How to Manage HIPAA Security Reminders in 5 Easy Steps


You know you must provide HIPAA training to new employees shortly after employment. However, a frequently forgotten part of training is security reminders. Security reminders are a required administrative safeguard under the HIPAA Security Rule. The Security Rule also requires you to implement a security awareness and training program for all members of your workforce, including management. Therefore, security reminders are not only a required safeguard but also a vital part of your HIPAA training arsenal.

Learn how to manage your HIPAA security reminders in five easy steps: choosing reminder topics, choosing the medium/media, scheduling your reminders, setting someone in charge, and keeping a record of your compliance.

1. Choose Your Topics

Required topics. There are three specific security reminder topics you must cover in your security awareness and training program:

  1. Protection from malicious software. Train staff on how to guard against, detect, and report malicious software. For example, employees should know how to identify suspicious emails, how to scan files before downloading them, and how to review permission requests.
  2. Login monitoring. Train staff on how to use your organization’s login process correctly, how to monitor login attempts, and how to detect and report login discrepancies.
  3. Password management. Train staff on how to safely create, store, and manage their passwords to prevent unauthorized access.

Since protection from malicious software, login monitoring, and password management are important reminders, we made it easy to send them from our software, HIPAAtrek. It’s easy to see at a glance which topics you’ve already covered in HIPAAtrek’s Security Reminders module.

Topics based on your organization’s risks. You should also choose topics based on the particular needs and vulnerabilities in your own organization. For example, if you find in your security risk analysis that employees step away from their workstations without first logging off, you may want to develop a series of reminders about workstation security.

Additionally, phishing emails pose a major threat to healthcare organizations. Therefore, it’s always a good idea to remind your staff about how to recognize this threat and safely manage their inboxes.

Our security reminder system is 100% customizable to your organization’s needs, so you don’t have to rely on stale, stock templates. You can talk directly to your team about the issues that matter to them.


2. Choose Your Medium/Media

The HIPAA rule is flexible about how you deliver your reminders. Therefore, you can choose the medium or media you believe will be most effective for your employees. Some common options are:

  • Email blasts. You can compose a few long, descriptive emails or several shorter emails.
  • Training videos. You can have employees watch training videos from their workstations.
  • Staff meetings. You can use meetings to deliver verbal or printed security training information to your team.
  • Physical reminders. You can hang signs or posters with security information in key places around your workplace.
  • Newsletters, message boards, or the intranet. If your organization uses any of these communication tools, they are great for getting timely information to your team (e.g. a security column in a newsletter or security-focused thread on a message board).

In HIPAAtrek’s Security Reminders module, you can create custom reminders and email them to your staff with the click of a button. Don’t worry; you can always go back and edit the reminder later to correct typos that slipped through!

3. Choose Your Schedule

HIPAA requires periodic security reminders. The exact schedule is up to you. What frequency will best meet your staff’s needs? Weekly? Monthly? Quarterly? You should develop a schedule based on the topic, the medium through which you will send reminders, and the changing needs and risks in your organization.

For example, if your organization requires employees to change their password every quarter, then it would be smart to include a reminder about creating strong passwords in the quarterly newsletter.

The importance of timeliness. Always be ready to compose a reminder on the fly. For example, if an employee falls prey to an email phishing attack and causes a breach, you should send out a timely reminder to all staff members about how to detect malicious emails (after mitigating the breach, of course!).

We know how easy it is to plan a task and then forget to do it! That’s why it’s important to automate your reminders. We made HIPAAtrek’s Security Reminders module do all the work – all you need to do is schedule the date, time, frequency, and end date of your reminders, and HIPAAtrek will keep your schedule for you (that’s potentially years’ worth of reminders done in less than an hour!).

4. Choose Who’s in Charge

Your organization’s HIPAA security officer should be in charge of developing and scheduling security reminders. The security officer will know your organization’s areas of weakness from conducting a security risk analysis. Therefore, they’re equipped to take this knowledge to the security reminder process.

However, the security officer must be in close communication with the IT department and other departments as needed to get the most accurate security information. Again, security is everyone’s responsibility.

5. Choose to Document Your Compliance

Sending HIPAA security reminders isn’t just a friendly suggestion – the HIPAA Security Rule requires it. And, because it’s a requirement, the Department of Health and Human Services Office for Civil Rights (HHS/OCR) may ask for records showing that you comply with the rule.

Therefore, you should have a record of all your security reminders to present to the OCR in the event of an audit. We recommend documenting the following:

  • Email blasts. Print the emails and recipient list for your records.
  • Training videos. Keep a transcript of the videos and recipient list in your records.
  • Staff meetings. Transcribe the verbal reminder or keep the printed security training documents for your records.
  • Physical reminders. Keep all posters and other printed reminders in your records.
  • Newsletters, message boards, or the intranet. Again, print the security message delivered through these media for your records.

When you use HIPAAtrek to manage your security reminders, our software automatically keeps a list of your reminders, the recipients, the dates they were sent, and more. Plus, you can export the data to Excel to easily present to requesters. This takes the burden of proving your compliance off your shoulders so you can focus on more important things.


Summary of HIPAA Security Reminders

Security reminders are not only a required administrative safeguard under the HIPAA Security Rule but are also a vital part of your HIPAA training program. Security reminders should be sent periodically to all staff members, including management, and should inform them about a security topic. We discussed five steps to start managing your security reminders effectively:

  1. Choose your topics
  2. Choose your medium/media
  3. Choose your schedule
  4. Choose who’s in charge
  5. Choose to document your compliance

Learn more about how HIPAAtrek can take your HIPAA management to the next level by checking out our platform page or shooting us an email – we’d love to answer your questions!
