Your Training
Training doesn’t have to be a course with a certificate. A short written description of your procedures for each topic, reviewed on your chosen cadence, is what satisfies the rule for a solo or small practice.
Why this chapter exists, in plain English
§164.308(a)(5) is the rule that says you have to have a security awareness and training program for everyone on the workforce. For a solo practice, the workforce is you. For a two-person office, it’s both of you. The rule doesn’t care how big you are — it cares whether the people who can touch patient information know how to handle it.
The rule has four implementation specifications under it, and each one is a concrete topic: security reminders, protection from malicious software, log-in monitoring, and password management. All four are “addressable” in HIPAA’s vocabulary, which means you decide how to meet each one and write that decision down; it does not mean optional. We’ll walk through each one the same way: what the rule is asking for, the version for a solo or small practice, and what “documented” looks like when someone asks.
Two framing pieces. The rule says training has to be “periodic” without specifying a frequency — so the chapter asks you to pick a cadence and commit to it. And there’s no certificate or course requirement — a short written description of your procedures, reviewed on cadence, is the artifact.
Setup
How often will you review your training?
The HIPAA rule says “periodic” and leaves the number to you. We recommend annual as the minimum; that is the cadence OCR writes into the corrective action plans it issues after settlements.
When did you last review your training?
If this is your first time through, picking today is the right answer — working through this chapter is a review.
The four topics
Security reminders:
how staying current beats trying to stay expert
§164.308(a)(5)(ii)(A) is the rule that says awareness has to be ongoing, not a one-time event. For a solo or small practice, this comes down to three small habits: subscribe to the HHS OCR cybersecurity newsletter (free, at hhs.gov/ocr), keep an eye on healthcare-specific phishing trends (they change fast), and set a short recurring calendar reminder to check for software updates on your work devices.
The bar here is low — staying current, not staying expert.
Do you subscribe to your EHR vendor’s security-advisory feed?
Most EHR vendors (TherapyNotes, SimplePractice, Athenahealth, Epic, etc.) publish security advisories — patch notices, vulnerability disclosures, breach updates — on a dedicated page or via email. Subscribing to yours is the EHR-specific complement to the HHS OCR newsletter above.
Protection from malicious software:
the three habits that actually keep clinical devices clean
The built-in tools are the answer for almost every solo or small practice. Windows Security (Microsoft Defender Antivirus) on Windows and XProtect on macOS are both on by default and update themselves through the operating system’s own update channel; paid third-party antivirus rarely improves on them at this scale. The one check worth making is that they are actually running: on Windows, open Windows Security and confirm real-time protection is on and the definitions were updated recently; on macOS, keep automatic updates turned on, since that is how XProtect’s definitions arrive.
The three habits that matter: keep the operating system current (install updates within a week of release); don’t click unexpected attachments or links in email, especially anything that urges immediate action or asks you to sign in; and treat any antivirus alert as an incident to write up, not a notification to dismiss. A confirmed malware event goes straight to the “If Something Goes Wrong” chapter and the ransomware scenario there.
Log-in monitoring:
a recurring check on the accounts that touch patient information
For a solo practice this means monitoring your own activity; in a small office, each workforce member’s. Pick a recurring time — first Monday of the month is a common choice — and check the sign-in activity on the three or four accounts that handle patient information. In practice that’s usually:
- Your email (Gmail: myaccount.google.com → Security → Recent security events; Microsoft: account.microsoft.com → Sign-in activity).
- Your EHR audit log — most EHRs surface this under admin or user settings.
- Your cloud storage (Drive, OneDrive, Dropbox) recent activity.
- Your password manager’s activity log if it has one.
What you’re looking for: unfamiliar locations, devices you don’t recognize, failed login attempts in bursts. Any of those is treated as a possible account compromise — see the account-compromise scenario in the “If Something Goes Wrong” chapter.
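If you would rather not eyeball four activity pages by hand every month, the same three checks can be written down as a small script. The example below is added here and is not part of the original chapter, nor a feature of Google, Microsoft or any EHR; it assumes you have copied your recent sign-in events (account, time, location, device, success or failure) into simple records, which is the shape of the constructed sample inside it. The baseline location and device names, and the “five failures in ten minutes” definition of a burst, are assumptions to replace with your own.

```python
# Added example for the monthly log-in review described above. Not part of the
# original chapter and not a feature of Google, Microsoft or any EHR; it assumes
# you have copied your recent sign-in events into the simple records below.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    account: str        # which of your accounts: "email", "ehr", "drive", ...
    when: datetime
    location: str       # city/region as the provider reports it
    device: str         # browser or device name as the provider reports it
    success: bool


# Your baseline: the places and devices that are actually yours.
# Hypothetical values; replace with your own.
KNOWN_LOCATIONS = {"Portland, OR"}
KNOWN_DEVICES = {"Chrome on macOS", "iPhone"}

# "A burst" here means this many failures inside this window. Both numbers are
# assumptions you can tune, not figures from the rule.
FAILURE_BURST = 5
BURST_WINDOW = timedelta(minutes=10)


def review_signins(events, known_locations=KNOWN_LOCATIONS,
                   known_devices=KNOWN_DEVICES,
                   burst=FAILURE_BURST, window=BURST_WINDOW):
    """Run the chapter's three checks; return (account, reason, detail) findings."""
    findings = []
    by_account = defaultdict(list)
    for event in events:
        by_account[event.account].append(event)

    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.when)

        # Checks 1 and 2: a *successful* sign-in from a place or device you do
        # not recognize. Failed attempts from strangers are background noise;
        # a success is the signal that someone actually got in.
        for e in evs:
            if not e.success:
                continue
            stamp = f"{e.when:%Y-%m-%d %H:%M}"
            if e.location not in known_locations:
                findings.append((account, "unfamiliar location", f"{e.location} at {stamp}"))
            if e.device not in known_devices:
                findings.append((account, "unrecognized device", f"{e.device} at {stamp}"))

        # Check 3: a burst of failed logins. Sliding window over the failure
        # timestamps; report at most once per account.
        failures = [e.when for e in evs if not e.success]
        start = 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= burst:
                findings.append((account, "failed-login burst",
                                 f"{end - start + 1} failures between "
                                 f"{failures[start]:%H:%M} and {failures[end]:%H:%M}"))
                break
    return findings


def sample_events():
    """Constructed sample month, not a real export: one odd login, one burst."""
    t0 = datetime(2024, 3, 4, 8, 0)
    events = [
        SignIn("email", t0, "Portland, OR", "Chrome on macOS", True),
        SignIn("email", t0 + timedelta(hours=2), "Portland, OR", "iPhone", True),
        SignIn("email", t0 + timedelta(hours=5), "Lagos, Nigeria", "Firefox on Windows", True),
        SignIn("ehr", t0 + timedelta(days=1), "Portland, OR", "Chrome on macOS", True),
    ]
    # six failed EHR logins inside five minutes
    for minute in range(6):
        events.append(SignIn("ehr", t0 + timedelta(days=2, minutes=minute),
                             "unknown", "unknown", False))
    return events


def sample_quiet_events():
    """Constructed uneventful month: known devices, a few scattered typos."""
    t0 = datetime(2024, 4, 1, 9, 0)
    events = [SignIn("email", t0 + timedelta(days=d), "Portland, OR", "iPhone", True)
              for d in range(4)]
    events += [SignIn("ehr", t0 + timedelta(days=1, minutes=15 * k), "unknown", "unknown", False)
               for k in range(4)]
    return events


if __name__ == "__main__":
    for account, reason, detail in review_signins(sample_events()):
        print(f"{account:6} {reason:22} {detail}")
```

Run it against the sample and it reports the Lagos sign-in twice (new location and new device) and the six failed EHR logins once; the quiet month produces nothing. Anything it does report is handled exactly as the paragraph above says: treat it as a possible account compromise and go to the scenario in the “If Something Goes Wrong” chapter.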
Password management:
confirming you're following the procedures from Chapter 3
Password management is covered in depth in Chapter 3, “Your Passwords.” The training-rule question here is narrower: confirm you’re following the password procedures you set up there.
The short version: a password manager generating and storing a unique password for every account that touches patient information, with MFA enabled wherever the account supports it, and no credential reuse across accounts. If any of those are in doubt, work back through Chapter 3 before checking this box.
For your insurer (optional)
Optional, and not required to finish this chapter. Cyber-liability carriers (Hiscox especially) ask whether security training is required at least annually. Your answer pre-fills the training row of your Carrier-Mapped Insurance Summary.
Is annual security-awareness training a standing requirement at your practice?