HIPAA - Security Awareness Training 164.308(a)(5)(i)

Overview:
Implement a security awareness and training program for all members of its workforce (including management).


Action Items:
1) Obtain and review policies and procedures for the security awareness and training program. Elements to review may include, but are not limited to: how workforce members are provided the security awareness and training; which workforce members (including managers, senior executives, and, as appropriate, business associates and contractors) will be provided with the security awareness and training; how workforce members will be provided with security awareness and training when there is a change in the entity's information systems; and how frequently security awareness and training will be provided to all workforce members.
2) Obtain and review documentation demonstrating the implementation of a security awareness and training program including related training materials. Evaluate and determine whether the training program is reasonable and appropriate for workforce members to carry out their functions.
3) Obtain and review documentation demonstrating that the security awareness and training programs are provided to the entire organization and made available to independent contractors and business associates, if appropriate.


Related Documents:
1) Policies and procedures for security awareness and training program.
2) Documentation demonstrating the implementation of a security awareness and training program including related training materials.
3) Documentation demonstrating that the security awareness and training programs are provided to the entire organization and made available to independent contractors and business associates, if appropriate.


Additional Guidance:
Security training for all new and existing members of the covered entity’s workforce is required by the compliance date of the Security Rule. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of EPHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.