What is the HIPAA Security Rule Security Awareness and Training Standard?

Modified on Tue, 5 Mar at 11:56 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Security Rule requires covered entities and business associates to implement a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.  The administrative safeguards contain a series of standards that covered entities and business associates must meet. One of these standards is called the Security Awareness and Training standard.

The Security Awareness and Training standard requires covered entities and business associates to implement a security awareness and training program for all members of their workforce (including management).

Here is the standard:

(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

(ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.


To meet the security awareness and training standard, covered entities and business associates must implement a security awareness and training program for all members of their workforce (including management). The security awareness and training standard requires covered entities and business associates to implement security reminders (in the form of periodic security updates); protection from malicious software (in the form of procedures for guarding against, detecting, and reporting malicious software); log-in monitoring (in the form of procedures for monitoring log-in attempts and reporting discrepancies); and password management (in the form of procedures for creating, changing, and safeguarding passwords). All of these implementations are known as "implementation specifications."

A. Security reminders (addressable). Periodic security updates.


Where this implementation specification is a reasonable and appropriate safeguard for a covered entity or business associate, the entity must implement periodic security updates.  Types of security reminders that covered entities may choose to implement include:

Notices in printed or electronic form
Agenda items and specific discussion topics at monthly meetings
Focused reminders posted in affected areas
Formal retraining on security policies and procedures

Covered entities and business associates should look at how they currently remind the workforce of current policies and procedures, and then decide whether these practices are reasonable and appropriate or if other forms of security reminders are needed. 

B. Protection from Malicious Software. Procedures for guarding against, detecting, and reporting malicious software.

One important security measure that employees may need to be reminded of is the security software used to protect against malicious software. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity or business associate, covered entities and business associates must implement: “Procedures for guarding against, detecting, and reporting malicious software.” Malicious software can be thought of as any program that harms information systems, such as viruses, Trojan horses, or worms. As a result of an unauthorized infiltration, ePHI and other data can be damaged or destroyed, or at a minimum require expensive and time-consuming repairs. Malicious software is frequently brought into an organization through email attachments and programs downloaded from the Internet. Under the Security Awareness and Training standard, the workforce must also be trained regarding its role in protecting against malicious software, and regarding the system's protection capabilities. It is important to note that training must be an ongoing process for all organizations.

C. Log-in Monitoring.  Procedures for monitoring log-in attempts and reporting discrepancies. 

Security awareness and training should also address how users log onto systems and how they are supposed to manage their passwords. Where the Log-in Monitoring implementation specification is a reasonable and appropriate safeguard for a covered entity or business associate, the covered entity or business associate must implement: “Procedures for monitoring log-in attempts and reporting discrepancies.” 

Typically, an inappropriate or attempted log-in is when someone enters multiple combinations of usernames and/or passwords to attempt to access an information system. Fortunately, many information systems can be set to identify multiple unsuccessful attempts to log in. Other systems might record the attempts in a log or audit trail. Still others might require resetting of a password after a specified number of unsuccessful log-in attempts. If smaller covered entities or business associates are not using, or are not familiar with, their systems' capabilities for handling these types of log-in attempts, they should contact their system vendor or read their application software manuals for more information. Once the capabilities are established, the workforce must be made aware of how to use and monitor them.
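The kind of log-in monitoring described above, as an added example that is not part of the original article: a small Python detector run over a constructed audit trail that reports when one user/source pair reaches a failure threshold inside a time window, and when a success lands while such a failure streak is still open. The log format, user names and addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail (not from the article or any real system);
# the "timestamp user source outcome" format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-05T09:00:01 jdoe 10.0.0.7 FAILED
2024-03-05T09:00:05 jdoe 10.0.0.7 FAILED
2024-03-05T09:00:09 jdoe 10.0.0.7 FAILED
2024-03-05T09:00:20 jdoe 10.0.0.7 SUCCESS
2024-03-05T09:30:00 asmith 10.0.0.9 FAILED
2024-03-05T09:45:00 asmith 10.0.0.9 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAILED|SUCCESS)$")

def parse_line(line):
    """Return (timestamp, user, source, outcome), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_discrepancies(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag a user/source pair that reaches `threshold` failures inside `window`,
    and a success that lands while such a failure streak is still open."""
    recent = defaultdict(deque)  # (user, source) -> failure timestamps in window
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped in this example
        ts, user, source, outcome = parsed
        fails = recent[(user, source)]
        while fails and ts - fails[0] > window:  # drop failures outside the window
            fails.popleft()
        if outcome == "FAILED":
            fails.append(ts)
            if len(fails) == threshold:  # report once, when the threshold is hit
                findings.append((ts.isoformat(), user, source, "threshold_failures"))
        elif len(fails) >= threshold:
            findings.append((ts.isoformat(), user, source, "success_after_failures"))
            fails.clear()
    return findings

if __name__ == "__main__":
    for finding in find_discrepancies(SAMPLE_LOG):
        print(*finding)
```

The second finding is the one worth escalating: a success right after a run of failures is the discrepancy a workforce member should know how to report.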

D. Password Management. Procedures for creating, changing, and safeguarding passwords.

The last addressable specification in this standard is Password Management. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity or a business associate, the covered entity or business associate must implement: “Procedures for creating, changing, and safeguarding passwords.” 

In addition to providing a password for access, entities must ensure that workforce members are trained on how to safeguard the information. Covered entities and business associates must train all users and establish guidelines for creating passwords and changing them during periodic change cycles. 