[Transcript] Episode 428: How to Manage Security Reminders for Your Team
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello, and welcome to Episode 428: How to Manage Security Reminders for Your Team.
Liath Dalton
This is going to hopefully be a really helpful episode for folks, because one of the administrative standards under the HIPAA Security Rule is not just that you have to train your workforce on your policies and procedures. And as we’ve talked about in other PCT podcast episodes, it’s very supportive to have those foundational conceptual framework trainings as well, to assist with folks understanding the why and the what of your specific policy and procedure contents.
Liath Dalton
But in addition to that, there is this requirement that you be providing periodic security reminders to your team, and that it doesn’t actually provide a huge amount of specificity as to what these reminders need to consist of, or what the best sources for them are. So this is a question that we field not infrequently.
Liath Dalton
And so we thought, let’s tackle this directly and provide a good collection of resources to assist you in meeting this standard in a way that’s not onerous, and is just generally supportive of optimizing your practice’s overall security and risk management program and processes.
Liath Dalton
So the kind of primary resources that we ourselves utilize are the OCR, that’s the Office of Civil Rights, who are the HIPAA regulators, their listserv. And that provides for kind of current topical updates about the HIPAA compliance and regulatory landscape, changes to any HIPAA rules, as well as, you know, sometimes breach updates. If there’s a large breach, they’ll include a notice about what that breach was and kind of lessons learned from it, which then becomes very useful. So in the show notes, we will be linking to where you can sign up for the OCR’s listserv.
Liath Dalton
And then another resource that’s really fantastic is Health IT Security’s newsletter, and they have an entire kind of news feed thread around HIPAA compliance and regulation and cybersecurity in general. And so that will contain issues or notices and guidance around kind of current cybersecurity risks and developments in this space that folks should be aware of. So those are kind of the two I would identify as primary sources for security reminders to draw on.
Evan Dumas
Oh yeah.
Liath Dalton
And then we also have created and curated some security reminder resources for you that are intended to draw on the foundational clinical staff and admin staff HIPAA and privacy ethics trainings. And the way we formatted them is in the meme form. I like to call them mememinders. But basically, it’s a fun and engaging way to highlight an important topic or concept or behavioral practice.
Liath Dalton
Like, how to avoid phishing attempts, or the importance of strong and unique passwords, or lending out your device, that sort of thing. And basically, we’ve set it up to be as easy and streamlined as possible for you, or whoever is wearing the security officer hat in your practice. What does that look like, Evan?
Evan Dumas
Yeah, well, you sign up for our little security reminders, and you say if you’re a solo practice or group practice, because they’re a little bit tailored. And then, is it like every few weeks or so, like, what’s the duration? Yeah, they come out about every few weeks, and you get a little selection of cute memes. And they’re little static images with a bit of text, and you can freely use them to send out to your team to act as a security reminder without having to come up with something clever; we do it for you. And they are just like little snippets that, you know, might as well try to make HIPAA less officious and bureaucratic and a little bit more fun.
Liath Dalton
Exactly. And with that, basically, you will receive those in your inbox, or your security officer, if you’re delegating that role, can sign up for them. And then when they are received, they can then be forwarded to your team, and then right there in your inbox and sent message history, you have the documentation of having provided security reminders and complying with the standard.
Liath Dalton
Because one of the important notes about security reminders is that covered entities have to document the security reminders that they implement. So it should include, or could include, the type of reminder, its message and date it was implemented.
Liath Dalton
For folks who are utilizing PCT’s HIPAA security policies and procedures and manuals and forms and logs and such that are provided in the group practice materials set, one of the logs, your workforce management log, includes a spot for documenting the security reminders as well. So just note that part.
Liath Dalton
And then in addition to those meme reminders, we also have some security awareness training posters, digital posters, that you can utilize, and those specifically correspond to the content and topics of our sort of three mini course security awareness training, which is also assignable to staff and provides a good basis for folks to be aware of kind of the most consistently present and risky cybersecurity attacks that we see where vulnerabilities are present, around like phishing and social engineering, which we’re seeing more and more in the news every day. I don’t think I’ve visited any of my financial institutions’ websites recently without there being a big pop up or banner alerting to current spoofing or phishing notices. So that’s just kind of the reality of the modern landscape.
Liath Dalton
And so something that folks need to be aware of, how to recognize, how to respond, and those are included in those posters, like the distilled version. So we’ll be adding links to both the posters and the memes in the show notes as well. And then Evan, for folks who really want to do an even deeper dive, and maybe geek out a little bit about security considerations, who is our go to there?
Evan Dumas
Yeah, so a classic in the field has been this fellow named Bruce Schneier. And he runs a blog called Schneier on Security and writes wonderfully about security trends, about current topics. And you know, it isn’t a corporation. It’s just this guy, who’s spoken at many conferences, and given so many talks, and is generally recognized as a great impartial expert on cybersecurity. So really, really trustworthy.
Liath Dalton
Exactly, and it’s not specifically focused on the healthcare sector, it’s general cybersecurity and privacy guidance, but there are a lot of really important and relevant pieces and blog posts that he includes in his newsletter that are absolutely applicable, and can be used as security reminders, too.
Liath Dalton
So now you have kind of a whole handful of options for being able to manage the standard, and do so without having to generate these reminders on your own, or be a health information system or cybersecurity expert, or just trawl the news and research it every time it comes up in your security activity task calendar that a reminder needs to be sent out.
Evan Dumas
Definitely, definitely.
Evan Dumas
Mhm.
Liath Dalton
So hopefully that is helpful. Are there any bits of guidance that you would share, Evan, about how useful security reminders actually are in practice?
Evan Dumas
Yeah, security reminders are so much more useful than annual trainings, because if you’ve ever taken an annual training and then asked a couple months afterwards, do you remember anything from it? It’ll probably be a hazy memory. Whereas a security reminder can be topical, it can be in reaction to things people are bringing up to you, or have happened at your group, or that you read a maybe fearmongering article of, where you want to actually say okay, no, you don’t need to be afraid, just do these things. And they are a better way that we learn than the general yearly training.
Liath Dalton
Exactly, it’s about being able to be kind of continually actively engaged in this security mindset, and be providing kind of bite sized, actionable chunks of information and guidance to people, which really equips and empowers them to take a more direct role in safeguarding client information, and adhering to the practice’s policies and procedures.
Liath Dalton
And the reminders can also serve just to highlight the importance of this, particularly if reminders include, on a periodic basis, you know, a news story about where something has gone awry, so that we’re taking things out of the realm of just seeming like, you know, an arbitrary requirement or something that is a theoretical possibility, and just bringing that into the kind of level of conscious awareness on an ongoing basis.
Liath Dalton
So yep, that’s the nitty gritty of security awareness reminders. And do, of course, check out the show notes for all those helpful links being directly shared with you. And please join us next time.
Evan Dumas
Yeah, talk to you next time, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we explain what goes into HIPAA security reminders, which are required under the HIPAA Security Rule.
We discuss our favorite resources for security reminders; our PCT security reminder memes for group or solo practice; documenting security reminders; why security reminders are more useful than annual training; and using current events to inform your security reminders.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources:
- Sign up for the OCR’s listserv here
- Sign up for HealthIT Security’s newsletter as well, which you can do here (the signup is in a box on the righthand of the screen)
- Sign up for Bruce Schneier of Schneier on Security’s newsletter here
PCT Resources:
- PCT’s free digital Security Reminder Posters
- Sign up for PCT’s free Security Reminder Memes
- Assignable staff training: HIPAA Security Awareness Grab Bag
- A collection of three short courses helping you maintain your security awareness through better handling of PHI in public, avoiding inappropriate disclosures, and preventing phishing and social engineering attacks.
- PCT podcast episode: Episode 412: Staff HIPAA Training in Year 2, and Beyond
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.