I am currently working to help a bunch of small pharmacies remain compliant and one of the requirements is: Interviews with staff members about privacy and security policies relevant to their positions.

How do I determine what is relevant to their position, or should I just go with a wider range, talking about common sense about keeping their devices with information secure and protecting clients' health information?

Is there a NIST type of document that talks about key points that should be hit?

This is for URAC compliance.

Compliance areas are: PHARM Core 13 and Core 15

Jason
  • Have you got threats written down? Phishing, social engineering etc. ...? Do they know when to escalate? Have you got some horror stories ([Royal prank](https://en.wikipedia.org/wiki/Death_of_Jacintha_Saldanha)) up your sleeve? – Deer Hunter Aug 25 '15 at 14:14
  • What section of the Standards are you speaking about? – schroeder Aug 25 '15 at 16:27
  • This would be Core 13 and 15 – Jason Aug 25 '15 at 16:36

1 Answer

I don't know URAC; it appears to have to do with HIPAA based on cursory googling, though I would assume the context of what is trying to be achieved is the same as in other sectors (for me, finance).

I would say there are three categories that are important:

General Knowledge:

This would be everyone's responsibility. A common reference for this is your information security policy used organization-wide, internet control policies, and user training around phishing/social engineering attacks. You can even lump best practices in here.

Role-specific knowledge:

These are policies specific to your job and responsibilities. If you work with PII or medical records (i.e. you're a DBA): do you know the practices for access into the system, what level of encryption or hashing is used, and what the difference between PII and public information is?

Sector/Government Compliance Policy:

An example of this (for the finance sector) is the ABA, which is company-wide training around laws and regulation to provide a checks-and-balances policy. This is usually required by either a group or a government.

Shane Andrie