HIPAA Security Tip #30: Security Reminders

By Iseman Cunningham Riester & Hyde LLP

Covered entities must consider “security reminders” as part of their security awareness and training programs under the final HIPAA security rule. (See Tip #29 for more on security awareness and training programs.) The final rule provides that a “security reminder” includes “periodic security updates” but provides no further guidance on how to meet this requirement.

The security reminder specification is “addressable,” which means that the covered entity must implement the specification unless doing so would be inappropriate or unreasonable and the purpose of the standard cannot be met through a reasonable alternative measure. It is difficult to imagine how issuing periodic security updates could be an inappropriate or unreasonable measure except in the smallest of organizations.

Covered entities should take an expansive view of reminders and use multiple media and multiple venues to create a “culture” of security awareness. For example, show users a “security tip of the day” at logon or when they access the organization’s intranet. Insert a “Security Awareness” column in monthly or quarterly newsletters. Notify users of security incidents by broadcast e-mail, including an explanation of the remedial actions that have been taken to prevent a repeat incident. Post interesting articles on computer security in the mailroom or cafeteria/breakroom. None of these approaches is particularly time consuming, and, used together, they can communicate strongly to IS users the importance of good security practices.

Do not confuse “periodic security updates” in relation to security and awareness training with “periodic security updates” in relation to software patches and revisions. Keeping software current is critical to an effective security program, but that is not the purpose of the security reminder specification.

