Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

POLICY # 14 ADMINISTRATIVE MANUAL APPROVED BY:

SECURITY AWARENESS AND TRAINING
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
HIPAA Security
Rule Language:
POLICY # 14
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
“Implement a security awareness and training program for all members
of a covered entity’s workforce (including management).”
1. Security reminders (A)
2. Protection from malicious software (A)
3. Log-in monitoring (A)
4. Password management (A)
Policy Summary:
Sindecuse Health Center (SHC) must develop, implement, and regularly
review a formal, documented program for providing appropriate security
training and awareness to its workforce members. All SHC workforce
members must be provided with sufficient training and supporting
reference materials to enable them to appropriately protect SHC
information systems and data. All new SHC employees must receive
appropriate security training before being provided with access or
accounts on SHC information systems.
Business associates must be made regularly aware of SHC security
policies and procedures. Third party persons who access SHC
information systems or data must be made aware of SHC security
policies and procedures.
Purpose:
This policy reflects SHC’s commitment to provide regular security
awareness and training to its workforce members.
Policy:
1. Each workforce member who has access to SHC information systems
must understand how to protect the confidentiality, integrity, and
availability of the systems.
2. SHC must develop, implement, and regularly review a formal,
documented program for regularly providing appropriate security training
and awareness to workforce members.
3. All SHC workforce members, both remote and onsite, must be
provided with sufficient regular training and supporting reference
materials to enable them to appropriately protect SHC information
systems. Such training may be provided at SHC facility locations
or via remote training methods. Such training must include, but is
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
SECURITY AWARENESS AND TRAINING
not limited to:





All appropriate SHC information security policies, procedures
and standards.
The secure use of SHC information systems (e.g. log-on
procedures, allowed software).
Significant risks to SHC information systems and data.
SHC’s legal and business responsibilities for protecting its
information systems and data.
Security best practices (e.g. how to construct a good password,
how to report a security incident).
4. After training has been conducted, each SHC workforce member must
verify that he or she has received the training, understood the material
presented, and agrees to comply with it.
5. All new SHC employees must receive appropriate security training
before being provided with access or accounts on SHC information
systems. After such training, each employee must verify that he or she
has received the training, understood the material presented, and agree to
comply with it.
6. Business associates must be informed of SHC security policies and
procedures on a regular basis. Such awareness can occur through
contract language or other means.
7. Third-party persons who access SHC information systems or data
must be informed of SHC security policies and procedures. It is the
responsibility of each SHC employee who retains the services of thirdparty individuals to ensure that these individuals adhere to all appropriate
SHC policies. Such responsibility may include verifying third-party
individuals have attended security training or providing them with
appropriate security training or reference materials.
8. All SHC information security policies and procedures must be readily
available for reference and review by appropriate employees, business
associates, and third-party workers.
9. All SHC workforce members responsible for implementing safeguards
to protect information systems must receive formal training that enables
them to stay abreast of current security practices and technology.
10. As defined in SHC’s Security Reminders policy, SHC must provide
regular security information and awareness to its workforce members.
11. As defined in SHC’s Protection from Malicious Software policy,
SHC must regularly train and remind its workforce members about its
process for guarding against, detecting, and reporting malicious software
that poses a risk to its information systems and data.
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
SECURITY AWARENESS AND TRAINING
12. As defined in SHC’s Log-in Monitoring policy, SHC must regularly
train and remind its workforce members about its process for monitoring
log-in attempts and reporting discrepancies.
13. As defined in SHC’s Password Management policy, SHC must
regularly train and remind its workforce members about its process for
creating, changing and safeguarding passwords.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.308(a)(5)(i)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
SECURITY AWARENESS AND TRAINING
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Risk means the likelihood that a specific threat will exploit a certain
vulnerability, and the resulting impact of that event.
Responsible
Department:
Administration; Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Security Reminders
Protection from Malicious Software
Log-in Monitoring
Password Management
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Arts
Cooperative Innovative High School Curriculum Template Associate in Arts
ROMAN CATHOLICS IN MINEHEAD
ROMAN CATHOLICS IN MINEHEAD
B3_Energy_transfers
B3_Energy_transfers
Specific Heat Capacity
Specific Heat Capacity
Download