Goal: Define the procedures used to provide an ongoing security information and awareness program to employees.
The purpose of this policy is to communicate to the workforce changes that may affect the privacy and security of ePHI.
Procedure: The Security Manager is responsible for reminding employees of, and updating them on, their security responsibilities and the existence of any potential threat. As part of these responsibilities, the Security Manager shall:
- Post in a visible area basic information regarding ePHI.
- On at least a quarterly basis, communicate to the staff (by e-mail, brochures, training session, or as part of a staff meeting) a reminder regarding Security Practices.
- Inform staff members of security violations and/or penetration attempts.
- Internal security violations shall be forwarded to all employees immediately. Whenever possible, reports of the violation will be sanitized to protect the privacy of the violator and the ePHI.
- Internal violations that have been contained may be reported to the workforce via e-mails, bulletin boards, memos or staff meetings.
- Internal violations that have not been contained will require lock-up procedures where no one other than the Security Manager, the System Manager and the designated staff will have access to ePHI.
- Penetration attempts shall be included as part of a quarterly meeting with the staff.
- Inform staff of potential threats, including but not limited to viruses, worms and Trojan horses.