


Chapter 1: Security Awareness Training

Index

Section I: Pertinent sections of HIPAA proposed security regulations relating to Security Awareness Training
Section II: Requirement
Section III: Approaches/Solutions
Section IV: Policy & Procedure
Section V: Technology
Section VI: Users/Roles
Section VII: Web Sites Of Interest


Section I: HIPAA Proposed Security Regulations relating to security awareness training

HIPAA regulation reference: 45 C.F.R. §142.308 (proposed Security Rule):

Security awareness training: All employees, agents, and contractors must participate in information security awareness programs. Based on job responsibilities, individuals may be required to attend customized education programs that focus on issues regarding use of health information and responsibilities regarding confidentiality and security. All personnel in an organization should undergo security awareness training, including but not limited to, password maintenance, incident reporting, and an education concerning viruses and other forms of malicious software.

Section II: Requirement

  • Awareness training for all personnel (including management)
  • Periodic security reminders
  • User education concerning virus protection
  • User education in the importance of monitoring log-in success/failure, and how to report discrepancies
  • User education in password management



Section III: Approaches/Solutions

  • Develop job-specific security awareness training for all workforce members. Customize based on use of PHI (Protected Health Information).
  • Focus the training to cover both privacy and security issues.
  • Privacy and Security Tips via Email, Intranet or Organizational Newsletters.
  • Video Presentations on good security and privacy practices.
  • Develop a tracking mechanism to monitor enrollment and completion of HIPAA security awareness training.
  • Develop a schedule to provide periodic security awareness training updates.
  • Make supervisory or departmental management primarily responsible for training completion, with Human Resources performing a secondary audit review.



Section IV: Policy & Procedure

Security Awareness Training policy: Security training is a requirement for an organization's HIPAA compliance. Organizations are responsible for training not only their own personnel but also the agents and contractors that have access to health information. Initial training must include a review of the HIPAA requirements, followed by training tailored to the specific security policies, processes and technology of your organization, based on the level of security responsibility of each segment of users.

A security training program should include:

  • Awareness education covering the organizational security policy, password maintenance, incident reporting, and viruses.
  • Periodic security reminders, conducted as updates to the basic security education.
  • User education concerning virus protection, including identification, reporting and prevention measures.
  • User education in the importance of monitoring log-in success/failure and how to report discrepancies, including employee responsibility for ensuring the security of health information.
  • User education in password management, including the organizational rules to be followed in creating, changing and ensuring the confidentiality of passwords.



Section V: Technology

Minimum: Documentation that each employee, agent or contractor has completed the initial security awareness training and each subsequent periodic security update.

Best Practice: An electronic learning program that delivers the security awareness training and maintains a tracking database of all employees, agents and contractors who have completed the initial training and the periodic reviews, with content customized to each person's level of access to PHI. It should also assess retention, so that trainees demonstrate to the organization that they understood the information presented during the training.



Section VI: Users/Roles

Security awareness training is customized to the specific security policies, processes and technology of your organization and tailored to the level of security responsibility of each segment of users, for example: personnel that have only incidental exposure to systems and are not authorized users (cleaning crews, receptionists, volunteers); users with very limited access; users with substantial access; users with explicit security roles (e.g., determining access authorization); and security and systems staff.
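Sections V and VI together describe a tracking database that records completion per person and tailors the required content to each user segment. The following Python is an added example, not code from the original page or from any HIPAA tooling; it shows one way to build such a tracker that reports who is missing a module or is past its refresh date. The module names, the tier-to-module mapping, the refresh intervals (annual retraining, 90-day reminders) and the roster are assumptions for the example, not requirements of the regulation.

```python
"""Training-completion tracker: who still owes which security awareness module.
Added example; tiers follow the Section VI user segments, everything else is assumed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed modules: every tier gets the basics plus periodic reminders,
# higher tiers add modules matching their access to PHI and their role.
BASE = {"awareness_basics", "security_reminder"}
USER = BASE | {"passwords", "malware", "incident_reporting"}
REQUIRED_MODULES = {
    "incidental":     BASE,                     # cleaning crews, receptionists, volunteers
    "limited":        USER,                     # users with very limited access
    "substantial":    USER | {"phi_handling"},  # users with substantial access
    "access_admin":   USER | {"phi_handling", "access_authorization"},
    "security_staff": USER | {"phi_handling", "access_authorization", "log_monitoring"},
}
# Assumed refresh schedule: annual retraining, reminders every 90 days.
DEFAULT_REFRESH_DAYS = 365
REFRESH_DAYS = {"security_reminder": 90}


@dataclass(frozen=True)
class Person:
    name: str
    kind: str   # "employee", "agent" or "contractor": all three are in scope
    tier: str   # a key of REQUIRED_MODULES


@dataclass(frozen=True)
class Completion:
    """One row of the tracking database: who completed which module, and when."""
    name: str
    module: str
    completed_on: date


def latest_completions(records):
    """Collapse the completion log to the most recent date per person and module."""
    latest = {}
    for r in records:
        per_person = latest.setdefault(r.name, {})
        if r.module not in per_person or r.completed_on > per_person[r.module]:
            per_person[r.module] = r.completed_on
    return latest


def findings_for(person, latest, as_of):
    """Modules the person never completed, or whose last completion has passed
    its refresh date, in module-name order."""
    done = latest.get(person.name, {})
    gaps = []
    for module in sorted(REQUIRED_MODULES[person.tier]):
        last = done.get(module)
        if last is None:
            gaps.append(f"missing: {module}")
            continue
        due = last + timedelta(days=REFRESH_DAYS.get(module, DEFAULT_REFRESH_DAYS))
        if due <= as_of:
            gaps.append(f"overdue: {module} (last {last.isoformat()}, due {due.isoformat()})")
    return gaps


def compliance_report(roster, records, as_of):
    """Map each roster name to its list of gaps; an empty list means compliant."""
    latest = latest_completions(records)
    return {p.name: findings_for(p, latest, as_of) for p in roster}


def noncompliant(report):
    """Names owing at least one module: the list a supervisor chases and HR audits."""
    return sorted(name for name, gaps in report.items() if gaps)


# Constructed sample roster and completion log (not real people or records).
ROSTER = [
    Person("A. Patel", "employee", "substantial"),
    Person("B. Ortiz", "contractor", "limited"),
    Person("C. Nguyen", "employee", "security_staff"),
    Person("D. Kim", "agent", "incidental"),          # no log rows at all
]
LOG = [Completion("A. Patel", m, date(2024, 1, 10)) for m in
       ("awareness_basics", "passwords", "malware", "incident_reporting", "phi_handling")] + [
    Completion("A. Patel", "security_reminder", date(2024, 3, 1)),
    Completion("B. Ortiz", "awareness_basics", date(2023, 2, 1)),   # superseded by the 2024 row
    Completion("B. Ortiz", "awareness_basics", date(2024, 2, 1)),
    Completion("B. Ortiz", "passwords", date(2024, 2, 1)),
    Completion("B. Ortiz", "malware", date(2024, 2, 1)),
    Completion("B. Ortiz", "security_reminder", date(2024, 2, 1)),  # incident_reporting never taken
] + [Completion("C. Nguyen", m, date(2024, 1, 15)) for m in
     ("awareness_basics", "passwords", "malware", "incident_reporting",
      "phi_handling", "access_authorization")] + [
    Completion("C. Nguyen", "log_monitoring", date(2023, 1, 15)),     # annual refresh lapsed
    Completion("C. Nguyen", "security_reminder", date(2023, 12, 15)), # 90-day reminder lapsed
]
AS_OF = date(2024, 4, 1)

if __name__ == "__main__":
    for name, gaps in compliance_report(ROSTER, LOG, AS_OF).items():
        print(name + ":", "compliant" if not gaps else "; ".join(gaps))
```

Keeping the raw completion log rather than a single "trained: yes/no" flag is what makes the Section V minimum ("documentation that each employee, agent or contractor has completed ... each periodic update") auditable: the report for any past date can be regenerated by changing `AS_OF`, and a retaken module (B. Ortiz's second awareness_basics row) supersedes the older one without losing the history.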


Section VII: Web Sites Of Interest

http://aspe.hhs.gov/admnsimp/nprm/secnprm.pdf - Actual proposed HIPAA Security regulation in pdf format.

http://snip.wedi.org/public/articles/awareness.pdf - WEDI SNIP white papers on privacy and security awareness and education.

http://www.hipaasummit.com/ - General site for HIPAA Summits.

http://www.ahima.org - American Health Information Management Association Web-Site.

http://www.hcmarketplace.com/ - Site that has various educational resources such as h-mail and HIPAA books.





