HIPAA Privacy Rule
45 CFR § 164.530(b)(1)
(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
HIPAA Security Rule
45 CFR § 164.308(a)(5)
(a) A covered entity or business associate must, in accordance with § 164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. . . .
(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement:
(A) Security reminders (Addressable). Periodic security updates.
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
What does Addressable mean?
It means, while this item is not Required, it needs to be addressed.
Being Addressable does NOT mean it is not required.
Look at it this way, if an auditor just reviewed an office of your size (or smaller) and that office implemented the addressable item…do you think the auditor will find it strange that you haven’t implemented?
And believe me, not having a password policy or anti-virus because this regulation says it is “only” addressable will land you in a heap of trouble.