Compliance Focus Leads to Experiment in Cheap Films
If you want employees to retain the information you give them in training, you'd better make the material interesting.
Computerworld - The state agency I work for is categorized as a "covered entity" under the Health Insurance Portability and Accountability Act. That means that we handle and transmit health information on state residents that is subject to the HIPAA privacy and security rulings.
To comply with those rules, we have to make sure that all of our employees know the proper way to handle the protected information they have access to -- anything from personal health information such as HIV test results to Social Security numbers, home addresses and health care provider information. Training is given to all new employees, and privacy information is provided via the agency's internal Web site.
Staffers are instructed not to leave confidential information lying around on desks and to lock their computer screens when away from their desks. The training materials are overseen by the agency's privacy officer, and his organization has written and published a document of over 100 pages. Each unit chief (agencyspeak for "department manager") has his employees read the document and then sends an e-mail to the privacy organization listing the names of those who have done so.
Yuck! Would you read 100 pages on HIPAA compliance? I might read a document of that size if it were really interesting and pertained specifically to my profession, but I doubt that I could get through five pages on HIPAA compliance. As much as I didn't want to revisit the topic of HIPAA training, I knew that in order to have an effective training program, things had to change.
Why does this concern the security manager? I have been asked to approve policies and procedures issued by the privacy organization before publication, since they're an important intersection between privacy and security. I requested a meeting with the privacy officer so that we might collaborate on future training and publication endeavors.
My thinking is that if it's important for employees to learn how to comply with the privacy and security rulings, then we have to make the presentation something they'll want to spend time on.
In other words, I don't want to use the typical approach of posting static information on an internal Web site and telling employees to visit the intranet to read and become informed. Web pages filled with do's and don'ts are never going to hold the interest of busy workers, even if you use PowerPoint presentations to add a little color and some pictures.
What we need is an approach that will capture employees' attention, drive home for them how

