POLICY # 15
SECURITY REMINDERS
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language
“Implement …, periodic security updates, ...”
Policy Summary:
Sindecuse Health Center (SHC) must provide regular security
information and awareness to its workforce members.
Purpose:
This policy reflects SHC’s commitment to provide regular security
information and awareness to its workforce members.
Policy:
1. SHC must make certain that all of its workforce members, including
those who work remotely, are regularly reminded of information security
risks and how to follow SHC security policies. Additionally, workforce
members must be provided with information about SHC security
procedures and how to use SHC information systems in ways that
minimize possible security risks.
2. On a regular basis, SHC must provide all of its workforce members
information and reminders on topics including, but not limited to:





SHC information security policies.
Significant SHC information security controls and processes.
Significant risks to SHC information systems and data.
Security best practices (e.g. how to choose a good password,
how to report a security incident).
SHC’s information security legal and business responsibilities
(e.g. HIPAA, business associate contracts).
Such information and reminders may be provided at SHC or via remote
methods.
3. In addition to providing regular information security awareness, SHC
must provide security information and awareness to all of its workforce
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
SECURITY REMINDERS
members when any of the following events occur:





Significant revisions to SHC’s information security policies or
procedures.
Significant new information security controls are implemented at
SHC.
Substantial changes are made to significant SHC information
security controls.
Significant changes occur to SHC’s information security legal or
business responsibilities.
Significant new threats or risks arise against SHC information
systems or data.
Such information may be provided at SHC or via remote methods.
4. SHC’s Information Security Officer is responsible for ensuring that
workforce members receive regular security information and awareness.
5. Methods for providing security information and awareness can
include, but are not limited to:




Email reminders
Posters
Letters
Workforce member meetings



Screen savers
Information system sign on messages
Newsletter articles
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory
ADDRESSABLE Implementation Specification for Security Awareness
and Training Standard
Regulatory
Reference:
45 CFR 164.308(a)(5)(ii)(A)
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
SECURITY REMINDERS
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Risk means the likelihood that a specific threat will exploit a certain
vulnerability, and the resulting impact of that event.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Security Awareness and Training
Protection from Malicious Software
Log-in Monitoring
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
SECURITY REMINDERS
Password Management
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.