HIPAA Security Awareness and Training
This article describes the HIPAA security awareness and training requirements for a covered entity. The relevant subsection of the HIPAA law is §164.308(a)(5).
A HIPAA security awareness and training program is one of the administrative safeguards that a covered entity must employ. The program is required in order to educate workforce members about security responsibilities and best practices.
NOTE: There is a significant difference between what HIPAA requires regarding awareness and training, and actual awareness. This post covers the minimums necessary to meet HIPAA security awareness and training requirements. A future post will focus on how to go beyond the minimums to cultivate actual awareness, and the benefits that true security awareness can have in your organization (beyond HIPAA compliance).
HIPAA Security Awareness and Training
In addition to the implementation of policies to limit access to electronic protected health information (ePHI), all workforce members should participate in a robust HIPAA security awareness and training program. The program should ensure that workforce members understand, and comply with, their individual security responsibilities. There are four areas that this program must cover:
- Security Reminders – the entity must distribute security reminders and updates periodically. NIST Special Publication 800-50 describes many topics that could be covered by these reminders, including areas such as appropriate use of handheld computing devices, on-site visitor monitoring, and detecting social engineering attacks.
- Protection from Malicious Software – workforce members should be trained to guard against and report malicious software. Any member of the workforce who has access to ePHI must be trained to identify the symptoms of malicious software, and the procedures for reporting and controlling such problems.
- Log-In Monitoring – workforce members should be trained to recognize discrepancies in log-in procedures, and technical safeguards must be in place to detect suspicious log-in activity. Routine monitoring of account activity, such as detecting repeated incorrect password entries, should be performed. Workforce members should be trained to recognize when their accounts may have been accessed without their knowledge, and should report any discrepancies to the appropriate security officer.
- Password Management – workforce members should be trained in creating, changing and safeguarding secure passwords. This guidance in particular must be periodically reviewed to ensure it remains effective as password requirements change over time.
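The log-in monitoring area above calls for a technical safeguard that detects repeated incorrect password entries. The following is an added example (not from the original article, and not a product's code) of what such a detector looks like: it parses a small set of constructed, hypothetical auth log lines, flags an account that reaches a threshold of failed log-ins inside a time window, and also flags a successful log-in that immediately follows such a burst, since that is the case the account owner should be asked to confirm and otherwise report to the security officer. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article), in a hypothetical syslog-like format.
SAMPLE_LOG = """\
2024-03-04T08:00:01 auth: FAILED login user=jdoe src=10.0.0.5
2024-03-04T08:00:09 auth: FAILED login user=jdoe src=10.0.0.5
2024-03-04T08:00:17 auth: FAILED login user=jdoe src=10.0.0.5
2024-03-04T08:00:40 auth: SUCCESS login user=jdoe src=10.0.0.5
2024-03-04T08:01:00 auth: FAILED login user=asmith src=10.0.0.7
2024-03-04T08:45:00 auth: FAILED login user=asmith src=10.0.0.7
2024-03-04T09:00:00 auth: SUCCESS login user=asmith src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(text):
    """Yield (timestamp, result, user, src); lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def find_login_discrepancies(text, threshold=3, window=timedelta(minutes=10)):
    """Return alerts as (kind, user, src, iso_timestamp) tuples.

    'repeated_failures'      : an account reached `threshold` failed log-ins inside `window`
    'success_after_failures' : a success followed such a burst, so the account owner should
                               confirm it was them and otherwise report to the security officer
    """
    recent_failures = defaultdict(deque)  # user -> timestamps of failures still inside window
    alerts = []
    for ts, result, user, src in parse_events(text):
        q = recent_failures[user]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) == threshold:  # fire once per burst, not on every later failure
                alerts.append(("repeated_failures", user, src, ts.isoformat()))
        else:
            if len(q) >= threshold:
                alerts.append(("success_after_failures", user, src, ts.isoformat()))
            q.clear()  # a success ends the burst for this account
    return alerts
```

On the constructed sample, jdoe produces both alert kinds, while asmith's two failures are 44 minutes apart and fall outside the window, so that account is not flagged.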
An auditor will assess the training schedules and materials to ensure that they are sufficient to cover the areas above, as well as whether they specifically cover HIPAA security awareness and training requirements.
Each training specification is addressable, so if any part of the training requirements is not applicable or reasonable for the entity to implement, there must be formal documentation explaining why, and what (if any) related training programs exist instead.
Security Awareness vs. Training
The HIPAA regulation separates “security awareness” from “training”, which is a good thing. Although many vendors will sell you a “security awareness training” program, awareness and training aren’t the same. Awareness is a state in which individuals realize the consequences of their actions or decisions. Training is to form by instruction, discipline, or drill. One can be trained to enact certain behaviors given some inputs, but cannot be trained to be aware. For example, individuals can be trained to report to their security officer if the anti-malware software detects an infection. It is much harder to create awareness, so that the individual realizes that opening an attachment from an unrecognized email address may have the consequence of a malware infection (and subsequently having to send that report).
Changes in the 2013 HIPAA Update
No changes to the HIPAA security awareness and training requirements were included in the 2013 HIPAA Omnibus Rule. However, as described in this article, business associates of covered entities are also liable for complying with the Security Rule. Therefore, these requirements also apply to business associates.
Maintaining HIPAA compliance is the responsibility of all of the workforce members of a covered entity. A well-maintained HIPAA security awareness and training program will help ensure that everyone understands their responsibilities within the organization for maintaining compliance. As mentioned above, it is possible to go beyond the compliance minimums and cultivate security awareness, but that will be the subject of a future article.