Did you know that Covered Entities and Business Associates (and, soon, their subcontractors) must consider “security reminders” as part of their security awareness and training programs under the final HIPAA Security Rule (see 45 CFR 164.308(a)(5))? The final rule provides that a “security reminder” includes “periodic security updates” but offers no further guidance on how to meet this requirement.
The security reminder specification is “addressable,” which means that the CE or BA must implement the specification unless doing so would be inappropriate or unreasonable and the purpose of the standard cannot be met through a reasonable alternative measure. It is difficult to imagine how issuing periodic security updates could be an inappropriate or unreasonable measure except in the smallest of organizations.
CEs and BAs should take an expansive view of reminders and use multiple media and multiple venues to create a “Culture of Compliance,” as was recently called for at the NIST/OCR HIPAA Security Conference, and a culture of security awareness. For example:
- Show users a “security tip of the day” at the time of logon, or when they access the organization’s intranet.
- Insert a “Security Awareness” column in monthly or quarterly newsletters.
- Notify users of security incidents by broadcast e-mail, including an explanation of the remedial actions that have been taken to prevent a repeat incident.
- Post interesting articles on computer security in the mailroom or cafeteria/breakroom.

None of these approaches is particularly time consuming, and used together they can strongly communicate to IS users the importance of good security practices.
Do not confuse “periodic security updates” in relation to security and awareness training with “periodic security updates” in relation to software patches and revisions. Keeping software current is critical to an effective security program, but that is not the purpose of the security reminder specification.
Latest posts by Bob Chaput