The privacy and security practices required by HIPAA run counter to decades of habit! Paper charts stored in unsecured racks in public hallways, unsecured computer workstations, and open discussion of patient information in public areas have been the norm in many healthcare facilities despite the 1996 and 2003 HIPAA privacy requirements. The additional risks to patient information posed by new technologies also run counter to decades of thought. Caregivers accustomed to thinking of their facility as a relatively safe and self-contained place may not easily internalize the reality that they are under continual attack by cyber thieves. As a result, caregivers are likely to perceive the behavior changes required to safeguard patient information as awkward, inconvenient, or unnecessarily “paranoid.”

Training is a necessary and important first step in making staff aware of the threats to PHI as well as the proper practices for protecting it, but training alone will not produce consistent behavior change. Think of the last time you considered taking the stairs for exercise but opted for the elevator instead! You know taking the stairs is good for you, but the elevator seems faster and more convenient. Your staff faces this same dilemma each time they step away from the medication cart or get interrupted while working in the EHR. To achieve the real behavior change needed to safeguard patients’ PHI – and reduce your risk of a breach(!) – privacy and security need to become integral aspects of your organizational culture, woven into the unwritten rules of “how we do things here” as well as spelled out in readable and usable policies and procedures.

How do you do that? Here are suggestions based in learning theory and culture change theory that will be applicable to most healthcare organizations. You will likely come up with additional ideas unique to your organization.

  1. Reinforce training content.

    HIPAA is a lot of information to take in at one time. In addition, training often takes place away from the actual work environment, and some staff may not make the necessary connections between training and their own day-to-day work. Try these tips for reinforcing the training content.

    • Provide “real world” demonstrations of proper practice on the unit.
    • Add “Locate the HIPAA Policies & Procedures” to the New Employee Orientation Checklist.
    • Make “HIPAA reminders” a recurring feature in existing communication channels – newsletters, email alerts, bulletin board postings, etc.
  2. Watch your language! When talking about HIPAA with your staff, speak in terms of “protecting our patients” rather than “complying with another regulation.”
  3. Make it visible and routine.
    • Make “Information Privacy and Security” a standing agenda item for both Executive Team Meetings and Staff Meetings.
    • Ask your IT folks for data on the number of cyber-breach attempts thwarted by the firewall and share this with staff.
    • Share news articles about breaches and discuss them in staff meetings: How did this breach occur? Could it happen here? What could we do better or differently to protect ourselves?
  4. Make it personal.

    Remind staff that the information they could be protecting is their own! Once cyber thieves gain access to an organization’s information stores, they are as likely to go after personnel records as patient files.
  5. Make it serious.
    • Sanctions for knowingly violating HIPAA requirements – regardless of whether or not a breach occurs – should be applied swiftly and consistently.
    • Remind staff that if a breach investigation reveals that anyone knowingly disregarded privacy and security safeguards, the organization will not be able to protect them from criminal and civil charges levied by the government.
  6. Make it fun.
    • Celebrate successes – post the number of days/weeks/years without an information security incident.
    • Recognize individuals and groups who identify information risks and participate in developing a solution.
    • Perform unannounced spot checks and recognize units/departments that are found to be “100% compliant.”
  7. Continuously improve.
    • Make an annual event of the “CIO’s Information Privacy & Security Update.” Have him/her speak in a town hall meeting or produce a video to distribute to staff by email.
    • Ask staff what barriers they are encountering or what difficulties they are experiencing in trying to comply with the HIPAA requirements. Form a small process improvement team if necessary to address the issues.

We’re all learning about the threats to information privacy and security, and new threats emerge each day as cyber thieves become more creative and technologies continue to evolve.

Information privacy and security will be an organizational priority for the foreseeable future. Protect yourself and your organization by making it an integral part of your organizational culture.