# Workforce Training Policy

HIPAA Rule: §164.308(a)(5)

## Purpose
Ensure all workforce members who access PHI systems understand their HIPAA obligations and can recognize and respond to security threats.
## Who Must Be Trained
| Group | Training Required |
|---|---|
| All engineers (DevOps, backend, frontend) | HIPAA Security awareness + PHI handling |
| App administrators | Above + access control procedures |
| Anyone with PHI system access | Full Security Rule training |
## Training Requirements

### Initial Training
All new workforce members must complete HIPAA training before being granted access to PHI systems.
Topics:

1. What is PHI and why it is protected
2. HIPAA Security Rule overview
3. Your responsibilities as a workforce member
4. Password and authentication requirements (MFA)
5. Incident recognition and reporting
6. Acceptable use of PHI systems
7. Consequences of violations

### Annual Refresher

All workforce members must complete an annual refresher covering:

- Policy updates since last training
- Recent incident trends (anonymized)
- Phishing awareness
## Training Delivery
- Platform: [TBD — e.g., Google Classroom, dedicated LMS, or recorded internal session]
- Completion must be documented with date and trainer/platform
- Certificates of completion retained for 6 years
## Sanctions
Failure to complete training within 30 days of hire (or annual due date) results in:
- Access to PHI systems suspended until training complete
- Manager notified
- Documented in personnel record
Intentional PHI misuse results in immediate access revocation and disciplinary action up to termination.
## Training Records
| Field | Retention |
|---|---|
| Name of trainee | 6 years |
| Date of training | 6 years |
| Training content version | 6 years |
| Completion confirmation | 6 years |
## Phishing Simulation
Conduct annual phishing simulations against workforce members with PHI system access. Document results and use for targeted follow-up training.