Information Security Awareness and Training: Difference between revisions

no edit summary
m (Dpanowic moved page Security Awareness and Training to Information Security Awareness and Training: Renamed to better identify topic)
No edit summary
Line 23: Line 23:
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | Security Awareness and Training
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | Information Security Awareness and Training
<br /><br />
<br /><br />
Policy No.: '''6301'''<br />
Policy No.: '''6301'''<br />
Line 30: Line 30:
Revised Date: <br />
Revised Date: <br />
<br />
<br />
<big>'''Security Awareness and Training Policy'''</big><br /><br />
<big>'''Information Security Awareness and Training Policy'''</big><br /><br />
==Purpose of Policy==
==Purpose of Policy==
UNMC takes protecting personal or confidential information including, but not limited to, electronic protected health information, education records, and cardholder data that the organization creates, uses, discloses, transmits or stores (collectively, “protected information”) extremely seriously. To help ensure the privacy, security and integrity of protected information, we provide training to the workforce (as defined below). Our goal is to create a level of security awareness that reduces the risk of improper access to, or use or disclosure of, protected information.  
UNMC takes protecting personal or confidential information including, but not limited to, electronic protected health information, education records, and cardholder data that the organization creates, uses, discloses, transmits or stores (collectively, “protected information”) extremely seriously. To help ensure the privacy, security and integrity of protected information, we provide training to the workforce (as defined below). Our goal is to reach a level of security awareness that reduces the risk of improper access to, or use or disclosure of, protected information.
==Policy==
==Policy==
UNMC will ensure that its workforce is trained in and understands the organization’s security policies and procedures with respect to protected information in accordance with all applicable laws and mandated standards including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and the regulations promulgated thereunder governing the privacy and security of individually identifiable health information (collectively, “HIPAA”), the Family Educational Rights and Privacy Act (“FERPA”), and the Payment Card Industry Data Security Standard (“PCI DSS”). UNMC will strive to achieve a level of security awareness both to prevent improper access to or use or disclosure of protected information and to ensure detection and reporting of any improper access, use or disclosure that may occur.  
UNMC will ensure that its workforce is trained in and understands the organization’s security policies and procedures with respect to protected information in accordance with all applicable laws and mandated standards including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and the regulations promulgated thereunder governing the privacy and security of individually identifiable health information (collectively, “HIPAA”), the Family Educational Rights and Privacy Act (“FERPA”), and the Payment Card Industry Data Security Standard (“PCI DSS”). UNMC will strive to achieve a level of security awareness both to prevent improper access to or use or disclosure of protected information and to ensure detection and reporting of any improper access, use or disclosure that may occur.  
==Definitions==
==Definitions==
'''Affiliated Covered Entity (ACE)''' means legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
*is created or received by ACE and
*is created or received by ACE and
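Review bot: the added '''Affiliated Covered Entity (ACE)''' definition hard-codes the current member list while also stating that "ACE membership may change from time to time", so the policy text will go stale whenever membership changes. Since the same definition says the Notice of Privacy Practices lists current ACE members, consider dropping the inline list and pointing only to that notice, for example by linking [[Notice of Privacy Practices]]. "HIPAA Compliance" should also be lower-cased to "HIPAA compliance" to match the rest of the page.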
Line 52: Line 54:
*Unscheduled awareness assessments periodically to assure compliance with the training.   
*Unscheduled awareness assessments periodically to assure compliance with the training.   
*Feedback surveys to improve the security awareness and training program.
*Feedback surveys to improve the security awareness and training program.
A record of training completion and results of assessments will be maintained for each member of the workforce.  For employees, the record will be maintained in the personnel files by the Compliance Office, as part of the permanent record. Records for faculty, volunteers, students, trainees and others will be maintained by the responsible administrative department.
A record of training completion and results of assessments will be maintained for each member of the workforce within the campus training tracking database.   


==Compliance==
==Compliance==
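Review bot: the replacement record-keeping sentence ("...will be maintained for each member of the workforce within the campus training tracking database") no longer says who maintains the records or that they are kept as part of the permanent record, both of which the removed text stated for employees (Compliance Office) and for faculty, volunteers, students, trainees and others (the responsible administrative department). Suggest naming the office that owns the tracking database and stating how long completion and assessment records are retained, so that the records can still be produced as evidence of the training this policy requires.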