All Medical Center employees and customers are required to complete the annual refresher modules as part of the Annual Retraining and Competency Assessment Program.


To provide information on Security Awareness initiatives used by the Medical Center.


This standard applies to all Medical Center employees and customers.


Initial security training is required for all HIT customers who develop, implement, maintain or use Information Systems or devices for Medical Center operations that involve patient data.  This does not include vendors who are providing hardware or software technical support covered by ongoing maintenance contracts.

Users currently accessing these systems must complete annual refresher training as part of the Annual Retraining and Competency Assessment Program.  The training may be provided at facility locations or via remote training methods such as Computer Based Learning (CBL).  Those not successfully completing the initial or annual refresher training will have their electronic accesses suspended until they provide a transcript indicating completion. The user's Supervisor/Manager is responsible for notifying HIT Security if a suspension in access is needed due to noncompliance.

All new Medical Center (209) employees and applicable customers within University Physicians Group (UPG) or the UVA Academic Agency (207) are required to sign the Electronic Access Agreement. The respective Human Resource departments are responsible for the retrieval of signatures and storage of Electronic Access Agreements.

Third party vendors and contractors must sign the Electronic Access Agreement before being granted access to Health System information systems. The respective Health System department is responsible for the retrieval of signatures and storage of Electronic Access Agreements.

If third party vendors or contractors need access to Protected Health Information (PHI) then a Business Associate Agreement must also be completed. (See Medical Center Policy No. 0013: Vendors, Sales and Service Representatives and Business Associate Addendum)

The HIT Security Office will provide periodic security reminders and updates when there are:

  • Significant revisions to information security policies or procedures
  • Significant new information security controls are implemented
  • Substantial changes are made to significant information security controls
  • Significant new threats or risks arise against Information Systems or data


The HIT Security Office conducts regular Security Awareness Training when speaking to customers on issues that are escalated to the HIT Security team. Examples of this type of training may include but is not limited to: the importance of strong passwords and passphrases,  password sharing violations, preventing phishing attacks, email encryption, portable device encryption, etc.

The HIT Security Office also routinely schedules departmental Security Awareness Training for departments who request additional Security Awareness Training for their staff.

Document Supporting Resources