Did you know that Covered Entities and Business Associates (and, soon, their subcontractors) must consider “security reminders” as part of their security awareness and training programs under the final HIPAA security rule (see 45 CFR 164.308(a)(5)). The final rule provides that a “security reminder” includes “periodic security updates” but provides no further guidance on how to meet this requirement.

The security reminder specification is “addressable,” which means that the CE or BA must implement the specification unless doing so would be inappropriate or unreasonable and the purpose of the standard cannot be met through a reasonable alternative measure. It is difficult to imagine how issuing periodic security updates could be an inappropriate or unreasonable measure except in the smallest of organizations.

CEs and BAs should take an expansive view of reminders and use multiple media and multiple venues to create a “Culture of Compliance” as was recently called for at the NIST/OCR HIPAA Security Conference.  of security awareness. For example…

  1. Show users a “security tip of the day” at the time of logon, or when they access the organization’s intranet.
  2. Insert a “Security Awareness” column in monthly or quarterly newsletters.
  3. Notify users of security incidents by broadcast e-mail, including an explanation of the remedial actions that have been taken to prevent a repeat incident.
  4. Post interesting articles on computer security in the mailroom or cafeteria/breakroom. None of these approaches are particularly time consuming, and used together can communicate strongly to IS users the importance of good security practices.

Do not confuse “periodic security updates” in relation to security and awareness training with “periodic security updates” in relation to software patches and revisions. Keeping software current is critical to an effective security program, but that is not the purpose of the security reminder specification.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.

Join our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
Follow us on Twitter
Subscribe to our eNewsletter
Attend a live educational webinar.

Series Navigation<< HIPAA Privacy and Security Reminders – Exercise Caution When Using Public Wireless Access PointsHIPAA Privacy and Security Reminders – Security Official >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.