We recently completed our annual security awareness training. Yearly completion of this training is an expectation of many of our customers as well as a requirement for maintaining our security certifications. These certifications, along with a demonstrated commitment to security education, help to ensure customer confidence and our continued success with their programs.
Completion of the annual security training is required of all IWCO Direct employees, temporary employees, contractors and interns. When asked, “Do I really have to do this again?” I’m always prepared to explain that these practices are an essential part of our relationship with our customers and no one is exempt from completing the training.
Many of the clients we do business with are in highly regulated industries in which they are constantly being asked to verify the effectiveness of their security practices. Because we are a third-party vendor to our customers, the security demands placed upon them also extend to us. In order for us to continue to do business with these clients, we need to continually prove to them that we take security just as seriously as they do.
It was gratifying to hear from a number of colleagues that this year’s training was more than just an exercise – the word “enlightening” was used more than once by people who had braced themselves for the usual “blah blah blah breach” content and were surprised by what they found instead.
For example, many who participated in the training had no idea that Protected Health Information (PHI) has so many elements and pertains to information created or received by health care providers, health plans, employers, or health care clearinghouses. Many did not realize that PHI is timeless in the sense that it relates to the past, present, or future physical or mental health or condition of an individual. The definition also includes provision of health care to an individual and past, present, or future payment for provision of health care to an individual.
Do you know how many identifiers are defined for HIPAA PHI use? If you answered 18, you must have participated in our training. “Identifier” means there is a reasonable basis to believe the information can be used to identify an individual. No one was surprised to learn that social security numbers and medical record numbers are considered identifiers. Many were surprised that URLs and IP addresses are included in the list.
The definition of dates for HIPAA PHI identifiers was also new to many. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death, are considered HIPAA PHI identifiers.
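To make the identifier rules above concrete, here is a small added example (written for this post, not part of IWCO Direct’s training or tooling) that scans a constructed patient note for a few of the identifier classes mentioned: SSNs, medical record numbers, URLs, IP addresses, and full dates, which it reduces to the year only. The regular expressions and the sample record are assumptions constructed for illustration and are deliberately narrow.

```python
import re
from typing import Dict, List, Tuple

# Narrow, illustrative patterns for five of the 18 HIPAA identifier classes
# discussed in the post. Constructed for this example; real data needs
# broader, validated patterns and handling for names, addresses, etc.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Digits following a literal "MRN " label (lookbehind keeps the label).
    "mrn": re.compile(r"(?<=\bMRN )\d{6,10}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Month/day/year dates; the year alone is not an identifier.
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b"),
}


def generalize_date(match: "re.Match[str]") -> str:
    """Keep only the year, as the date rule in the training requires."""
    return match.group(3)


def redact_phi(text: str) -> Tuple[str, List[str]]:
    """Return the text with identifiers removed and the classes found.

    Dates are generalized to the year; every other class is replaced by a
    marker so a reviewer can see what was taken out.
    """
    found: List[str] = []
    for cls, pattern in PATTERNS.items():
        if not pattern.search(text):
            continue
        found.append(cls)
        if cls == "date":
            text = pattern.sub(generalize_date, text)
        else:
            text = pattern.sub(f"[{cls.upper()} REMOVED]", text)
    return text, found


# Constructed sample record (fictional values only).
RECORD = (
    "Patient John Doe, SSN 123-45-6789, MRN 00451234, admitted 03/14/2017, "
    "discharged 03/20/2017; portal https://example.org/p/123 from 203.0.113.7."
)

if __name__ == "__main__":
    cleaned, classes = redact_phi(RECORD)
    print(cleaned)
    print("identifier classes found:", classes)
```

Note that the patient name survives untouched: names are also identifiers, and matching them needs a different approach than pattern matching, which is why awareness of all 18 classes matters.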
It’s also been interesting to hear first-hand from colleagues who are being counted among the many millions impacted by recent data breaches. While news about the breaches is a great concern, it does seem to be generating a new appreciation for our security awareness training. In particular, many have expressed gratitude for the section of the training that explains how information is compromised and have described their increased vigilance to protect client information at work and their personal information at home.
It’s rewarding to have our required security awareness training become a recommended course, rather than just a required one.
Subscribe to SpeakingDIRECT to have new articles delivered to your inbox as they post. We promise to keep it fresh and interesting.