(a) A covered entity must, in accordance with § 164.306:
(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
The Security awareness and training standard includes four (4) implementation specifications:
- (A) Security reminders (Addressable).
- (B) Protection from malicious software (Addressable).
- (C) Log-in monitoring (Addressable).
- (D) Password management (Addressable).
The objective of this standard is to implement a security awareness and training program for all members of its workforce (including management). Training implies education concerning the vulnerabilities of the health information in an entity’s possession and ways to ensure the protection of that information. The HIPAA Security Rule requires training of the workforce as reasonable and appropriate to carry out their functions in the facility.
Training should be cover all relevant aspects of the HIPAA Security Final Rule and, as highlighted in this section, especially around protection from malicious software, Log-in monitoring and Password management.
Security reminders are a way to reinforce training and help keep privacy and security top of mind for members of the workforce.
Security awareness training is a critical activity, regardless of the organization’s size. The amount and type of training will be dependent upon an entity’s configuration and security risks. Business associates must be made aware of security policies and procedures, whether through contract language or through other means.
Covered entities are not required to provide training to business associates or anyone else that is not a member of their workforce. However, Business Associates are required to provide training to members of their workforce that handle ePHI. Whether in a Covered Entity or Business Associate organization, each individual who has access to electronic PHI (EPHI) must be aware of the appropriate security measures to reduce the risk of improper access, uses and disclosures. Training is not a one-time type of activity, but rather an on-going, evolving process as an entity’s security needs and procedures change. Training should be tailored to job need. Training must be customized and based on job responsibilities. Training must be focused on issues regarding the use of health information and responsibilities regarding confidentiality and security. All employees must be trained to better understand enterprise security objectives, vulnerabilities and the need for security policies that address passwords and network access.
The final Security rule requires covered entities to train all members of their workforce on the policies and procedures with respect to ePHI required by this rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. Each entity is required to provide initial training by the compliance date on which this final Security rule became applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, when a covered entity makes material changes in its security policies or procedures, it is required to retrain those members of the workforce whose duties were related to the change within a reasonable time of making the change.
Entities can determine the most effective means of achieving this training requirement for their workforce, and are responsible for implementing policies and procedures to meet these requirements and for documenting that training has been provided.
Insiders in general have always been the greatest security threat; of these, the unintentional actions of workforce members comprise the most significant security issues. A workforce knowledgeable in security not only protects against their own mistakes, but also serves as an important line of defense against malicious persons. A training and awareness program that routinely keeps the workforce enforced and retrained, when the organizational, technical and threats change is the best initial defense. Integration with Privacy training, or even general corporate compliance training, may generate efficiencies.