based training.

Ask yourself:
  • Have all workforce members received adequate training to fulfill their job functions?
  • Are sanctions consistently applied for failure to complete required training?
STEP 6: Implement Reminders

(A) Provide periodic privacy, security, and breach notification updates and reminders to workforce members and business associates.

Ask yourself:
  • What methods are available, or already in use, to make or keep workforce members and business associates aware of privacy and security (e.g., posters, booklets)?
  • Do you perform all-workforce refresher training at least annually?
  • Do you reinforce privacy and security topics during staff meetings?
STEP 7: Monitor and Evaluate Training Plan

(A) Keep your privacy, security, and breach notification training programs current;
(B) Re-train on material changes to policies and procedures, as well as the organization’s threat and vulnerability environment;
(C) Monitor training program implementation to ensure all employees participate; and
(D) Implement corrective action when problems arise.

Ask yourself:
  • Do you monitor and document workforce training and professional development programs?
  • How are new workforce members trained?
  • How are new business associates trained?
Thoroughly training your workforce on your HIPAA policies and procedures is necessary to not only satisfy regulatory requirements, but also reduce the occurrence of security incidents, breaches, and consumer complaints. Investing in a robust and meaningful HIPAA training program will go a long way to ensuring that your organization creates a culture of compliance.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.