This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Security Awareness & Training: Metrics

Reference: 45 CFR § 164.308(a)(6)
Last Updated: July 5, 2023


Goal: Measure efficiency and progress of training program

The purpose of this policy is to ensure the completion of three areas as it relates to the Security Training Program:

  1. Gaps in training program have been addressed;
  2. Training priorities have been addressed;
  3. Status of the training program.


Gap Training

Gaps in our training curriculum shall be identified during our Initial and subsequent Risk Assessment Training. In addition to these the Security Manager or authorized representative shall conduct a bi-annual inspection to ensure that the training goals have been met.

During the inspection there will be three basic areas to consider:

  1. Employees' training has been conducted and documented;
  2. Security Reminders have been produced and circulated;
  3. Any security incident has been introduced as part of the curriculum.

Training Priorities

Employee’s initial training shall encompass key elements of our Security Program. Key elements covered during the initial training shall include but not be limited to:

  • Security Officer
  • Policies and Procedures
  • e-PHI
  • Business Associates
  • Access Controls
  • Password Protection
  • Encryption
  • Workstation Security
  • Malware
  • Security Incidents
  • Sanction Policy

Internal security issues shall also be addressed upon termination of the investigation. These issues will be added to our initial training under the topic of Security Incidents. Any findings during any inspection or security risk analysis shall also be added to the training under the Security Incident topic.

The third priority of the training program shall relate to industry specific topics and incidents. The idea of these topics is to keep the training program fresh and interesting.

Status of Training Program

The status of the training program shall be assessed on an annual basis. The status of the training program shall be documented in the Security Training Inspection form or as part of the Security Risk Analysis.

Status of training program may be affected by a multitude of variables; however, for our own benefit we will use the following table as guidance:

Deficient Needs Improvement Passing
Initial Training Not Completed Completed > 10 days Completed <= 10 days
Subsequent Training Not Completed < 1 every three months => 1 every three months
Security Reminders Not Completed < 1 every three months => 1 every three months
Security Incidents* Not Completed Completed > 10 days Completed <= 10 days

Note: Security Incidents only apply if there is a security incident within the period under observation. Days start counting after investigation is completed.

Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram