
The assessment matters most when it changes what people do next.
A HIPAA Security Risk Assessment should not end with a binder, a PDF, or a folder that no one opens again. The SRA should lead to training, reminders, assignments, deadlines, and follow-up. If you are the HIPAA Security Officer, this means your role is not only to help identify risks. Your role is to help the organization do something with the findings.
If you are an executive manager, this topic matters because training and reminders are where the compliance program becomes real for the workforce. A policy may say the right thing, but people need to understand what it means in their daily work. New employees, volunteers, temporary staff, subcontractors, and other workforce members may all need training depending on their roles and access. If these people are not trained and reminded, the organization may have a written program that does not match actual behavior.
Why this information is important
Human error remains one of the most common ways security incidents begin. Someone clicks a phishing link. Someone uses a weak password. Someone texts patient information through the wrong channel. Someone leaves a laptop in a car. Someone forgets to report a suspicious email because they do not know whether it matters. Training and reminders are not just formalities. They are how organizations turn policies into habits.
The SRA should identify workforce-related risks and help leadership decide what training, reminders, and corrective actions are needed. For example, if the SRA identifies poor password practices, lack of phishing awareness, unsecured devices, weak reporting habits, or inconsistent access termination, the security management plan should connect those findings to specific education and follow-up.
What is actually expected under this topic
HIPAA Security training should help workforce members understand how the Security Rule applies to their roles. The Security Rule's Security Awareness and Training standard (45 CFR 164.308(a)(5)) requires a program for all workforce members, including management, and lists security reminders, protection from malicious software, log-in monitoring, and password management as its addressable implementation specifications. Topics commonly include password management, phishing awareness, workstation use, remote access, portable devices, secure messaging, reporting suspicious activity, incident response basics, access control, minimum necessary practices, and the importance of protecting ePHI. Training should be provided to new workforce members as part of onboarding and should continue periodically. The Security Rule does not set a fixed interval; annual training is the common practice, with retraining whenever roles, systems, policies, or risks change.
Training documentation matters. The organization should be able to show who was assigned training, what training was assigned, when it was completed, what topics were covered, and how overdue or incomplete training was handled. HIPAA's definition of "workforce" (45 CFR 160.103) covers employees, volunteers, trainees, and anyone else whose work is under the organization's direct control, whether or not they are paid, so a contractor or temporary employee working under your direction is trained and documented like an employee. A subcontractor that handles ePHI as a business associate is responsible for training its own staff under the Security Rule, but your business associate agreement and vendor review should confirm that it does. In every case, determine what training and documentation are appropriate for the role and the access it has. The point is not to create paperwork for the sake of paperwork. The point is to be able to demonstrate that the organization took reasonable steps to prepare the workforce.
Security reminders have a different purpose from annual training. Training teaches the foundation. Reminders keep the topic alive. A reminder may be a monthly message about phishing, a short alert about suspicious texts, a tip about locking screens, a reminder not to use personal email for patient information, or a quick note after a new risk is identified or a suspicious message is reported. Because security reminders are an addressable implementation specification, the organization either sends them or documents why it decided not to and what it does instead; keeping copies of what was sent, to whom, and when is the simplest way to show the specification was addressed. The intent is repetition. People are more likely to follow security expectations when those expectations remain visible and practical.
The security management plan ties everything together. It should list the risks identified by the SRA, rank or prioritize them, assign owners, set target dates, track completion, and document follow-up. Without this plan, even a good SRA can become a binder on a shelf. With the plan, the SRA becomes a working roadmap.
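The two record-keeping checks described above, whether training records match the real workforce and whether plan items have owners and are on schedule, are easy to automate once the data is exported. The script below is an added example written for this article, not code from the page, from Taino Consultants, or from the EPI Compliance console. The roster, completion records, plan items, role-to-course mapping, 30-day onboarding grace period, and 365-day retraining interval are all constructed assumptions; the Security Rule sets no fixed interval, so substitute the values your own policy specifies.

```python
"""Reconcile a workforce roster, training completions and SRA plan items.

All data below is constructed for illustration. In practice the three
lists would be exported from HR, the learning system and the plan tracker.
"""
from datetime import date, timedelta

AS_OF = date(2025, 7, 1)  # assumed review date

# Constructed roster: every person whose work is under the organization's control.
ROSTER = [
    {"id": "u001", "name": "A. Rivera", "role": "nurse", "ephi_access": True, "start": date(2023, 1, 9)},
    {"id": "u002", "name": "B. Chen", "role": "billing", "ephi_access": True, "start": date(2024, 11, 18)},
    {"id": "u003", "name": "C. Ortiz", "role": "volunteer", "ephi_access": False, "start": date(2025, 2, 3)},
    {"id": "u004", "name": "D. Patel", "role": "it_admin", "ephi_access": True, "start": date(2025, 3, 24)},
]

# Constructed completion records, as a learning system might export them.
TRAINING = [
    {"id": "u001", "course": "hipaa-security", "completed": date(2024, 2, 1)},       # older than a year
    {"id": "u002", "course": "hipaa-security", "completed": date(2024, 11, 20)},
    {"id": "u004", "course": "phishing-awareness", "completed": date(2025, 4, 1)},   # core course missing
    {"id": "u999", "course": "hipaa-security", "completed": date(2025, 1, 5)},       # not on the roster
]

# Constructed SRA findings turned into security management plan items.
PLAN = [
    {"finding": "Shared workstation passwords in front office", "owner": "D. Patel",
     "due": date(2025, 3, 31), "status": "open"},
    {"finding": "No phishing awareness training for billing", "owner": "Security Officer",
     "due": date(2025, 6, 30), "status": "done"},
    {"finding": "Laptops without disk encryption", "owner": None,
     "due": date(2025, 5, 15), "status": "open"},
]

# Assumed policy: which courses each role must hold, and how long they stay valid.
REQUIRED_BY_ROLE = {
    "nurse": {"hipaa-security"},
    "billing": {"hipaa-security", "phishing-awareness"},
    "it_admin": {"hipaa-security", "phishing-awareness"},
    "volunteer": set(),  # volunteers are workforce; they get the core course only if they touch ePHI
}
ONBOARDING_GRACE = timedelta(days=30)   # assumed: new hires must finish within 30 days
RETRAIN_INTERVAL = timedelta(days=365)  # assumed: annual retraining


def required_courses(person):
    """Courses a person must hold: their role's set, plus the core course for any ePHI access."""
    courses = set(REQUIRED_BY_ROLE.get(person["role"], set()))
    if person["ephi_access"]:
        courses.add("hipaa-security")
    return courses


def training_gaps(roster, training, today=AS_OF):
    """Return (gaps, orphans).

    gaps:    (person id, course, "missing" | "expired") for required training not on file
             or older than RETRAIN_INTERVAL; new hires inside ONBOARDING_GRACE are not flagged.
    orphans: ids with completion records but no roster entry, which usually means the
             roster is stale or a departed user still has an account.
    """
    latest = {}
    for rec in training:  # keep only the most recent completion per (person, course)
        key = (rec["id"], rec["course"])
        if key not in latest or rec["completed"] > latest[key]:
            latest[key] = rec["completed"]

    gaps = []
    for person in roster:
        for course in sorted(required_courses(person)):
            done = latest.get((person["id"], course))
            if done is None:
                if today - person["start"] > ONBOARDING_GRACE:
                    gaps.append((person["id"], course, "missing"))
            elif today - done > RETRAIN_INTERVAL:
                gaps.append((person["id"], course, "expired"))

    roster_ids = {p["id"] for p in roster}
    orphans = sorted({rec["id"] for rec in training} - roster_ids)
    return gaps, orphans


def plan_exceptions(plan, today=AS_OF):
    """Return (finding, reason) for open plan items with no owner or a past due date."""
    exceptions = []
    for item in plan:
        if item["status"] == "done":
            continue
        if item["owner"] is None:
            exceptions.append((item["finding"], "no owner"))
        if item["due"] < today:
            exceptions.append((item["finding"], "overdue"))
    return exceptions


if __name__ == "__main__":
    gaps, orphans = training_gaps(ROSTER, TRAINING)
    for gap in gaps:
        print("training gap:", *gap)
    for person_id in orphans:
        print("training record with no roster entry:", person_id)
    for finding, reason in plan_exceptions(PLAN):
        print("plan exception:", reason, "-", finding)
```

Run against the sample data, the script flags the nurse whose core course has lapsed, the billing and IT staff who never completed a required course after their grace period, a completion record for someone who is not on the roster, and two open plan items, one overdue and one with no owner at all. The orphan check is the one most often skipped: a training record for an id that HR no longer lists is either a roster export that is out of date or an account that survived termination, and the SRA should say which.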
This is where the EPI Compliance console can be especially useful. The console provides and tracks HIPAA Security training, identifies and reminds each employee when training needs to be completed, and provides monthly HIPAA Security reminders. It also helps the compliance team organize template policies, forms, and recurring tasks. That structure makes it easier for the HIPAA Security Officer to move from “we know we should do this” to “we assigned it, tracked it, documented it, and followed up.”
Many people assigned to security oversight are trying to do the right thing, but they have never been shown how training, reminders, documentation, and the security management plan connect to the SRA. Without that connection, they may complete annual training and still miss the bigger responsibility: using training and reminders to reduce the risks the SRA identified.
If you are an executive manager, ask these questions
Manager Questions
☐ Do all workforce members receive HIPAA Security training based on their role and access?
☐ Are new employees, volunteers, temporary employees, subcontractors, and other team members addressed in the training process when appropriate?
☐ Can we prove who completed training, when they completed it, and what topics were covered?
☐ Do employees receive ongoing security reminders, not just annual training?
☐ Are reminders tied to real risks such as phishing, passwords, devices, secure messaging, and incident reporting?
☐ Do SRA findings become assigned tasks in a security management plan with owners and deadlines?
☐ Is the HIPAA Security Officer using a system to track training, reminders, tasks, and follow-up?
What you can do now
Start by reviewing your training records and asking whether they match your real workforce. Then review your last SRA and ask whether the training and reminders address the risks that were actually identified. Have at least one team member complete the CHSO course and test so the organization has someone who understands how to connect the SRA to training, reminders, and a working security management plan. Then contact Taino Consultants to conduct or refresh the SRA so your team has a clear baseline. EPI Compliance can help support the ongoing training, reminders, policies, forms, and task tracking that keep the roadmap active.
Quick Checklist
☐ Assign HIPAA Security training to workforce members based on role and access.
☐ Include new employees, volunteers, temporary employees, subcontractors, and other team members when appropriate.
☐ Document training assignment, completion, topics covered, overdue follow-up, and retraining.
☐ Send regular HIPAA Security reminders about phishing, passwords, devices, secure messaging, remote access, and reporting.
☐ Use SRA findings to create a security management plan with owners, deadlines, and status tracking.
☐ Use the EPI Compliance console to provide and track training, monthly reminders, policies, forms, and tasks.
☐ Have at least one team member complete the CHSO course and test.
“A plan only protects you when it becomes action.”
If your last SRA created findings but not follow-up, this is the moment to close that gap. Taino Consultants can help establish or refresh the SRA baseline, and EPI Compliance can help your team keep training, reminders, policies, forms, and monthly tasks moving in a way that is easier to manage and document.
About Dr. Jose I. Delgado
Dr. Jose I. Delgado is the founder and CEO of Taino Consultants, a veteran-owned, 8(a) graduate healthcare IT consulting firm based in St. Augustine, Florida. With over 30 years of experience in healthcare compliance and government contracting, Dr. Delgado has helped organizations navigate HIPAA, MACRA/MIPS, and federal IT security requirements.
Need help with healthcare compliance?
Taino Consultants provides HIPAA compliance consulting, MACRA/MIPS compliance support, and healthcare IT modernization services for government and private healthcare organizations.
Schedule a consultation
Related articles
The HIPAA Security Officer: The Person Who Helps Turn HIPAA Security from Confusing to Manageable
Equipment Inventory and Network Maps: How to See the Risks You Are Expected to Manage
