February 4, 2026
Healthcare HIPAA Automation Development

How to Automate HIPAA Security Reminders for Your Staff (Free Script)

HIPAA security reminders are a required component of the HIPAA Security Rule (§164.308(a)(5)(ii)(A)). While annual training is the minimum standard, OCR enforcement actions indicate that regular security reminders throughout the year — monthly or quarterly — significantly reduce breach risk. 68% of healthcare data breaches involve non-malicious human error, and organizations with ongoing security awareness programs see up to 91% improvement in phishing vulnerability. Automating these reminders with a scheduled script ensures consistent delivery, creates a compliance audit trail, and eliminates the administrative burden of manual tracking.

Here's a scenario I see at every small medical practice I work with: the HIPAA training happened last March. Everyone sat through an hour-long presentation. Everyone signed the attestation form. The forms went into a binder. And then nothing happened for eleven months until someone realized, "Oh, we need to do training again."

That's not a training program. That's an annual checkbox. And it does almost nothing to prevent the daily security mistakes that actually cause breaches — the receptionist who clicks a phishing link, the provider who leaves their workstation unlocked, the billing coordinator who sends an unencrypted spreadsheet to the wrong email address.

What works isn't a single annual event. What works is continuous reinforcement — short, focused reminders that keep security awareness in your staff's consciousness week after week. And the beautiful thing is, you can automate the entire system with a script that runs itself.

I'm going to give you that script for free. No catch. No signup. Just a PowerShell script you can run on your Windows server or workstation, connected to your Microsoft 365 environment, that sends monthly security reminders to your entire staff with zero ongoing effort from you.

Let's get into it.

Table of Contents
  1. Why Security Reminders Are Required (Not Optional)
  2. The Human Error Problem in Healthcare
  3. What Good Security Reminders Look Like
  4. The 12-Month HIPAA Security Reminder Calendar
  5. The Free PowerShell Reminder Script
  6. Setting Up the Scheduled Task
  7. Tracking Compliance: The Audit Trail
  8. Beyond Reminders: Building a Security Culture
  9. FAQ: HIPAA Security Training and Reminders
  10. JSON-LD Schema

Why Security Reminders Are Required (Not Optional)

Let's clear up a misconception. HIPAA security reminders aren't a nice-to-have. They're a required implementation specification under the Security Rule.

Section 164.308(a)(5)(ii)(A) of the HIPAA Security Rule specifies "security reminders" as an addressable implementation specification under the Security Awareness and Training standard. Under the 2026 Security Rule update, the distinction between "required" and "addressable" specifications is being eliminated — which means security reminders are moving from "you should do this unless you have a documented reason not to" to "you must do this."

The Office for Civil Rights has made its expectations clear through enforcement actions. When OCR investigates a breach, one of the first things they examine is the organization's security awareness training program. They look for:

  • Evidence of initial training for all workforce members
  • Evidence of ongoing security reminders (monthly or quarterly)
  • Documentation of training content and delivery
  • Records of who received training and when
  • Evidence that training was updated after significant security events

If your answer to "show me your security reminder program" is a single annual presentation with no documentation between sessions, you have a compliance gap. OCR auditors don't accept "we told them once a year" as a sufficient security awareness program.

Consider what happened in recent enforcement actions. A mid-size healthcare organization was investigated after a phishing breach compromised 12,000 patient records. The organization had conducted annual HIPAA training, but OCR found no evidence of ongoing security reminders between annual sessions. The investigation concluded that the organization's security awareness program was insufficient because it didn't include "periodic security updates" as specified in the Security Rule. The resulting corrective action plan required the organization to implement monthly security reminders with documented delivery — exactly the system I'm about to show you how to build.

The pattern in OCR's enforcement history is consistent. Organizations that can demonstrate a systematic, ongoing security awareness program — with documentation showing regular delivery and relevant content — fare dramatically better in investigations than those with only annual training records. It's the difference between showing an auditor a single training attendance sheet from eleven months ago and showing them a log of twelve monthly reminders, each tied to a specific Security Rule specification, delivered to every staff member with timestamps.

The proposed 2026 Security Rule update is expected to formalize annual training as an explicit required specification rather than a best practice. But the organizations that fare best in audits and breach investigations aren't doing the minimum — they're sending regular reminders that create a documented pattern of ongoing security awareness.

The Human Error Problem in Healthcare

The reason security reminders matter isn't abstract. It's math.

68% of healthcare data breaches are attributed to non-malicious human error. Not hackers. Not ransomware (though that's a growing problem). Human mistakes. The wrong attachment sent to the wrong person. The phishing email that looked legitimate. The password written on a sticky note. The unattended workstation in a shared hallway.

Healthcare organizations show the highest baseline phishing vulnerability of any industry at 41.9%. That means nearly half your staff would click a phishing link if they received one right now. But here's the encouraging part: healthcare also shows the most dramatic improvement potential. Organizations with ongoing security awareness training see up to 91% improvement rates, bringing that vulnerability down dramatically.

The math is straightforward. If 42% of your staff would fall for a phishing attack without training, and training reduces that to 4%, you've eliminated 90% of your human-error attack surface. The cost of that training? A few minutes of staff time per month reading a security reminder. The cost of not doing it? The average healthcare data breach costs $10.93 million — the highest of any industry.

There was a 17.4% increase in unauthorized access and disclosure incidents year-over-year in the most recent breach data, with these incidents including both malicious insiders and inadvertent exposures due to employee carelessness. These are exactly the incidents that regular security reminders prevent.

For DeLand practices and offices across Volusia County, these statistics aren't abstract. A single breach at a five-provider practice doesn't just trigger regulatory penalties — it damages patient trust in a community where reputation is everything.

Let me make this more concrete. Imagine your billing coordinator receives an email that appears to come from your EHR vendor, asking her to verify her login credentials because of a "security update." The email looks legitimate — correct logo, professional formatting, the sender name matches someone she's emailed before. Without regular phishing awareness training, she clicks the link and enters her credentials. Now an attacker has access to your EHR, your patient records, and potentially your entire network. The breach affects 2,500 patients. You're required to notify HHS, notify every affected patient, notify the media if over 500 patients are involved, and submit to an OCR investigation. The average cost to your practice: $150 per affected record, or $375,000 — plus legal fees, remediation costs, and the permanent listing on HHS's Breach Portal (sometimes called the "Wall of Shame").

Now imagine the same scenario, but your billing coordinator received a phishing awareness reminder two weeks ago. The reminder included specific examples of EHR vendor impersonation emails. She hovers over the link, notices the URL doesn't match the vendor's domain, and forwards it to your IT contact. Threat neutralized. Zero breach. Zero cost. The only difference between these two outcomes is whether your staff received regular security reminders.

What Good Security Reminders Look Like

A good security reminder has three characteristics:

Short. Three to five paragraphs maximum. Your staff has patients to see. They'll read a two-minute email. They won't read a two-page document.

Specific. Each reminder covers one topic. Not "be careful with patient data" — that's useless. Instead: "How to verify a caller's identity before releasing patient information." One topic, one actionable takeaway.

Current. Reference recent events, seasonal threats, or changes to your practice's systems. A January reminder about tax-season phishing scams. A September reminder about back-to-school insurance verification. A reminder after a staff member reports a suspicious email, praising them for reporting it and explaining what the threat was.

Here's the structure I use for security reminders at practices I work with:

Subject line: Monthly Security Reminder: [Topic]

Body:

  1. One-sentence hook explaining why this topic matters right now
  2. What the threat or risk looks like in practice (real example)
  3. What to do / what not to do (specific, actionable steps)
  4. Who to contact if you encounter this situation
  5. One-line compliance reminder ("This reminder fulfills HIPAA §164.308(a)(5) security awareness requirements")

The 12-Month HIPAA Security Reminder Calendar

Here's a complete year of security reminder topics. Each one addresses a different HIPAA Security Rule requirement and maps to real-world threats your staff faces:

| Month | Topic | HIPAA Reference |
|---|---|---|
| January | Password hygiene and MFA enrollment | §164.312(d) |
| February | Recognizing phishing emails | §164.308(a)(5)(ii)(B) |
| March | Clean desk policy and workstation security | §164.310(b) |
| April | Social engineering and phone pretexting | §164.308(a)(5)(ii)(A) |
| May | Email encryption — when and how | §164.312(e)(1) |
| June | Mobile device security and BYOD policies | §164.310(d)(1) |
| July | Incident reporting procedures | §164.308(a)(6)(ii) |
| August | Physical access controls and visitor management | §164.310(a)(1) |
| September | Insurance verification and identity fraud | §164.312(d) |
| October | Cybersecurity Awareness Month special | §164.308(a)(5) |
| November | Ransomware awareness and backup procedures | §164.308(a)(7) |
| December | Year-end compliance review and training recap | §164.308(a)(5)(ii)(A) |

Each topic is specific enough to be actionable and broad enough to be relevant across roles — from front desk to clinical staff to billing.

You'll notice the calendar is designed to be seasonal where possible. January covers passwords because credential-stuffing attacks spike in Q1 after the previous year's breach data circulates. February covers phishing because tax-season scams begin early. October is Cybersecurity Awareness Month nationally, so it's a natural fit for a comprehensive security update. December wraps the year with a compliance review that doubles as preparation for your annual HIPAA risk assessment.

The calendar is a starting point. Customize it for your practice's specific risks. If you've had an incident — even a near-miss — add a reminder about that specific scenario. If a new threat emerges in the healthcare sector (a specific ransomware variant targeting EHR systems, for example), insert an emergency reminder outside the normal schedule. The script handles this easily: add an entry to the JSON file with the appropriate month number, or create a second JSON file for ad-hoc reminders and modify the script to check both files.

For practices that want to go deeper on any individual topic, each monthly reminder can include a link to a short training video or article. Free resources from HHS (hhs.gov/hipaa), the Cybersecurity and Infrastructure Security Agency (cisa.gov), and the NIST Cybersecurity Framework provide authoritative content you can link to without creating training materials from scratch.

The Free PowerShell Reminder Script

Here's the complete PowerShell script. It reads reminder content from a JSON file, sends the appropriate month's reminder to your staff distribution list via Microsoft Graph API (the modern replacement for the deprecated Send-MailMessage), and logs every send for your compliance records.

```powershell
<#
.SYNOPSIS
    HIPAA Security Reminder Automation Script
.DESCRIPTION
    Sends monthly HIPAA security reminders to all staff via Microsoft Graph.
    Run via Windows Task Scheduler on the 1st of each month.
    Logs all sends for HIPAA compliance documentation.
.NOTES
    Requires: Windows PowerShell 5.1 or later (calls the Graph REST API directly; no Graph module needed)
    Setup: Register an Entra ID (Azure AD) app with the Mail.Send application permission
    Config: Update the $config section below with your values
#>

$config = @{
    TenantId      = "YOUR-TENANT-ID"
    ClientId      = "YOUR-APP-CLIENT-ID"
    ClientSecret  = "YOUR-APP-CLIENT-SECRET"  # Store in secure vault
    SenderEmail   = "hipaa-security@yourpractice.com"
    RecipientDL   = "allstaff@yourpractice.com"
    RemindersFile = "C:\HIPAA\reminders.json"
    LogFile       = "C:\HIPAA\logs\reminder-log.csv"
    PracticeName  = "Your Practice Name"
}

# --- Authentication (OAuth 2.0 client-credentials grant) ---
$tokenBody = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = $config.ClientId
    client_secret = $config.ClientSecret
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$($config.TenantId)/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body $tokenBody
$accessToken = $tokenResponse.access_token

# A failed token request only terminates the statement above, so check explicitly
if (-not $accessToken) {
    Write-Error "Authentication failed: no access token returned for tenant $($config.TenantId)"
    exit 1
}

# --- Load Reminders ---
# -Raw hands the whole file to ConvertFrom-Json as one string; UTF8 keeps the § characters intact
$reminders = Get-Content -Path $config.RemindersFile -Raw -Encoding UTF8 | ConvertFrom-Json
$currentMonth = (Get-Date).Month
$reminder = $reminders | Where-Object { [int]$_.month -eq $currentMonth }

if (-not $reminder) {
    Write-Error "No reminder found for month $currentMonth"
    exit 1
}

# --- Build Email ---
$subject = "Monthly Security Reminder: $($reminder.topic)"
$htmlBody = @"
<html>
<body style="font-family: Calibri, Arial, sans-serif; max-width: 600px;">
<h2 style="color: #1a5276;">&#128274; $($reminder.topic)</h2>
<p><strong>Why this matters right now:</strong> $($reminder.hook)</p>
<h3>The Risk</h3>
<p>$($reminder.risk_description)</p>
<h3>What To Do</h3>
<ul>
$(($reminder.action_items | ForEach-Object { "<li>$_</li>" }) -join "`n")
</ul>
<h3>If You See Something</h3>
<p>$($reminder.report_to)</p>
<hr style="border: 1px solid #eee;" />
<p style="font-size: 11px; color: #888;">
This reminder fulfills HIPAA §164.308(a)(5) security awareness requirements.
Ref: $($reminder.hipaa_ref) | $($config.PracticeName) | $(Get-Date -Format 'MMMM yyyy')
</p>
</body>
</html>
"@

# --- Send via Microsoft Graph ---
$mailPayload = @{
    message = @{
        subject = $subject
        body = @{
            contentType = "HTML"
            content = $htmlBody
        }
        toRecipients = @(
            @{ emailAddress = @{ address = $config.RecipientDL } }
        )
    }
    saveToSentItems = $true
} | ConvertTo-Json -Depth 5

$headers = @{
    Authorization = "Bearer $accessToken"
}

try {
    # charset=utf-8 makes Invoke-RestMethod encode the string body as UTF-8 (5.1 defaults to ISO-8859-1)
    Invoke-RestMethod -Method Post `
        -Uri "https://graph.microsoft.com/v1.0/users/$($config.SenderEmail)/sendMail" `
        -Headers $headers `
        -ContentType "application/json; charset=utf-8" `
        -Body $mailPayload

    $status = "SUCCESS"
    Write-Host "Reminder sent: $($reminder.topic)" -ForegroundColor Green
}
catch {
    $status = "FAILED: $($_.Exception.Message)"
    Write-Error "Failed to send: $($_.Exception.Message)"
}

# --- Log for Compliance ---
$logEntry = [PSCustomObject]@{
    Timestamp = (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
    Month     = $currentMonth
    Topic     = $reminder.topic
    HIPAARef  = $reminder.hipaa_ref
    Recipient = $config.RecipientDL
    Status    = $status
    SentBy    = "Automated Script"
}

# Create log directory if needed
$logDir = Split-Path $config.LogFile
if (!(Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir -Force | Out-Null }

# Append to CSV log (a failed send is logged too, so the audit trail shows the gap)
$logEntry | Export-Csv -Path $config.LogFile -Append -NoTypeInformation

Write-Host "Log entry recorded: $($config.LogFile)"

# Non-zero exit code lets Task Scheduler's "Last Run Result" show the failure
if ($status -ne "SUCCESS") { exit 1 }
```

The Reminders JSON File:

Create a file at C:\HIPAA\reminders.json with this structure:

```json
[
  {
    "month": 1,
    "topic": "Password Hygiene and MFA Enrollment",
    "hipaa_ref": "§164.312(d)",
    "hook": "January is the most common month for credential-stuffing attacks, as hackers exploit passwords leaked in the previous year's breaches.",
    "risk_description": "Weak or reused passwords are the #1 way attackers gain access to healthcare systems. If your email password is the same as your Netflix password, a breach at Netflix becomes a breach at our practice.",
    "action_items": [
      "Use a unique password for your work account (minimum 12 characters)",
      "Enable MFA on your Microsoft 365 account if you haven't already",
      "Never share your password with coworkers — even for coverage",
      "Report any MFA prompts you didn't initiate immediately"
    ],
    "report_to": "Contact the HIPAA Security Officer or IT support if you receive an unexpected MFA prompt or suspect your password has been compromised."
  },
  {
    "month": 2,
    "topic": "Recognizing Phishing Emails",
    "hipaa_ref": "§164.308(a)(5)(ii)(B)",
    "hook": "Phishing attacks targeting healthcare increased 42% last year. Your inbox is the front door for most cyberattacks.",
    "risk_description": "Phishing emails impersonate trusted senders — insurance companies, EHR vendors, even colleagues — to trick you into clicking malicious links or entering credentials on fake login pages.",
    "action_items": [
      "Check the sender's actual email address, not just the display name",
      "Hover over links before clicking — does the URL match what you expect?",
      "Never enter your work credentials on a page you reached via email link",
      "When in doubt, forward the suspicious email to IT for review"
    ],
    "report_to": "Forward suspicious emails to security@yourpractice.com. Do NOT click any links or open any attachments. Reporting phishing attempts helps protect the entire practice."
  }
]
```

Add entries for months 3 through 12 following the same pattern, using the topic calendar from the previous section. I've included two months as examples — the full twelve-month JSON is available from our security services page.

The script authenticates via Azure AD app registration with client credentials, which means it runs unattended without requiring anyone to log in. It reads the current month, pulls the matching reminder, formats it as a professional HTML email, sends it via Microsoft Graph, and logs everything to a CSV file that serves as your compliance documentation.

Setting Up the Scheduled Task

To run this script automatically on the first of each month:

Step 1: Create the Azure AD App Registration

In the Azure portal (portal.azure.com), register a new application. Grant it the Mail.Send application permission for Microsoft Graph. Create a client secret. Note the Tenant ID, Client ID, and Client Secret — these go into the script's configuration section.

Step 2: Create the Windows Scheduled Task

Open Task Scheduler on your server (or any Windows machine that will be running at the scheduled time). Create a new task with these settings:

  • Trigger: Monthly, on the 1st, at 8:00 AM
  • Action: Start a program — powershell.exe
  • Arguments: -ExecutionPolicy Bypass -File "C:\HIPAA\Send-HIPAAReminder.ps1"
  • Run whether user is logged on or not
  • Run with highest privileges

Step 3: Test

Run the task manually. Check that the email arrives at your distribution list. Check that the log file was created at C:\HIPAA\logs\reminder-log.csv. Verify the log entry includes all fields.
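The same three steps from an elevated PowerShell prompt, as an added example that is not part of the post: Step 2's task is created with the built-in schtasks.exe and Step 3's check reads the newest log row. The task name and paths are this example's assumptions; the post's settings run the task as SYSTEM with highest privileges, and a dedicated service account in /RU is the tighter choice if your environment allows it.

```powershell
# Added example: Step 2 (create the monthly task) and Step 3 (test it) scripted.
$taskName   = 'HIPAA Security Reminder'                 # assumed task name
$scriptPath = 'C:\HIPAA\Send-HIPAAReminder.ps1'         # path from Step 2
$logFile    = 'C:\HIPAA\logs\reminder-log.csv'          # path from Step 3
$action     = "powershell.exe -ExecutionPolicy Bypass -File $scriptPath"

# Monthly on the 1st at 08:00. /RU SYSTEM = "run whether user is logged on or not",
# /RL HIGHEST = "run with highest privileges", /F overwrites an existing task of that name.
schtasks.exe /Create /F /SC MONTHLY /D 1 /ST 08:00 /TN $taskName /TR $action /RU SYSTEM /RL HIGHEST
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }

# Step 3: run it once now, give it a moment, then confirm the newest log entry
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 30

$last = Import-Csv -Path $logFile | Select-Object -Last 1
if (-not $last) { throw "No log entry was written to $logFile" }
$last | Format-List            # shows Timestamp, Month, Topic, HIPAARef, Recipient, Status, SentBy

if ($last.Status -ne 'SUCCESS') {
    Write-Warning "Last run did not succeed: $($last.Status) (check Mail.Send consent and the sender mailbox)"
}
```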

For practices using Linux servers, the equivalent is a cron job calling a Python version of this script using the Microsoft Graph SDK for Python. The logic is identical — authenticate, read reminders, send email, log the send.

Troubleshooting common issues. The most frequent problem is authentication failure — usually because the Azure AD app registration wasn't granted the Mail.Send permission, or admin consent wasn't granted for the permission. Check the Azure portal under your app registration > API permissions and verify that the Mail.Send permission shows "Granted" status. The second most common issue is the sender email not matching a valid mailbox — you can either use a shared mailbox or a dedicated service account for the sender address. If you see a "Request not applicable to target mailbox" error, the sender email doesn't have a licensed mailbox in your tenant.

Security considerations for the script. The client secret in the configuration section should not be stored in plain text in production. For a more secure setup, store it in Windows Credential Manager and retrieve it at runtime using Get-StoredCredential, or use a certificate-based authentication flow instead of client secret. The script also runs with the permissions of the Azure AD app registration, so scope those permissions tightly — only Mail.Send, nothing else.
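The certificate-based flow mentioned above, as an added example that is not part of the post's script: it replaces the "Authentication" section with a client assertion, a short-lived JWT signed by the app's certificate, so no secret sits in the config file at all. It assumes the certificate's public part has been uploaded to the app registration, that the certificate with its private key is in the machine store, and that the thumbprint and tenant/client IDs are placeholders you replace.

```powershell
# Added example: OAuth 2.0 client-credentials grant with a certificate (JWT client assertion)
# instead of a client secret. Function names and the thumbprint are this example's assumptions.

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-GraphTokenWithCertificate {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$CertThumbprint
    )
    # The account running the scheduled task needs read access to this private key
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$CertThumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no private key" }

    $tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $now = [DateTimeOffset]::UtcNow
    $enc = [System.Text.Encoding]::UTF8

    # JWT header: x5t is the base64url SHA-1 thumbprint Entra ID uses to find the uploaded certificate
    $header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url -Bytes $cert.GetCertHash()) }
    # Claims required for a client assertion; keep the lifetime to a few minutes
    $claims = @{
        aud = $tokenUri
        iss = $ClientId
        sub = $ClientId
        jti = [guid]::NewGuid().ToString()
        nbf = $now.ToUnixTimeSeconds()
        exp = $now.AddMinutes(5).ToUnixTimeSeconds()
    }
    $signingInput = (ConvertTo-Base64Url -Bytes $enc.GetBytes(($header | ConvertTo-Json -Compress))) + '.' +
                    (ConvertTo-Base64Url -Bytes $enc.GetBytes(($claims | ConvertTo-Json -Compress)))

    # RS256 = RSA PKCS#1 v1.5 over SHA-256 of header.payload
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $signature = $rsa.SignData($enc.GetBytes($signingInput),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $assertion = $signingInput + '.' + (ConvertTo-Base64Url -Bytes $signature)

    $body = @{
        grant_type            = 'client_credentials'
        scope                 = 'https://graph.microsoft.com/.default'
        client_id             = $ClientId
        client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        client_assertion      = $assertion
    }
    $response = Invoke-RestMethod -Method Post -Uri $tokenUri `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $response.access_token
}

# Drop-in for the post's $accessToken; the ClientSecret entry in $config is no longer needed
$accessToken = Get-GraphTokenWithCertificate -TenantId 'YOUR-TENANT-ID' `
    -ClientId 'YOUR-APP-CLIENT-ID' -CertThumbprint 'YOUR-CERT-THUMBPRINT'
```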

Tracking Compliance: The Audit Trail

The CSV log the script creates is your compliance documentation. Each entry records:

  • Timestamp — when the reminder was sent
  • Month — which month's content was delivered
  • Topic — what the reminder covered
  • HIPAA Reference — which Security Rule specification the reminder addresses
  • Recipient — the distribution list that received it
  • Status — whether the send succeeded or failed
  • Sent By — "Automated Script" for audit clarity

When an OCR auditor asks "show me your security awareness program," you hand them this log. It demonstrates a systematic, documented, monthly program that maps directly to HIPAA Security Rule specifications. That's exactly what auditors want to see.

For additional compliance documentation, consider adding email read receipts or tracking opens (Microsoft 365 supports this) to demonstrate that staff actually received and opened the reminders. This isn't required by HIPAA, but it strengthens your compliance posture significantly.

Pair this reminder system with the automated HIPAA audit logging script for a comprehensive compliance automation stack.

One more thing about the audit trail that practice managers often overlook: the log file isn't just for OCR auditors. It's for your malpractice insurance, your cyber liability insurance, and your own legal protection. If a breach occurs and litigation follows, demonstrating that you had a systematic, documented security awareness program can be the difference between "negligent" and "reasonable measures were taken." Insurance underwriters are increasingly asking about security awareness programs during renewals — having twelve months of logged reminders can literally reduce your premium.

Keep the log files backed up and immutable. Don't store them only on the same server that sends the reminders — copy them to a separate location monthly. If the server is compromised, you don't want your compliance documentation compromised with it. A simple robocopy script or cloud backup to an encrypted storage bucket handles this. The point is redundancy: your proof of compliance should survive any single point of failure.
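Two helpers for the audit trail described in this section, as an added example that is not part of the post: Test-ReminderAuditTrail reads the script's CSV log and reports, month by month, whether a SUCCESS entry exists (the gap an auditor would spot), and Backup-ReminderLog copies the log to a second location and records its SHA-256 so a later change to either copy is detectable. The backup share path is an assumption.

```powershell
# Added example: audit-readiness check and hashed backup for C:\HIPAA\logs\reminder-log.csv.

function Test-ReminderAuditTrail {
    param(
        [string]$LogFile = "C:\HIPAA\logs\reminder-log.csv",
        [int]$Year = (Get-Date).Year
    )
    $required = 'Timestamp', 'Month', 'Topic', 'HIPAARef', 'Recipient', 'Status', 'SentBy'
    $rows = @(Import-Csv -Path $LogFile)
    if ($rows.Count -eq 0) { throw "Log file $LogFile has no entries" }

    # Every column the post's script writes must be present, or the log is not usable as evidence
    $columns = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $columns }
    if ($missing) { throw "Log is missing required columns: $($missing -join ', ')" }

    $inYear = $rows | Where-Object { ([datetime]$_.Timestamp).Year -eq $Year }
    # Only months that have already started can be expected to have a send
    $lastMonth = if ($Year -eq (Get-Date).Year) { (Get-Date).Month } else { 12 }

    foreach ($m in 1..$lastMonth) {
        $sends = @($inYear | Where-Object { [int]$_.Month -eq $m })
        $topic = if ($sends.Count -gt 0) { $sends[0].Topic } else { '(no entry)' }
        [PSCustomObject]@{
            Month     = $m
            Delivered = (@($sends | Where-Object { $_.Status -eq 'SUCCESS' }).Count -gt 0)
            Failures  = @($sends | Where-Object { $_.Status -ne 'SUCCESS' }).Count
            Topic     = $topic
        }
    }
}

function Backup-ReminderLog {
    param(
        [string]$LogFile = "C:\HIPAA\logs\reminder-log.csv",
        [string]$BackupDir = "\\backup-server\hipaa-logs"   # assumed: a share on a different machine
    )
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    $dest = Join-Path $BackupDir "reminder-log-$stamp.csv"
    Copy-Item -Path $LogFile -Destination $dest -Force

    # Manifest of hashes: re-hashing a copy later and comparing shows whether it was altered
    $hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    "$stamp,$hash" | Add-Content -Path (Join-Path $BackupDir 'manifest.csv')
    return $hash
}

# Usage: list any month of this year without a successful send, then take the monthly backup
Test-ReminderAuditTrail | Where-Object { -not $_.Delivered } | Format-Table -AutoSize
Backup-ReminderLog
```

Run the backup from the same scheduled task, after the send, so a copy of the log exists off-server before anyone needs it.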

Beyond Reminders: Building a Security Culture

Automated reminders are the foundation, but the practices with the strongest security posture go further. Here are three additions that multiply the effectiveness of your reminder program:

Monthly micro-quizzes. After each reminder, send a three-question quiz (Google Forms or Microsoft Forms). "Which of the following is a phishing indicator?" Takes 60 seconds to complete. Track completion rates. This transforms passive reading into active learning and gives you data on which topics need reinforcement.

Positive reinforcement for reporting. When a staff member reports a suspicious email, phishing attempt, or security concern, acknowledge it publicly in your next team meeting. "Sarah flagged a phishing email last week that could have compromised patient data. That's exactly what we need." This creates a culture where reporting is rewarded, not feared.

Simulated phishing tests. Send controlled phishing emails to your staff quarterly. Track who clicks. Provide immediate education to anyone who falls for the test — not as punishment, but as just-in-time training. Advanced behavioral training with simulated phishing reduces actual phishing incidents by 86% compared to standard quarterly awareness training. Services like KnowBe4, Proofpoint, and even free tools like Gophish make this accessible for small practices.

Annual training integration. Your monthly reminders work best when they connect to a comprehensive annual training session. Structure your annual training to cover the same twelve topics in depth — one hour of interactive training that your staff completes online or in person. The monthly reminders then serve as reinforcement, keeping each topic fresh. When someone clicks a simulated phishing link in June, you can say "remember February's reminder about checking sender addresses?" The annual training provides the foundation; the monthly reminders keep the building standing.

New employee onboarding. Don't wait for the next scheduled reminder to train new hires. Add a step to your onboarding process that sends all twelve reminders to a new employee in a condensed sequence — one per day for twelve days, or one per week for twelve weeks depending on your preference. This ensures every staff member has received the full awareness curriculum regardless of when they started. The PowerShell script can be modified to accept a target email address and month override for exactly this purpose.
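The two script modifications suggested on this page, the ad-hoc reminder file from the calendar section and the recipient/month override for onboarding here, as one added example that is not part of the post's script. It replaces the "Load Reminders" step with a parameter block and two helpers; the parameter names, the onboarding rule (day N after the start date sends month N's reminder) and the extra SentBy value are this example's assumptions.

```powershell
# Added example: parameters and selection logic for monthly, ad-hoc and onboarding runs.
# Examples of invocation:
#   .\Send-HIPAAReminder.ps1                                             # scheduled monthly run
#   .\Send-HIPAAReminder.ps1 -AdHocFile C:\HIPAA\adhoc\ransomware.json   # emergency reminder now
#   .\Send-HIPAAReminder.ps1 -Recipient new.hire@yourpractice.com -OnboardingStart 2026-04-06
#                                                                        # run daily for 12 days
param(
    [ValidateRange(1, 12)][int]$Month = (Get-Date).Month,   # month override (default: current month)
    [string]$Recipient = "allstaff@yourpractice.com",        # a single new hire, or the staff DL
    [string]$AdHocFile,                                      # one-entry JSON, same schema as reminders.json
    [datetime]$OnboardingStart,                              # new hire's first day
    [string]$RemindersFile = "C:\HIPAA\reminders.json"
)

# Onboarding rule: day 1 after the start date gets month 1's reminder, day 12 gets month 12's.
# Returns $null outside that window, so a daily scheduled run becomes a no-op once done.
function Get-OnboardingMonth {
    param([datetime]$StartDate, [datetime]$Today = (Get-Date).Date)
    $dayIndex = ($Today.Date - $StartDate.Date).Days + 1
    if ($dayIndex -ge 1 -and $dayIndex -le 12) { return $dayIndex }
    return $null
}

# Returns the reminder objects to send on this run; an ad-hoc file takes precedence over the calendar
function Get-RemindersToSend {
    param([string]$RemindersFile, [int]$Month, [string]$AdHocFile)
    if ($AdHocFile) {
        if (-not (Test-Path $AdHocFile)) { throw "Ad-hoc reminder file not found: $AdHocFile" }
        return @(Get-Content -Path $AdHocFile -Raw -Encoding UTF8 | ConvertFrom-Json)
    }
    $all = Get-Content -Path $RemindersFile -Raw -Encoding UTF8 | ConvertFrom-Json
    return @($all | Where-Object { [int]$_.month -eq $Month })
}

# Work out the mode; it is written to the log so an auditor can tell a scheduled all-staff
# send from an onboarding or emergency send.
$mode = 'Monthly'
$targetMonth = $Month
if ($PSBoundParameters.ContainsKey('OnboardingStart')) {
    $targetMonth = Get-OnboardingMonth -StartDate $OnboardingStart
    if (-not $targetMonth) { Write-Host "Onboarding sequence for $Recipient is complete; nothing to send."; exit 0 }
    $mode = 'Onboarding'
}
elseif ($AdHocFile) { $mode = 'AdHoc' }

$toSend = Get-RemindersToSend -RemindersFile $RemindersFile -Month $targetMonth -AdHocFile $AdHocFile
if ($toSend.Count -eq 0) { Write-Error "No reminder found for month $targetMonth"; exit 1 }

foreach ($reminder in $toSend) {
    # The post's "Build Email" and "Send via Microsoft Graph" steps run here unchanged except that
    # $Recipient replaces $config.RecipientDL, and the log entry records the mode:
    #   Recipient = $Recipient
    #   SentBy    = "Automated Script ($mode)"
    Write-Host "[$mode] Sending month $($reminder.month) '$($reminder.topic)' to $Recipient"
}
```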

These additions transform your security awareness program from a compliance checkbox into an actual risk reduction tool. The reminders create baseline awareness. The quizzes reinforce it. The simulated phishing tests measure it. And the positive reinforcement sustains it.

For practices across Volusia County — from DeLand to Daytona Beach to New Smyrna Beach — this approach works regardless of practice size. A solo practitioner can run the automated reminders and simulated phishing on their own. A twenty-provider practice can layer in quizzes, tracking, and remedial training. The system scales because the automation handles the heavy lifting.

Want help setting up your compliance automation? We configure HIPAA security reminder systems, automated audit logging, and staff training programs for healthcare practices across Volusia County. Schedule a compliance consultation — we'll assess your current training program and build the automation that fills the gaps.

FAQ: HIPAA Security Training and Reminders

Are HIPAA security reminders required?

Yes. Security reminders are specified in HIPAA Security Rule §164.308(a)(5)(ii)(A) as an implementation specification under the Security Awareness and Training standard. While currently classified as "addressable," the 2026 Security Rule update is expected to eliminate the addressable/required distinction, making security reminders explicitly mandatory. OCR enforcement actions consistently cite inadequate security awareness programs as a compliance failure.

How often should HIPAA security reminders be sent?

Monthly is the industry best practice. HIPAA doesn't specify an exact frequency for reminders (it does require annual training at minimum), but OCR guidance and enforcement patterns indicate that monthly reminders demonstrate a proactive security awareness program. Quarterly is the absolute minimum; monthly is what OCR auditors consider a well-run program.

What should HIPAA security reminders cover?

Each reminder should focus on one specific topic relevant to your practice's daily operations. Core topics include: phishing recognition, password hygiene, workstation security, email encryption, mobile device security, incident reporting procedures, physical access controls, and social engineering awareness. Map each reminder to a specific HIPAA Security Rule specification for audit documentation.

Can I use this script with Google Workspace?

The PowerShell script in this post is designed for Microsoft 365 via Microsoft Graph API. For Google Workspace environments, a Python script using the Gmail API achieves the same result. The reminder content (the JSON file) is platform-independent — only the email sending mechanism changes.

Does sending reminders count as HIPAA training?

Security reminders supplement but do not replace comprehensive HIPAA training. You still need an initial training program for new hires and annual refresher training that covers the full scope of HIPAA requirements. Reminders serve the "ongoing security awareness" requirement — keeping training topics fresh between formal sessions.

How do I prove to an auditor that reminders were sent?

The script's CSV log file provides complete documentation: timestamp, topic, HIPAA reference, recipients, and send status for every reminder. Keep these logs for at least six years (your HIPAA retention period). For additional evidence, enable email delivery receipts or open tracking in your Microsoft 365 environment.

JSON-LD Schema

```json
{
  "@context": "https://schema.org",
  "@type": "Article",
  "headline": "How to Automate HIPAA Security Reminders for Your Staff (Free Script)",
  "description": "Free PowerShell script for automated monthly HIPAA security reminders with 12-month topic calendar and compliance logging.",
  "author": {
    "@type": "Person",
    "name": "Alan Newingham",
    "url": "https://automateandeploy.com/about"
  },
  "publisher": {
    "@type": "Organization",
    "name": "Automate & Deploy",
    "url": "https://automateandeploy.com"
  },
  "datePublished": "2026-03-19",
  "dateModified": "2026-03-19",
  "mainEntityOfPage": "https://automateandeploy.com/automate-hipaa-security-reminders-staff-free-script"
}
```

Your staff forgets their HIPAA training within weeks. That's not a character flaw — it's how human memory works. The only way to keep security awareness active is to reinforce it regularly, automatically, and with documentation that proves you did it.

The script is free. The reminder calendar is free. The compliance documentation it generates is automatic. The only thing standing between your practice and a documented, auditor-ready security awareness program is thirty minutes of setup time.

That is it. Copy the script, customize the reminders for your practice's specific risks and terminology, schedule the task on your server, and stop worrying about whether your staff remembers what they learned last March. Your compliance documentation builds itself from this point forward.

Need help implementing this?

We build automation systems like this for clients every day.