CMS Recommendations for Complying with the HIPAA Security Awareness Training Requirements

During 2008, the Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) reviewed ten HIPAA covered entities (CEs) for their compliance with the HIPAA Security Rule. They found that the CEs had problems in compliance in the following areas:

  1. Risk Assessment
  2. Currency of Policies and Procedures
  3. Security Training
  4. Workforce Clearance
  5. Workstation Security
  6. Encryption

All of these areas are discussed in detail in the report summarizing the investigation. In particular, page 9 et seq. describes the findings that refer to Security Awareness Training.

They found that:

  • CEs did not have formally documented policies related to training;
  • CEs did not track and retain evidence of training completion;
  • CEs did not conduct security awareness training prior to granting user access; and,
  • CEs did not conduct security refresher training on a regular basis.

Not good.

The document includes the following recommendations which are included here in full since they should be of interest to many organizations – not just HIPAA covered entities:

1. CEs should develop and formally document policies for the development, administration, and monitoring of initial and annual security awareness training courses. The policies should require that all newly hired employees complete initial security awareness training prior to gaining access to ePHI. This requirement should include employees and temporary workers as well as contractors and vendors, if not previously arranged through a Business Associate agreement.
Additionally, the policy should require that any individual with access to ePHI complete security awareness refresher training at least annually.

Further, the policy should require that management review and revise both the initial and refresher security awareness training courses at least annually to ensure currency with the organization’s environment. Additionally, as CEs identify new risks through the risk assessment process, they should incorporate these potential threats in the trainings to further awareness.

2. CEs should develop and formally document a procedure for initial and refresher security awareness training. This procedure should be coordinated with the account provisioning/management process. The procedure should require verification that new users have completed initial security awareness training prior to granting them access to ePHI and require security awareness training on an annual basis thereafter. Additionally, processes should be designed, documented, and put in place to monitor compliance. To support this process, CEs should develop tools for monitoring compliance. If possible, CEs should deploy an automated tracking system to capture key information regarding program activity (e.g., individuals’ completion dates). The tracking system should capture this data at a high level, so that CEs can use such information to provide enterprise-wide analysis and reporting regarding awareness, training, and education initiatives.

To effectively implement this recommendation, CEs must tightly integrate the initial hiring process with the account provisioning process. They must also integrate the training compliance monitoring process with the account management process.

3. CEs should develop and formally document procedures to monitor course completion and escalate issues involving users who have not completed their annual security awareness training timely. Specifically, pre-determined sanctions should be applied to those individuals who are not in compliance with this requirement. These sanctions may include notification of the user’s supervisor when initial deadlines pass without completion and revocation of the user’s access when final deadlines pass without completion.

Excellent advice that should apply to ALL organizations that handle sensitive information.

Jessica Holland

Add comment

Like this post? Subscribe to receive updates directly in your inbox.