Episode 32: Know The Rules! HIPAA Security Awareness and Training

Covered Entities (CEs) and Business Associates (BAs) are required to secure the electronic protected health information (ePHI) against internal and external security risks and vulnerabilities. That is why the next standard, HIPAA Security Awareness and Training, § 164.308(a)(5), is so important.

Workforce education and training, together with a culture of compliance that values patients’ privacy, are a necessary part of risk management. All of your workforce members, including employees, volunteers, trainees, management, and BAs, need to know how to safeguard ePHI in your practice.

Specifically, the HIPAA Security Awareness and Training standard dictates that CEs and BAs must:

Implement a HIPAA Security Awareness and Training program for all members of its workforce (including management).

CEs and BAs are required to educate and train individual workforce members at the time each person is hired or contracted.

Industry best practices suggest that the entire workforce, including management, should be trained at least once every year and any time your practice changes its policies and/or procedures, systems, location, infrastructure, etc.

My recommendations are: monthly, quarterly, and annually.

It is particularly important that your workforce be trained on how to respond immediately to any potential security incident or unauthorized disclosure of ePHI, because these situations may result in breaches. An immediate response will also help mitigate any possible loss of data or ePHI.

The HIPAA Security Awareness and Training standard has four implementation specifications:

  1. Security Reminders (Addressable)
  2. Protection from Malicious Software (Addressable)
  3. Log-in Monitoring (Addressable)
  4. Password Management (Addressable)

Your HIPAA Security Awareness and Training program should prepare your workforce to carry out:

  • Their roles and responsibilities in safeguarding patients’ PHI and complying with the HIPAA Rules
  • Your HIPAA policies and procedures
  • Your security monitoring and breach notification processes and procedures

Your workforce needs focused training to develop the skills required to carry out these steps. Reinforce workforce training with periodic reminders.

Above all, lead by example by adhering to your policies and procedures.

In addition, periodic retraining should be given whenever legal, environmental, or operational changes affect the security of ePHI. Changes may include:

  • New or updated policies and procedures
  • New or upgraded software or hardware
  • New security technology
  • Changes in the Security Rule

Regardless of the Administrative Safeguards that CEs or BAs may implement, those safeguards will not protect ePHI if the workforce is unaware of, or untrained in, its role in adhering to and enforcing them.

Note: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.

Covered Entities and Business Associates: your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure!

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today.
