Information Security Awareness and Training

From University of Nebraska Medical Center
Revision as of 16:09, July 8, 2016 by Dpanowic (Talk | contribs) (Dpanowic moved page Security Awareness and Training to Information Security Awareness and Training: Renamed to better identify topic)




Policy No.: 6301
Effective Date: DRAFT
Revised Date:

Security Awareness and Training Policy

Purpose of Policy

UNMC takes protecting personal or confidential information including, but not limited to, electronic protected health information, education records, and cardholder data that the organization creates, uses, discloses, transmits or stores (collectively, “protected information”) extremely seriously. To help ensure the privacy, security and integrity of protected information, we provide training to the workforce (as defined below). Our goal is to create a level of security awareness that reduces the risk of improper access to, or use or disclosure of, protected information.

Policy

UNMC will ensure that its workforce is trained in and understands the organization’s security policies and procedures with respect to protected information in accordance with all applicable laws and mandated standards including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and the regulations promulgated thereunder governing the privacy and security of individually identifiable health information (collectively, “HIPAA”), the Family Educational Rights and Privacy Act (“FERPA”), and the Payment Card Industry Data Security Standard (“PCI DSS”). UNMC will strive to achieve a level of security awareness both to prevent improper access to or use or disclosure of protected information and to ensure detection and reporting of any improper access, use or disclosure that may occur.

Definitions

Protected Health Information (PHI) is individually identifiable health information. Individually identifiable health information is a subset of health information, including demographic information, collected from an individual, whether oral or recorded in any medium, that:

  • is created or received by ACE and
  • relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.

Workforce refers to faculty, full and part-time employees (management and staff), volunteers, trainees, students, and any other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.

Required Training

Workforce will be required to take security training, usually in the form of on-line video training and/or onsite workshops. Each member of the workforce will be required to take security training within thirty (30) days of commencing his/her position at UNMC and on an annual basis thereafter. Completion of required training will be tracked by Compliance and the Information Security Officer.

Content of training will be role-based and relevant to the type of protected information created, accessed, used or disclosed. For workforce with access to electronic protected health information as defined under HIPAA, such training will include, but not be limited to: user education concerning virus protection and malicious software; user education on the importance of monitoring login success/failure, and how to report discrepancies; and user education in password management. The content of training will be periodically reviewed and updated to reflect changes to information security threats, techniques, requirements, and responsibilities.

In addition to annual training, UNMC will provide periodic security updates to workforce through newsletters, screensavers, webcasts and other means.

In addition to training, the security awareness and training program will include the following:

  • Scheduled awareness surveys.
  • Unscheduled awareness assessments periodically to assure compliance with the training.
  • Feedback surveys to improve the security awareness and training program.

A record of training completion and results of assessments will be maintained for each member of the workforce. For employees, the record will be maintained in the personnel files by the Compliance Office, as part of the permanent record. Records for faculty, volunteers, students, trainees and others will be maintained by the responsible administrative department.

Compliance

Failure to comply with this policy by employees will be subject to UNMC Policy 1098, Corrective and Disciplinary Action Policy. Legal action may be taken for violations of any applicable law.

Record Retention

UNMC will retain a copy of this policy and any revisions thereto, all training materials, and all training records in accordance with UNMC Policy 6056, Retention and Destruction/Disposal of Private and Confidential Information.

Additional Information

This page maintained by dkp.