This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Security Awareness & Training: Metrics

Reference: 45 CFR § 164.308(a)(6)

Last Updated: October 24, 2024

Purpose

Goal: Measure efficiency and progress of training program

The purpose of this policy is to ensure the completion of three areas as it relates to the Security Training Program:

Gaps in training program have been addressed;
Training priorities have been addressed;
Status of the training program.

Policy

Gap Training

Gaps in our training curriculum shall be identified during our Initial and subsequent Risk Assessment Training. In addition to these the Security Manager or authorized representative shall conduct a bi-annual inspection to ensure that the training goals have been met.

During the inspection there will be three basic areas to consider:

Employees' training has been conducted and documented;
Security Reminders have been produced and circulated;
Any security incident has been introduced as part of the curriculum.

Training Priorities

Employee’s initial training shall encompass key elements of our Security Program. Key elements covered during the initial training shall include but not be limited to:

Security Officer
Policies and Procedures
e-PHI
Business Associates
Access Controls
Password Protection
Encryption
Workstation Security
Malware
Security Incidents
Sanction Policy

Internal security issues shall also be addressed upon termination of the investigation. These issues will be added to our initial training under the topic of Security Incidents. Any findings during any inspection or security risk analysis shall also be added to the training under the Security Incident topic.

The third priority of the training program shall relate to industry specific topics and incidents. The idea of these topics is to keep the training program fresh and interesting.

Status of Training Program

The status of the training program shall be assessed on an annual basis. The status of the training program shall be documented in the Security Training Inspection form or as part of the Security Risk Analysis.

Status of training program may be affected by a multitude of variables; however, for our own benefit we will use the following table as guidance:

	Deficient	Needs Improvement	Passing
Initial Training	Not Completed	Completed > 10 days	Completed <= 10 days
Subsequent Training	Not Completed	< 1 every three months	=> 1 every three months
Security Reminders	Not Completed	< 1 every three months	=> 1 every three months
Security Incidents*	Not Completed	Completed > 10 days	Completed <= 10 days

Note: Security Incidents only apply if there is a security incident within the period under observation. Days start counting after investigation is completed.

Simplify Your Compliance with
Software and Guided Coaching

Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

hipaa compliance verification seal of compliance.png

Sign Up with
Compliancy Group

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.

Products

Resources

Specialties
Events & Webinars
Resource Hub - Coming Soon

Company

HIPAA Compliant Hosting

The premier choice for HIPAA Compliant Hosting services in the United States.

Privacy Policy | Terms of Use | Accessibility Statement