Training employees is one of the most basic controls that every company should have in place if you handle sensitive data. It is also one of the first thing that your clients and regulators will want to examine if your business is under review. The following checklist spells out the components that we’ve built into custom training for our clients.

1) Why is Privacy Important to your Business?

  • Describe the sensitive data you have (healthcare records, credit card numbers, banking information, email addresses, etc.).
    • Explain that patients / clients are trusting you with this data, you can’t betray their trust.
    • Explain which laws apply to your business:
      • HIPAA – healthcare data
      • PCI – credit card data
      • GLBA – banking data
      • State privacy laws – any sensitive data for people living in states with strong privacy laws
    • For each law that applies to you, briefly describe it and explain the penalties of a breach:
      • Fines (e.g., in HIPAA, fines can reach $1.5 million)
      • Jail time (e.g. in HIPAA, up to 10 years)
      • Loss of customer trust
      • Expensive remediation costs, often in the hundreds of dollars per record breached
    • Provide examples. “We don’t want to be one of these stories.” Search online for a few recent breaches that led to fines, and make sure the examples are relevant to your business.

2) What’s Expected of Employees

  • Review what kinds of sensitive data you have, and where it’s stored. Be specific.
  • Describe your sanctions policy. Explain that employees can face serious penalties for violating security policies ranging from written warnings to termination to criminal charges.
  • If you see something, say something. Specifically describe how someone can report a possible violation, including names and methods. Ideally, also provide an anonymous method.

3) Physical Security Expectations

  • 80% of breaches since 2009 can be attributed to theft or loss – physical security issues.
  • Describe which doors should be locked vs. open during business hours.
  • Train employees to greet anyone they don’t know.
  • Describe your visitor policy: sign-in/sign-out? Badges? Guests accompanies at all times?
  • Describe your employee access policy. Best practice is visible badges, all doors locked unless badged in, and no “tailgating” through locked doors.
  • Remind them about your reporting and escalation policy if they something strange.

4) Documentation Expectations

  • Explain your document retention policy (e.g., default for HIPAA is 10 years)
  • Describe specifically where privacy-related documentation must be stored
  • Explain what privacy-related documentation means in your business. Be specific (e.g., healthcare records, transaction records, transmittal records, etc.).
  • Explain your policy on disposing of sensitive information on paper. Best practice is locked cabinets with a third-party shredding service.
  • Explain your policy on disposing of computer equipment with sensitive information. Best practice is physical destruction or a secure wipe.
  • Describe common locations where sensitive data should never be stored, like shared folders.

5) Computer Expectations

  • Only use work computers for work-related activity.
  • If you notice something odd (slow computer, pop-ups, etc.), describe who they should call.
  • Explain your social media policy if you have one. Be sure to cover both risk of malware and how they represent the company publicly.
  • Describe your policy on sharing credentials. Ideally, it will not be allowed.
  • Describe your policy about accessing sensitive data (who may access it, and under what circumstances).
  • Describe your policy on leaving sensitive data up on your screen, and auto-locking of computers.
  • Describe your policies around:
    • Employee activity monitoring
    • Anti-virus
    • Passwords (length, strength, how often they change)
    • Encryption for sensitive data at rest
    • Use of removable media (USB drives, CD’s, DVD’s)
    • Sending sensitive data via email, FTP, etc.
  • Include training on how to spot phishing messages
  • Describe what steps people should take to secure laptops

6) Risk Management Expectations

  • Staff may be audited throughout the year. They are expected to participate and be honest.
  • Staff may receive periodic privacy and security reminders throughout the year. They are expected to take them seriously.
  • Point staff to your Incident Management procedure, to be followed in the case of a possible security breach.
  • Point staff to your Privacy Violation Compliance procedure, to be followed in the case that a client or patient files a complaint about security or privacy.
  • Point staff to your Investigations procedure, to be followed in the case that law enforcement or a regulatory agency conduct an investigation.

7) Disaster Expectations

  • Location of employee, customer, and key vendor call tree (both on-side and offsite)
  • Acceptable alternate work locations
  • Location of the disaster recovery procedure
  • Steps to securely access systems and locations that contain sensitive data during a disaster

8) Record Keeping

There are a few generally accepted best practices around privacy and security training:

  • Employees, temps, vendors are trained during onboarding before accessing sensitive data.
  • You maintain a log of everyone who has been trained.
  • You offer a quiz to confirm that they understand it.
  • Training is repeated at least annually. Some companies allow staff to “quiz out” of going through the training again (if they pass the quiz, they can skip the training).
  • You need to be able to produce your audit log and quiz results during an audit or review.

Still feeling a bit overwhelmed?

Get some free help!  Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.

Talk to us!

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!