How to Develop HIPAA Security Awareness and Training for Healthcare Staff?

docsThe purpose of the HIPAA security awareness and training program is to educate all workforce members including management on security policies and procedures of Protected Health Information (PHI). This updated training needs to be provided to all new employees and repeated annually for all employees. There are several key considerations for developing the training including:

a. Security Training Program

It is primarily the responsibility of the security officer to ensure the development and delivery of initial security training.  All workforce members should receive initial training addressing the requirements of the HIPAA Security Rule, including the updates to HIPAA regulations found in the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Security training needs to be provided to all new workforce members as part of the orientation process. Attendance and/or participation in training is mandatory for all workforce members. The Security Officer is responsible for maintaining appropriate documentation of all training activities, including training logs, training material, completion certificate, etc.

The security officer should be responsible for the development and delivery of ongoing security training, provided to workforce members in response to environmental and operational changes impacting the security of ePHI, e.g., addition of new hardware or software and new threats like “Heartbleed,” etc.

b. Security Reminders

  • The Security Officer should generate and distribute routine security reminders to all workforce members on a regular basis. Periodic reminders shall address password security, malicious software, incident identification and response, and access control. Reminders should also include how to check the firewall and ensure it is activated/configured properly, etc.  The Security Officer may provide such reminders through formal training, e-mail messages, discussions during staff meetings, screen savers, log-in banners, newsletter/intranet articles, posters, and promotional items such as coffee mugs, mouse pads, sticky notes, etc.  The Security Officer is responsible for maintaining appropriate documentation of all periodic security reminders.
  • The Security Officer needs to generate and distribute special notices and alerts to all workforce members providing urgent updates, such as new threats, hazards, vulnerabilities, and/or countermeasures.
  • Reminders should also include physical safeguards, in terms of ensuring facilities are locked when away, not leaving open workstations unattended near insecure areas, etc.
  • Also, electronic data must be disposed of properly (straight deletion being insecure)

c. Protection from Malicious Software

As part of the aforementioned Security Training Program and Security Reminders, the Security Officer needs to at least include training concerning the prevention, detection, containment, and eradication of malicious software.   Such training shall include the following:

  • Guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail,
  • The importance of updating anti-virus software and how to check a workstation or other device to determine if virus protection is current,
  • Instructions to never download files from unknown or suspicious sources,
  • Recognizing signs of a potential virus that could sneak past antivirus software or could arrive prior to an update of anti-virus software,
  • The importance of backing up critical data on a regular basis and storing the data in a safe place,
  • Damage caused by viruses and worms, and
  • What to do if a virus or worm is detected.

d. Password Management

As part of the aforementioned Security Training Program and Security Reminders, the Security Officer needs to provide training concerning password management.  Training needs to address the importance of confidential passwords in maintaining computer security, as well as the following requirements relating to passwords:

  • Passwords must be changed at least every 90 days.
  • A user cannot reuse the last 12 passwords.
  • Passwords must be at least eight characters and contain upper case letters, lower case letters, numbers, and special characters.
  • Commonly used words, names, initials, birthdays, or phone numbers should not be used as passwords.
  • A password must be promptly changed if it is suspected of being disclosed or known to have been disclosed.
  • Passwords must not be disclosed to other workforce members (including anyone claiming to need a password to “fix” a computer or handle an emergency situation) or individuals, including family members.
  • Passwords must not be written down, posted, or exposed in an insecure manner such as on a notepad or posted on the workstation.
  • Employees should refuse all offers by software and/or Internet sites to automatically login the next time that they access those resources.
  • Any employee who is directed by the Security Officer to change his/her password to conform to the aforementioned standards shall do so immediately.

Finally, some of the training content need to be customized based on the roles and responsibilities of the workforce as healthcare staff needs only the basics of HIPAA against the healthcare IT staff that needs to understand the security rule requirements completely.

Useful Reference Sites:

To purchase or customize HIPAA security awareness training please visit our training page at:


Get Started Now!-v2

Share this in :
The following two tabs change content below.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.