2012 OCR HIPAA Audit Program Protocol on Security Training

At the Standard Level:

OCR Audit Established Performance Criteria: §164.308(a)(5) Security Awareness and Training - Implement a security awareness and training program for all members of its workforce (including management).

OCR Audit Key Activity 1: Develop and Approve a Training Strategy and a Plan.

OCR Audit Protocol Procedures 1: Inquire of management as to whether security awareness and training programs address the specific required HIPAA policies. Obtain and review a list of security awareness and training programs and evaluate the content in relation to the specified criteria. Determine if the specific HIPAA policies are addressed in these courses. Determine if the security awareness and training programs are provided to the entire organization. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

OCR Audit Key Activity 2: Develop and Approve a Training Strategy and a Plan.

OCR Audit Protocol Procedures 2: Inquire of management as to whether security awareness and training programs outline the scope of the program. Obtain and review a sample of security awareness and training programs and evaluate the content in relation to the specified criteria. Determine if security awareness and training programs have been reviewed and approved. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on their rationale as to why and where they have chosen not to fully implement this specification. Evaluate this documentation if applicable.

OCR Audit Key Activity 3: Develop Appropriate Awareness and Training Content, Materials, and Methods.
OCR Audit Protocol Procedures 3: Inquire of management as to whether training materials incorporate relevant current IT security topics. Obtain and review a sample of training materials and determine if training materials are updated with relevant and current information. Determine if training materials are reviewed to ensure relevant and current information is included. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

OCR Audit Key Activity 4: Implement the Training.

OCR Audit Protocol Procedures 4: Inquire of management as to whether employees receive all required training. Obtain and review a list of required training. Determine if required training courses are designed to help employees fulfill their security responsibilities. Determine if training courses are provided to employees to fulfill their security responsibilities. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

OCR Audit Key Activity 5: Monitor and Evaluate Training Plan.

OCR Audit Protocol Procedures 5: Inquire of management as to whether security policies and procedures are updated periodically. Obtain and review security policies and procedures. Determine if security policies and procedures are approved and updated on a periodic basis. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

2012 OCR HIPAA Audit Program Protocol on Security Training

At the Implementation Specification Level:

OCR Audit Established Performance Criteria: §164.308(a)(5)(ii)(A): Security Awareness and Training - Periodic security updates.

OCR Audit Key Activity: Implement Security Reminders.

OCR Audit Protocol Procedures: Inquire of management as to whether security policies and procedures are updated periodically. Obtain and review security policies and procedures. Determine if security policies and procedures are approved and updated on a periodic basis. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

OCR Audit Established Performance Criteria:
§164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.
§164.308(a)(5)(ii)(C): Security Awareness and Training - Procedures for monitoring log-in attempts and reporting discrepancies.
§164.308(a)(5)(ii)(D): Security Awareness and Training - Procedures for creating, changing, and safeguarding passwords.

OCR Audit Key Activity: Protection from Malicious Software; Log-in Monitoring; and Password Management.

OCR Audit Protocol Procedures: Inquire of management as to whether formal or informal policy and procedures exist to inform employees of the importance of protecting against malicious software and exploitation of vulnerabilities. Obtain and review formal or informal policy and procedures for informing employees of the importance of protecting against malicious software and exploitation of vulnerabilities. Determine if the formal or informal policy and procedures have been approved and updated as needed. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.