Compliance gaps can become training opportunities.
Conducting a thorough risk assessment is essential to protecting both your patients' private health information and your facility's operational efficiency--but don't use the assessment merely to pinpoint your compliance needs. Rather, your risk assessment could become your foremost security rule training tool. Here's how to make it work for you.
Make Assessment Results Easy For All
Not all workforce members are created equal when it comes to security know-how. That means you'll need to shape your risk assessment results into a form that your employees will be comfortable with, says Kelly Moore, a privacy and security officer for Cogent Health Care in Daytona Beach, FL.
Try this: Filter out the information your workers don't need to know, suggests Margret Amatayakul of MargretA Consulting in Schaumburg, IL. Example: Don't try to train your employees on how to verify access authorization. Instead, emphasize how to create and maintain strong passwords.
Focus On Behaviors, Not Standards
Your risk assessment may highlight your risks according to the security rule's standards, but that approach won't work very well with your staffers, advises Michael Roach, an attorney at Chicago's Michael C. Roach & Associates. "It's your staff's procedures and behaviors that have to change," he says. If you try to train them on the standards without pointing out how those standards translate into real life, you're wasting valuable time, he warns.
Strategy: Come up with a slew of customized, practical examples, geared toward each department, of how to comply with each standard. Try this: Make a two-column list of common behaviors. In one column, list the old way of doing things. In the other column, list your new, compliant methods. Keep your list where each department member can easily access it.
Teach The Change, Not The Process
While you may be working from one uniform risk assessment, you don't have to train each staff member the same way, Moore points out. To accomplish Cogent's security training, Moore created a coaching program that centered training on how the employee's duties will change based on that job's risk assessment. Example: "An hourly employee entering data isn't concerned why we made a decision--she just wants to know how to do her job now," Moore relates.
The Bottom Line
For the most effective training, "you have to decide what's right for you based on your staff and your environment," Amatayakul counsels.
Important: Train your staff as you go rather than waiting to do one large education session. "The earlier in the process you work with those 'on the ground,' the better your results will be," Roach urges. And this way, your employees can give you good feedback on where your coaching is most helpful--and where you need to improve.