© 2026 D3rx. All rights reserved.
Administrative Safeguards (164.308)

Security Awareness & Training Policy

45 CFR § 164.308(a)(5)

Mandates ongoing HIPAA security training for all workforce members, covering the four addressable implementation specifications: security reminders, protection from malicious software, log-in monitoring, and password management. Addresses a compliance gap commonly found in audits.

What's Included

  • Policy document
  • Training log template
  • Annual training curriculum outline
  • New-hire training checklist
  • Implementation checklist
  • Annual review template
2 pages · ~1,021 words · 8 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview

Page 1 of 2

Security Awareness & Training Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes the requirements for security awareness and training for all workforce members of [PRACTICE NAME]. An informed and vigilant workforce is one of the most effective safeguards against data breaches, because most incidents begin with a credential, an attachment, or a phone call handled by a person. This policy ensures that every person with access to ePHI understands their responsibilities, recognizes threats, and knows how to respond to security incidents.

2. Scope

This policy applies to all members of [PRACTICE NAME]'s workforce, including management, as required by 45 CFR § 164.308(a)(5). This includes employees, volunteers, trainees, temporary staff, and contractors, regardless of whether they routinely access, use, or manage ePHI. Training requirements apply from the date of hire or engagement and continue throughout the workforce member's tenure.

3. Policy Statement

[PRACTICE NAME] shall implement a security awareness and training program for all workforce members, including management, as required by 45 CFR § 164.308(a)(5). The program shall address the four addressable implementation specifications: security reminders, protection from malicious software, log-in monitoring, and password management. "Addressable" does not mean optional: under 45 CFR § 164.306(d)(3) each specification must be implemented where reasonable and appropriate, or the decision not to implement it, and any equivalent alternative measure, must be documented. Training shall be provided upon hire, annually thereafter, and whenever significant changes warrant updated training.

4. Definitions

Security Awareness: An ongoing program of activities designed to keep workforce members informed about security threats, policies, and best practices.

Security Training: Formal instruction on specific HIPAA security policies, procedures, and workforce member responsibilities. Training is documented with evidence of completion.

Phishing: A social engineering technique in which attackers send fraudulent communications (typically email) designed to trick recipients into revealing sensitive information or installing malware.

Malicious Software (Malware): Software designed to damage, disrupt, or gain unauthorized access to computer systems, including viruses, ransomware, spyware, and trojans.

5. Procedures

1. INITIAL TRAINING (ONBOARDING)

1.1 All new workforce members shall complete HIPAA security awareness training within [NUMBER] days of their start date and before being granted access to ePHI systems.

1.2 Initial training shall cover: overview of HIPAA Privacy and Security Rules, [PRACTICE NAME]'s privacy and security policies, the workforce member's specific responsibilities for protecting ePHI, acceptable use of systems and devices, password creation and management, recognizing and reporting phishing attempts, physical security (workstation locking, clean desk, visitor management), how to report security incidents and suspected breaches, and consequences of non-compliance (sanction policy).

1.3 The workforce member shall sign a Training Acknowledgment Form upon completion.

2. ANNUAL REFRESHER TRAINING

2.1 All workforce members shall complete annual refresher training during [MONTH] of each calendar year.

2.2 Annual training shall reinforce the topics covered in initial training and incorporate: new or emerging threats relevant to healthcare (e.g., ransomware trends, new phishing techniques), updates to [PRACTICE NAME]'s policies and procedures since the last training, lessons learned from any security incidents that occurred during the year, and regulatory updates or guidance from HHS.

2.3 Completion shall be documented in the Training Log.

3. SECURITY REMINDERS

3.1 The Security Officer shall distribute periodic security reminders to all workforce members at least [QUARTERLY/MONTHLY]. Reminders may take the form of emails, posters, newsletter articles, or brief huddle topics.

3.2 Topics shall rotate and include: password hygiene, phishing awareness, physical security, device security, social engineering red flags, and safe use of email and messaging.

4. PROTECTION FROM MALICIOUS SOFTWARE

4.1 Training shall include instruction on: not opening email attachments or clicking links from unknown or suspicious sources, not installing unauthorized software on practice devices, recognizing signs of malware infection (slow performance, unexpected pop-ups, unauthorized changes), and the procedure for reporting suspected malware to IT.

4.2 The IT Manager shall ensure that anti-malware software is installed and current on all practice systems per [PRACTICE NAME]'s technical safeguard policies.

5. LOG-IN MONITORING

5.1 Workforce members shall be trained to: report any discrepancy in their login history (e.g., last login times they do not recognize), never share their login credentials, log off or lock their workstation when stepping away, and report any unauthorized login attempts they observe.

6. PASSWORD MANAGEMENT

6.1 Workforce members shall be trained on [PRACTICE NAME]'s password standards, which follow current NIST SP 800-63B guidance:

  • favor longer passwords or passphrases (minimum [NUMBER] characters; longer is stronger) over forced character-composition complexity rules;
  • passwords must not be reused across systems;
  • passwords must be screened against known breached/compromised password lists where supported;
  • passwords must not be written down or stored in plain text;
  • passwords are changed only when there is evidence or suspicion of compromise, rather than on a mandatory periodic schedule (or as defined in the Authentication Policy); and
  • use of a practice-approved password manager is [REQUIRED/RECOMMENDED].
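The screening rules above are usually enforced by the identity provider or EHR vendor, but the Security Officer should know what "SP 800-63B-style screening" actually does in order to verify a vendor's claim. The following is an added example written for this page, not code from the template or from any vendor: it checks a candidate password for minimum length, presence in a compromised-password list using the same SHA-1 prefix (k-anonymity) lookup the Pwned Passwords range API uses, context-specific words taken from the username and practice name, and repeated or sequential runs. It deliberately has no composition rules and no expiry. The username `jsmith`, the practice name `Patel Family Clinic`, the minimum length of 12 (standing in for [NUMBER]), and the `SAMPLE_BREACHED` list are all constructed for the demo.

```python
import hashlib
import re
import unicodedata

# Constructed stand-in for a compromised-password corpus (e.g. the Pwned
# Passwords data set). A real deployment would query the range API or load
# the downloaded hash list; these entries exist only to make the demo run.
SAMPLE_BREACHED = [
    "password", "password123", "Welcome1", "letmein",
    "123456789012", "qwertyuiop12", "Summer2024!!",
]


def build_k_anon_ranges(passwords):
    """Index passwords the way the Pwned Passwords range API serves them:
    SHA-1 hex digest, bucketed by its first 5 characters, with the remaining
    35-character suffix stored. A client only ever reveals the 5-char prefix."""
    ranges = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        ranges.setdefault(digest[:5], set()).add(digest[5:])
    return ranges


def is_breached(password, ranges):
    """k-anonymity check: fetch the prefix bucket (what the server would return)
    and compare the suffix locally, so the full hash never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in ranges.get(digest[:5], set())


def has_repeated_or_sequential_run(password, run=4):
    """Flag runs such as 'aaaa' or '1234'/'abcd'; SP 800-63B lists repetitive
    or sequential characters among the values a verifier should reject."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def context_words(*sources, min_len=4):
    """Lower-cased tokens (username, practice name) a password must not contain."""
    words = set()
    for text in sources:
        for tok in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, text or ""):
            words.add(tok.lower())
    return words


def evaluate_password(candidate, username, practice_name, ranges, min_length=12):
    """Return the list of policy violations for a candidate password; an empty
    list means it is accepted. Deliberately absent: composition rules
    (required uppercase/digit/symbol) and scheduled expiry, which SP 800-63B
    says verifiers should not impose."""
    # NFKC normalization so visually identical Unicode input is hashed the same way.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(pw, ranges):
        reasons.append("appears in compromised-password list")
    lowered = pw.lower()
    for word in sorted(context_words(username, practice_name)):
        if word in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if has_repeated_or_sequential_run(pw):
        reasons.append("contains repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    ranges = build_k_anon_ranges(SAMPLE_BREACHED)
    for pw in ["password123", "jsmith-rounds-2026", "river otter paints the fence"]:
        verdict = evaluate_password(pw, "jsmith", "Patel Family Clinic", ranges)
        print(repr(pw), "->", verdict or "accepted")
```

When reviewing a vendor's implementation, the two things to confirm against this model are that the breach check sends only a hash prefix (never the password or its full hash) and that a long passphrase with spaces is accepted without being forced to contain a digit or symbol.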

7. DOCUMENTATION AND RECORDKEEPING

7.1 The Security Officer shall maintain a Training Log that records: the name of each workforce member, the date training was completed, the type of training (initial, annual, ad-hoc), the training topic or curriculum, and the method of delivery (in-person, online, recorded).

7.2 Training Acknowledgment Forms and Training Logs shall be retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later, per 45 CFR § 164.316(b)(2)(i).

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Develops and maintains the training curriculum. Schedules and delivers or coordinates training sessions. Distributes security reminders. Maintains the Training Log and Acknowledgment Forms. Evaluates training effectiveness.

Privacy Officer ([PRIVACY OFFICER NAME]): Provides content for privacy-related training topics. Ensures training addresses Privacy Rule requirements.

Supervisors/Managers: Ensure their direct reports complete training on time. Reinforce security awareness in daily operations. Report non-compliance to the Security Officer.

IT Manager/Vendor ([IT CONTACT NAME]): Provides technical content for training (e.g., malware protection, system-specific procedures). Maintains anti-malware and technical safeguards.

All Workforce Members: Complete all required training on time. Apply security practices in daily work. Report security concerns and incidents promptly.

7. Review Schedule

This policy and the training curriculum shall be reviewed at least annually and updated to reflect new threats, regulatory changes, technology changes, and lessons learned from security incidents. Training effectiveness should be assessed through periodic knowledge checks, phishing simulations, or other evaluation methods.

8. Regulatory References

45 CFR § 164.308(a)(5)(i) — Security awareness and training (Required)
45 CFR § 164.308(a)(5)(ii)(A) — Security reminders (Addressable)
45 CFR § 164.308(a)(5)(ii)(B) — Protection from malicious software (Addressable)
45 CFR § 164.308(a)(5)(ii)(C) — Log-in monitoring (Addressable)
45 CFR § 164.308(a)(5)(ii)(D) — Password management (Addressable)
45 CFR § 164.530(b) — Training requirement for Privacy Rule
45 CFR § 164.316(b)(2)(i) — Security Rule documentation retention (6 years)

Templates require customization and legal review before adoption. Not legal advice.