For organizations that deal with sensitive client or employee information, (e.g., Medical Practices, Employer Groups, Business Associates, and Business Associate Subcontractors) developing a robust security plan is a necessary investment when it comes to data protection. Building a security program that can ensure the safety of information at rest, in transit, and in storage should be a top priority. With a rapidly changing cybersecurity landscape, it’s not always clear how best to implement data protection, especially when laws and requirements are constantly changing. Many organizations, including Total HIPAA Compliance, rely on NIST for guidance.
What is NIST?
NIST (the National Institute of Standards and Technology) is an agency within the United States Department of Commerce. It promotes innovation and competition among many industries by putting measurement standards in place. They operate as a national laboratory of sorts, conducting research and building organizational frameworks that allow these entities to strengthen and mature their security systems and training programs.
What is NIST 800-50?
NIST Special Publication 800-50, entitled “Building an Information Technology Security Awareness and Training Program,” is a document published by NIST, and the foundation of Total HIPAA’s HIPAA compliance training. It provides guidelines for designing an employee awareness and training program, developing training materials, and implementing a program. In the document, NIST instructs organizations to ask two questions when developing a program:
- What behavior do we want to reinforce (awareness)?
- What skills do we want the audience to learn and apply (training)?
Our HIPAA compliance training program is designed with these questions in mind. Our training is broken down into a series of short videos offering engaging real-world scenarios that you and your team can relate to. Trainees are required to watch all the training videos and pass each of the quizzes before taking the final exam. Upon successfully passing the final exam, trainees will receive a certificate of completion that is valid for one year. Annual retraining is essential for maintaining awareness of security standards, not to mention, it’s required by HIPAA!
NIST 800-50 and Awareness Materials
Awareness materials should address a specific issue, or describe how to start a program, session, or campaign. NIST urges those creating the material to provide content that employees can practically integrate into their jobs. If material feels impersonal or “canned,” then the benefit and retention will be far less.
NIST also recommends being aware of the amount of content that is included in the awareness material. While there are plenty of topics to be covered, it is important not to overwhelm those engaging with the content, or, once again, not very much will be retained.
Total HIPAA’s awareness materials are designed to help organizations of all sizes fulfill HIPAA’s annual training requirement. Our training is broken down into four sections: Privacy, Security, Breach, and Penalties. Within those sections, there are modules about individual topics that feature a short video followed by a brief series of questions. We make the training process easy and interactive to increase retention and ensure employees understand their roles in compliance.
NIST 800-50 and Training Materials
NIST recommends developing training materials for the following topics:
- Password security
- Safe web browsing
- Social engineering
- Mobile security
- Physical security
- Removable media
- Working remotely
Each of these topics has the potential to be broken down into smaller categories, but generally, these are the recommended topics. The training materials should identify a specific audience, considering which employees are being trained, how these security and awareness measures will affect their roles, and create the plan with that in mind.
Implementing a Training Program
A training program should always be explained and contextualized to achieve the support necessary for its implementation. Employees should understand: expectations of management, the nature of staff support, scheduling details, expected results, and benefits. This step is essential, so everyone understands their respective roles and responsibilities.
Our training program offers two different levels for employees, depending on their role in the organization. The Leader Training is designed for personnel charged with creating and implementing policies and procedures and those in leadership positions within the organization. The WorkForce Training is for staff who interact with Protected Health Information but have no hand in creating the organization’s compliance program. Both the Leader and Workforce training are filled with practical suggestions to help staff understand how the HIPAA law impacts their work. It’s our job to help you become compliant, so you can focus on running your business.
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your organization.
Want to know more about our online HIPAA training or our customized compliance solution, HIPAA Prime? Email us at email@example.com to learn more about how we can help your organization become (and stay!) compliant. Or, get started here.