Policy Security #0005 - Security Awareness and Training

East Carolina University
HIPAA Security Policies

Subject: Security Awareness and Training
Policy #: Security-0005
Supersedes:
Effective Date: April 21, 2005
Review Date: May 30, 2013
Revised: March 30, 2012, May 30, 2013
Approved:
Coverage: ECU Health Care Components
Page: 1 of 2

HIPAA Security Rule Language:
“Implement a security awareness and training program for all members of a covered entity’s workforce (including management).”
1. Security reminders (A)
2. Protection from malicious software (A)
3. Log-in monitoring (A)
4. Password management (A)

Regulatory Reference: 45 CFR 164.308(a)(5)(i)
I. PURPOSE
This policy reflects East Carolina University’s commitment to provide regular security awareness and training to its workforce members.
II. AUTHORIZATION AND ENFORCEMENT
Health Care Component management and/or administrator(s) are responsible for monitoring and enforcing this policy, in consultation with the ECU IT Security Officer, ECU HIPAA Security Officer, and ECU HIPAA Privacy Officer.
III. POLICY
ECU must develop, implement, and regularly review a formal, documented program for providing appropriate security training and awareness to its workforce members. All Health Care Components’ workforce members must be provided with sufficient training and supporting reference materials to enable them to appropriately protect EPHI on ECU information systems.

All new ECU Health Care Components’ workforce members must receive appropriate security training before being provided with access or accounts on ECU information systems. Existing workforce members must receive security training updates at a minimum of once a year.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only. All other rights reserved
Page 1 of 2
Business associates must be made regularly aware of ECU security policies, standards, and procedures. Third-party persons who access ECU healthcare computing systems or EPHI must be made aware of ECU security policies, standards, and procedures.
IV. APPLICABILITY
This policy is applicable to all workforce members who are responsible for or otherwise administer a healthcare computing system. A healthcare computing system is defined as a device or group of devices that store EPHI which is shared across the network and accessed by healthcare workers.
V. PROCEDURE
The following standards and safeguards must be implemented to satisfy the requirements of this policy:
1. As defined in ECU’s Security Reminders Standard, ECU must provide regular security information and awareness to its workforce members.
2. As defined in ECU’s Protection from Malicious Software Standard, ECU must regularly train its workforce members about its process for guarding against, detecting, and reporting malicious software that poses a risk to its information systems and data.
3. As defined in ECU’s Log-in Monitoring Standard, ECU must regularly train its workforce members about its process for monitoring log-in attempts and reporting discrepancies.
4. As defined in ECU’s Password Management Standard, ECU must regularly train its workforce members about its process for creating, changing, and safeguarding passwords.
VI. COORDINATING INSTRUCTIONS
1. All section policies, standards, and procedures will be reviewed annually. Every section policy, standard, and procedure revision/replacement will be maintained for a minimum of six years from the date of its creation or when it was last in effect, whichever is later. Other East Carolina University, University of North Carolina system, or state of North Carolina requirements may stipulate a longer retention.