HIPAA Security Tip #29: Security Awareness And Training

By Iseman Cunningham Riester & Hyde LLP

The final HIPAA Security Rule includes a “security awareness and training” standard requiring Covered Entities to train all personnel, including management, on security topics and policies. The training requirement applies regardless of the size of the organization.

Training must be provided to all individuals with access to electronic Protected Health Information, even, for example, per diems and temporary employees. Keep in mind, however, that training for any given employee is only required as is reasonable and appropriate for the employee to carry out his or her job function. Consider a segmented or modular training program with different components required “as needed” for the job function. This will also provide a ready means for additional training when employees change job functions, and/or targeted remedial training as necessary.

Remember that the Security Rule requires training to be completed by April 21, 2005. If a covered entity has merely developed a training program by that date, but has not yet conducted the training, the covered entity is not in compliance with the rule.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.

HIPAA Security Tips Archive

No posts to display