HIPAA Security Rule Training for Business Associates

HIPAA Business Associates that create, receive, maintain, or transmit electronic Protected Health Information on behalf of HIPAA-covered entities are directly subject to the HIPAA Security Rule and must provide security awareness training to their entire workforce, not only to staff who work on healthcare-specific accounts or handle patient data as part of their primary function. The HIPAA Security Rule at 45 CFR 164.308(a)(5) requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management).” The direct applicability of the HIPAA Security Rule to business associates was established by the HITECH Act and confirmed in the 2013 Omnibus Rule, which means the training obligation runs to the business associate as an independently regulated entity rather than solely as a contractual requirement imposed through a HIPAA Business Associate Agreement. A business associate that relies on its covered entity client’s training program to satisfy its own workforce training requirement has misread the regulation.

The Training Scope Goes Beyond Healthcare-Facing Roles

Many business associates operate with workforces that include personnel who are not assigned to healthcare client accounts, do not access patient records, and may not consider themselves to be working in a healthcare context. The HIPAA Security Rule’s training requirement applies to those employees when their roles place them within the organization’s IT security environment. A software developer working on a platform that processes electronic Protected Health Information, an HR coordinator whose email account sits on the same network as systems containing patient data, a legal team member who reviews Business Associate Agreements, and an operations manager who approves the technology stack all fall within the training obligation’s scope. This broader reach distinguishes the Security Rule from the HIPAA Privacy Rule, which directs its training requirement at workforce members whose job functions involve Protected Health Information. The HIPAA Security Rule covers any workforce member whose conduct can affect the security of electronic Protected Health Information through system access, credential use, device handling, or network activity, regardless of whether they handle patient data directly.

Why Business Associate Environments Present Distinct Security Risks

Business associate workforces interact with electronic Protected Health Information in operational contexts that differ from the clinical and administrative settings most HIPAA training content addresses. A billing company processes claims data across hundreds of covered entity clients. A cloud service provider stores electronic Protected Health Information for multiple healthcare organizations on shared infrastructure. A health IT vendor’s support staff access production systems containing patient records to resolve technical issues. In each context, a single compromised credential, a successful phishing attack, or an employee’s unauthorized use of a personal device can expose electronic Protected Health Information belonging to multiple covered entity clients simultaneously. Security awareness training for business associate workforces must reflect those operational realities and address the specific threat patterns that target vendor and service provider environments, including supply chain phishing, business email compromise exploiting covered entity relationships, and credential attacks targeting third-party administrative access.

Building a Training Program Around the Annual Cycle

Annual HIPAA Security Rule training is industry best practice for business associates because the threat environment, the regulatory framework, and the organization’s own service scope all evolve throughout the year. A business associate that expands its services to include a new category of electronic Protected Health Information processing, adopts a new platform used to access covered entity systems, or onboards a new covered entity client may face security risks its current workforce training did not address. Annual training gives the organization a structured opportunity to update content, address changes to internal security policies, reinforce reporting obligations, and produce a new completion record for each workforce member. That annual record supports the six-year documentation retention requirement under 45 CFR 164.316(b) and demonstrates to covered entity clients, OCR auditors, and internal compliance reviewers that the organization maintains a functioning and current security awareness program rather than a one-time onboarding exercise.

Online Security Training Designed for Business Associate Staff

The HIPAA Journal’s Cybersecurity Training for Business Associate Employees is built for organizations that handle electronic Protected Health Information on behalf of covered entities and need a structured online course that reflects the Security Rule obligations, threat patterns, and operational contexts specific to business associate environments. The course covers the regulatory framework governing business associates, electronic Protected Health Information safeguards, healthcare cyber threats including phishing and ransomware, password and credential security, device and media controls, email and messaging risks, incident recognition, and the reporting obligations that run from the business associate to the covered entity. It supports onboarding training before system access is granted, annual refresher delivery across the full workforce, and targeted retraining when policy changes or security events require it, and produces completion records that satisfy the individual-level documentation requirements of the Security Rule’s training mandate.

The post HIPAA Security Rule Training for Business Associates appeared first on The HIPAA Journal.

Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit

Bradford Health Services, LLC, and Bradford Health Partners, LLC, were sued over a December 2023 cybersecurity incident that exposed the personal and protected health information of current and former patients. The lawsuit states 32,425 individuals were affected by the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 28,543 individuals.

The unauthorized access was detected on December 8, 2023, and the file review determined that names, dates of birth, driver’s license numbers, medical information (including diagnosis and treatment information), health insurance information, financial account numbers, passport numbers, payment card numbers together with a means of access to the account, and/or Social Security numbers had been compromised. The data review was not completed until May 2025, and notification letters started to be mailed later that month – 18 months after the breach was first identified. The Hunters International threat group claimed responsibility for the attack and stated that more than 760 GB of data were exfiltrated from the defendants’ systems.

Multiple class action lawsuits were filed in response to the cyberattack and data breach, which were consolidated – In Re Bradford Health Services, LLC Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama, Birmingham Division, where the lawsuit is still pending. The plaintiffs allege that the data breach was due to the negligence of the defendants, who are alleged to have failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence/wantonness, negligence per se, breach of express or implied contract, and unjust enrichment.

Shortly after the consolidated class action lawsuit was filed, the parties began exploring the possibility of an early resolution to limit costs and avoid the uncertainty of a trial and related appeals. Following mediation in October 2025, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and has received preliminary approval from the court.

The defendants have agreed to pay attorneys’ fees, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. All class members are entitled to enroll in three years of medical data monitoring services and may also submit a claim for reimbursement of documented losses up to $5,000 per class member, or an alternative cash payment, which is estimated to be $150 but may be higher or lower depending on the number of claims received.

The deadline for objection and exclusion is August 3, 2026, and claims must be submitted by August 17, 2026. The final fairness hearing has been scheduled for September 1, 2026.

The post Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit appeared first on The HIPAA Journal.