HIPAA 164.308(a)(5)(ii)(A) Security Reminders
Questions an auditor may ask you (from NIST SP 800-66):
- What methods are available or already in use to make or keep employees aware of security, e.g., posters or booklets?
- Is security refresher training performed on a periodic basis (e.g., annually)?
- Is security awareness discussed with all new hires?
- Are security topics reinforced during routine staff meetings?
Suggestions for keeping reminders fresh, and for producing evidence an auditor can review:
- Display security reminders and a warning banner at log-in on all workstations.
- Screen savers can display rotating security and privacy hints and tips.
- Place posters throughout the facility to remind staff about information security and the security of physical assets. Change these posters periodically to avoid the message going stale.
- If your company has a newsletter (hard copy or email) have a “Compliance Corner” for news from the Privacy Officer and Information Security Officer.
- Remind staff to complete their annual security refresher training on time.
- Keep records of New Employee Orientation, including evidence of HIPAA awareness.
- Provide evidence that security & privacy are discussed at staff and executive meetings (agendas and minutes).
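The log-in warning banner suggested above is one item on this list that can be both applied and checked mechanically. The PowerShell below is an added example, not code from the original page or from NIST; it assumes an elevated session on a Windows workstation, and the banner wording, the function names and the evidence file path are illustrative choices of this example. The registry path and the LegalNoticeCaption/LegalNoticeText values are the real settings behind the "Interactive logon: Message title/text for users attempting to log on" security options.

```powershell
# Added example (not from the original page): set and verify the Windows
# interactive logon banner. Assumes an elevated PowerShell session.
$BannerPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-LogonBanner {
    param(
        [Parameter(Mandatory)] [string] $Caption,
        [Parameter(Mandatory)] [string] $Text
    )
    # LegalNoticeCaption / LegalNoticeText are the registry values written by the
    # "Interactive logon: Message title/text for users attempting to log on" policies.
    Set-ItemProperty -Path $BannerPath -Name 'LegalNoticeCaption' -Value $Caption -Type String
    Set-ItemProperty -Path $BannerPath -Name 'LegalNoticeText'    -Value $Text    -Type String
}

function Test-LogonBanner {
    # Returns one record for an evidence file: whether both values are present
    # and non-empty, plus the current text so a reviewer can read what users see.
    $props   = Get-ItemProperty -Path $BannerPath -ErrorAction SilentlyContinue
    $caption = $props.LegalNoticeCaption
    $text    = $props.LegalNoticeText
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Checked      = (Get-Date).ToString('s')
        Compliant    = (-not [string]::IsNullOrWhiteSpace($caption)) -and (-not [string]::IsNullOrWhiteSpace($text))
        Caption      = $caption
        Text         = $text
    }
}

# Example usage (banner wording is illustrative, not taken from the page):
Set-LogonBanner -Caption 'Authorized Use Only' -Text @"
This system contains protected health information (PHI). Access is restricted to
authorized users and is monitored. By logging in you acknowledge your obligation
to protect PHI under HIPAA and this organization's security policies.
"@

# Append the check result to a CSV that can be filed as audit evidence (path is an assumption).
Test-LogonBanner | Export-Csv -Path "$env:TEMP\logon-banner-evidence.csv" -NoTypeInformation -Append
```

In a domain, set the banner through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) rather than by hand; Group Policy writes the same two registry values, so Test-LogonBanner still works as the periodic check and its output is the kind of record the "provide evidence" items above ask for.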
Do you have any other great ideas for reminding staff about their security and privacy responsibilities? Let us know!