HIPAA Security Training: A Flexible Approach

Whether your organization is an insurance company, hospital, clinic, dental group, elder-care facility or anything in between, security awareness and training is required of all members of its workforce (including management).

So how must healthcare organizations plan to meet the Security and Awareness Training Standard? As a first step, I often caution clients to review specific standards and the references made as a part of the standard – for example, §164.308, the Security Awareness and Training Standard must be read in conjunction with § 164.306 Security Standards: General rules, since the General Rules help the organization understand the general intent of the standards and guidance for implementing them. Take a look at the General Rules and see for example the guidance on a “Flexible Approach” -

§ 164.306 Security Standards: General Rules

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under sub-part E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach. (Emphasis added)
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii)The covered entity’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv)The probability and criticality of potential risks to electronic protected health information.

As you can see, the General Rules help answer the question…”We are a clinic and cannot afford a large scale training program like a hospital, what can we do?” By reading § 164.306 Security Standards: General Rules, healthcare organizations of any size will realize the “flexibility” built into the regulations are designed to accommodate healthcare operations of any size.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us