Monday, January 8, 2018

2018 - New Year and New Opportunities

If we have learned anything from previous years and the severity of the attacks from cybercriminal activities, it is that the resourcefulness of attacks on PHI has been unprecedented. For the year ahead, we have every reason to believe this will continue, and it really is up to us to set a new standard in preparing our organizations for the onslaught.

Start with employee education: This can be achieved in many forms. Don't limit yourself to expecting employees to read long policy and procedure manuals. It is also unrealistic to think that once-a-year canned training or, worse, training only upon orientation is enough for the workforce to be armed with what they need to know to safeguard your patients' health information. Education should be creative and provided as often as possible. See a news story about a breach? Use that opportunity to share best practices on how to avoid that happening to you. Want to see how alert your teams are against phishing? Send a bogus email and see how many of them click on the link (to nowhere, since you are managing this), and how many actually report it as they should to the appropriate help desk staff. Live interactive educational sessions with "real world" examples of breaches and their consequences will always be most powerful.

Next step, ask employees to share their stories: One thing that I find extremely valuable is to ask your employees to share their personal experiences with HIPAA. Stories from friends and family who have had no access to record copies, or a provider encounter where the information was not accurate, will be eye-opening to those hearing them. Another good one is asking your people if they've had any issues with identity theft or medical identity theft. These are impactful because they are actual events that can help those around them understand that a breach of PHI or a hacking attack is not always going to happen to just the "other guy." This is happening all around us.

The bottom line is that there is just no substitute for staying focused on the efforts being made to get to PHI and on how we must all be on guard all the time.