QualityNet Jira will be unavailable on Tuesday, September 03, 2024, between 8:00 PM ET and 11:00 PM ET while the team performs a system upgrade. QualityNet Confluence will also be briefly unavailable between 8:00 PM ET and 8:30 PM ET.  If you have questions or concerns, please reach out to us in Slack at #help-atlassian.

QualityNet Security

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »



HCQIS Security Awareness Training (SAT) & Certification Administration Instructions


General Information


HHS and CMS in accordance to Federal Information Security Management Act (FISMA) of 2002 and other policies requires that all Federal CMS and Contractor users of Federal Information Systems to be exposed to security and privacy awareness training materials at least annually. This is to inform federal employees, contractors and other users of information systems that support the operations and assets of the agency, of:

  • Information Security risks associated with technologies and their activities while utilizing those technologies.
  • Responsibilities in complying with agency policies and procedures designed to reduce risks.
  • Overview of protecting Personally Identifying Information (PII) or Personal Health Information (PHI) of any individual as directed in the Privacy Act of 1974.
  • Records Management and Retention.


During onboarding and before access to any HCQIS system or application each user must complete proper training requirements on an annual basis and must provide evidence of completion to his/her respective Security Point of Contact (SPOC) who will track all required training within the organization.



Previous HCQIS Contractors Vs. New Users

Newly on-boarded HCQIS Services users who have taken all three training modules within the last 90 days of the organization's certification period are EXEMPT from taking SAT training for the current annual certification period. This group of users will take security awareness training as normal during the following annual certification period.
Note: Any deviations from either training module will require the user to take any missed training during the current certification period.


SAT Record Keeping and Maintenance for SPOCs:

  1. SAT Records are not required for submission unless requested by the COR or ISSO. SAT Records must always be updated and maintained. (SAT record templates are available within HCQIS Security Resources on QNP or may be obtained by the CMS COR/ISSO.
  2. Contracts acting under multiple sites (prime/sub) may exercise the option of having multiple SAT records or a single SAT record that reflects ALL individual sites and each user respectfully.
  3. At the top of each page insert the Contract name and specify the site if applicable.
  4. For multiple sites in a single area, you may use a different table that identifies each state/region for each site.

  • No labels