4 Reasons Why You Should Be Doing Security Awareness Training


There are many, many things that medical practices (and anyone else handling ePHI) have to do in order to maintain 'HIPAA Compliance'. Most of them are, appropriately, aimed at making your data and all patient information safer and more secure. But as much money as we all spend to buy firewalls, pay for security tests and subscribe to network management companies, we tend to overlook some of the easiest ways to help ourselves.

In the HIPAA regulations, 45 CFR 164.308(a)(5) requires you to have a Security Awareness and Training program in place. While this may sound like the training you did when you hired your team or the annual 'HIPAA Training' that you are probably doing, it's not. Security Awareness training happens much more often, and it has to be in place to educate your staff on the threats to ePHI and on the security policies and procedures they are expected to follow. There are 4 key reasons why you should love this idea!

1. It doesn't have to take long!

Security Awareness (SA) Training doesn't have to be formal classroom sessions that take lots of time out of your office day. SA Training can be quick, fun, educational moments or tidbits that help your staff understand security concepts and your security policies. So don't think of this as hours-long classroom sessions. It can be a few minutes each month in smaller groups (or 1 on 1) while standing at the nurses' station or in a break room.

2. An educated staff helps stop breaches

By teaching your staff about security and helping them understand how breaches happen, you are creating a team of people who recognize the situations that get practices into trouble. While being 'Compliant' is part of the goal, the real benefit of SA training is that it helps stop actual ePHI breaches. That matters not just to keep the government off your back, but to limit your liability if patient information gets into the wrong hands.

3. It shows you're serious about security

A continual education process shows your staff that you take security seriously. Many times I've seen staff share passwords or do something else that is just not right and could cause a breach down the road. By putting time, effort and money behind your security training and doing it consistently, you show your staff that you mean what you say and that security procedures are a serious topic.

4. It keeps security in the forefront of your staff's minds

The HIPAA regulations make it clear that they want you to do SA training often: 164.308(a)(5) calls for periodic security reminders, not a single session. This is NOT an annual thing, it's a continual thing, like monthly or every other month. It needs to be often enough that security training is part of your staff's routine.

But however you choose to implement Security Awareness Training, remember to document it! If you're going to do the work, at least get credit for it. Keep a simple record of the date, the topic covered and who attended. If you are ever audited or investigated at some point down the road, you'll be glad you did.

Skysail offers a great solution to help you with your Security Awareness training and documentation. Check it out at HIPAA Tips Security Awareness!