This entry is part 15 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (A) Security reminders (Addressable).  Periodic security updates.

Tell Me More:

The Security Reminders implementation specification requires covered entities to address implementing procedures for implementing periodic security updates to members of the workforce. Periodically reminding employees of their security responsibilities is recommended. Security reminders are effective for reinforcing what has been learned through more formal security training. Periodic security reminders should roll out on a regular basis (e.g., at least quarterly) to ensure the workforce is up to date on all security issues.

Questions to consider:

  • Does the organization provide periodic security updates, related to both ePHI and other PHI? If not, do they make sense for the organization?
  • What media are used and what media are best for providing the updates, e.g., e-mails, posters, memoranda, Intranet, and newsletters? The organization should consider using a variety of approaches to reinforce key security policies and procedures.
  • How are security update topics be selected and by whom? Security reminders should address problem areas? How often are security updates provided and by whom? Make sure developing and delivering periodic reminders is assigned to appropriate staff.
  • Does the organization provide periodic “refresher” training? Is this training documented? Periodic refresher courses are an effective way to make sure workforce members understand the organization’s policies and procedures address common concerns.

References:

Series Navigation<< 164.308(a)(7)(ii)(B) Standard: Contingency plan – Disaster recovery plan164.312(a)(1) Technical safeguards – Standard: Access control >>