EDUCATING STAFF ON PREVENTING HIPAA DATA BREACHES

ABOUT HIPAA

HIPAA data breaches are the most damaging and expensive type of breach. With fines reaching well into the hundreds of thousands, even at times stretching to millions, many corporations who handle this data have rushed to compliance through mandate and procedural oversight.

That being said, no amount of procedural oversight is effective without proper implementation, specifically through a regimented training and educational program designed specifically to brief current employees in the handling of such data. These programs are incredibly vital to the success of any organization but are especially important to those in the healthcare industry.

Today, we’re going to discuss how to implement an educational program to ensure proper training on HIPAA data breaches and general best practices. We’ll highlight some great methods to passively train, as well as discuss the dangers of over-training and how to avoid education fatigue.

Passive Training and Education

The easiest and best method for education in compliance methods for HIPAA is passive training. The idea behind passive training and education is to teach without letting your workforce know they’re being taught.

A good way of doing this is to simply give weekly reviews. Having senior staff shadow younger staff, give advice, and mentor, either unofficially or through official mentor programs, can build not only a sense of camaraderie but a web of understanding and education.

Offering incentives that result in testing are also very effective. Team retreats, half-day team building events, and other such occasions are great examples of time that can passively be spent educating, often without the staff even being aware.

Do note that passive training is not the end all be all – organizations will be required to prove compliance in certain legal situations, and as such, you must have an active accreditation system. That being said, using this secondary active system as an official means to verify training through a passive system is a great hybrid approach, and can lead to huge gains in workforce knowledge and expertise.

Active Training – Workshops and Activities

Passive training is great, but there is often a need for more direct, actionable education programs. In these cases, active training is the key. The idea here is that, unlike passive training, you can’t really obfuscate the training, so you need to do everything you can to make it as painless as possible.

Some programs, such as those in the US Air Force, use accreditation testing as a means to retain employment. While this is effective, it often leads to rote memorization or “learning to keep a job” mentality, in which information is learned and then forgotten the day after the test.

To avoid this, all active training should be spaced out over time and should be integrated into a system that uses milestones. Once a section is completed, test on that knowledge – if the knowledge is proven learned, move on to another section. Later in the course, return to this previous information, and test it again.

Routine testing is important regardless of the topic, but in something as complex as HIPAA and all the data regulation and compliance orders, this is even more true.

Workshops and activities can also make a huge dent here. Setting up group activities, theoretical data destruction or transfer orders, and even mock environments can not only inform you as to the health and education of your workforce in HIPAA compliance but to your processes and their real-world applications.

Shadowing

A great training technique is shadowing, wherein an employee follows an already accredited employee or manager to observe the topic at hand in real-world applications. This is very useful, especially for learners who diverge from the typical learning types (kinesthetic, visual, etc.). This real-world application allows for contextualization of the regulations and processes that you’ve created, and at the same time, allows for testing of the accredited member.

Requiring a report of all topics covered and shown will go a long way to not only documenting your educational steps for the employee doing the shadowing but testing the retention and knowledge of the staff doing the training. This is basically “killing two birds with one stone”, and is for that reason obviously hugely beneficial.

Do note that shadowing here necessarily includes some form of documentation. While this can be active, such as having a third person oversee these instances, having both the trained staff and the training staff fill out post-shadowing forms can help a lot. The important thing here is to remember that documentation will set you free – keep good documentation, and generate this documentation at each step in the training regimen.

TRAINING HIPAA COMPLIANCE – AVOIDING FATIGUE

First and foremost, all HIPAA training should be rooted in a single goal – complying with HIPAA regulations. While this might seem a no-brainer, managers tend to conflate topics with HIPAA, training on a great deal of information, whether or not that information is even relevant. When crafting effective training, the topic should be limited.

A topic should be limited due to the idea of education fatigue. When training and educating staff, there is a tendency to skim or “check out” when an abundance of information is present. This makes it very easy to avoid all the fine details and minutia of a topic, and when it comes to something as complex as HIPAA, that’s a very, very dangerous thing.

To avoid fatigue, you can take a few steps. First, apply passive training as already discussed. When passively training, the staff doesn’t even know that they’re learning, which significantly reduces associated fatigue. Secondly, limit the scope of each piece.

A great example of this would be creating stepped training levels for staff before they are allowed to handle certain data. Requiring certification internally of HIPAA compliance through four ranks, i.e. “Step 1 HIPAA Compliant”, “Step 2 HIPAA Compliant”, etc., allows for gradual education and testing the amount of information retained.

Additionally, test in small increments. Once a particular topic is covered, test this topic, and see if it “sunk in”. Group sessions can definitely help in this regard, as you can test understanding by employing simple discussion techniques and asking general questions, avoiding the “test fear” that is common in such certification programs.

Conclusion

HIPAA compliance is likely going to be the most important thing to assure any healthcare provider. As such, this needs to be treated as seriously as it is. There is no “silver bullet” here, nor is there some “90 days to HIPAA compliance” program – this is going to take serious work and to integrate a system of verification, testing, and accreditation.

That being said, with a little bit of know how, even the most intense educational and training programs can be made passive in many respects. For those respects that can’t, active shadowing and other training solutions can aid in preventing training fatigue, and can multiply results to greater heights.

HIPAA is costly – not complying is more expensive than simply complying. It’s not just economics, though, it’s also morality – protecting the information of your clients and safeguarding their data is not only good business, it’s basic common good sense. Establishing strong training can help build brand awareness through positive word of mouth, making your offerings truly something valuable and attractive.

Clarabyte offers a process based approach to meet all HIPAA requirements for data destruction.  This is done by empowering companies with the highest level of control possible by removing all data from devices before they’re unplugged. An automatic, auditable, serialized report combined with world leading assurance doesn’t just provide an improved process, it provides peace of mind.

ClaraWipe meets or exceeds all major national, international and technical standards.  Because many of these standards overlap with HIPAA, and ClaraWipe allows for custom patterns, you can easily introduce the HIPAA standards into your process.  ClaraWipe also supports a wide range of equally powerful standards, including:

• Sarbanes-Oxley (SOx)

• HIPAA & HITECH

• The Fair and Accurate Transactions Act of 2003 (FACTA)

• US Department of Defense 5220.22-M

• CSEC ITSG-06

• Payment Card Industry Data Security Standard (PCI DSS)

• Personal Information Protection and Electronic Documents Act (PIPEDA)

• EU data protection directive of 1995

• Grann-Leach-Bliley Act (GLBA)

• California Senate Bill 1386

• and others

Adopting ClaraWipe can make incorporation of this standard supremely easy, granting you the power of a great, proven standard, with minimal added complexity to your overall system and the sanitization processes included.