HIPAA Security Implementation, Version 1.0

6.7 SECURITY TRAINING AND AWARENESS

Security training must educate the organization workforce on the vulnerabilities of the health information in an entity's possession and ways to ensure the protection of that information. Security awareness training should re-enforce that education, making security part of their daily work routines. This training should include (but not be limited to) password maintenance, incident reporting, and computer viruses and other forms of malicious software. The training and educational programs should be customized to an person's role in the organizations, focusing on issues regarding use of health information and responsibilities regarding confidentiality and security specific to their job. IT skills assessment and training should also be addressed under security to avoid security incidents that are unintentional, based on a user 's lack of fundamental computer skills.

• Skill assessment for information technology in order to ensure that an employee can comply with the security requirements required by information technology;

• Centrally managed training program that includes security. This program should also document the training received in either the staff or vendor record;

• Training provided during orientation;

• On-going training for security awareness that, ideally , is scenario-based;

• Security awareness program that includes daily reminders such as posters , flyers, and so forth; and,

• Training in information technology for users that specifically addresses computer and information system security issues, policies, and procedures.