HIPAA Training for IT Professionals

HIPAA training for IT professionals is required for IT workforce members who support systems that create, receive, maintain, or transmit protected health information (PHI), because HIPAA compliance depends on administrative, physical, and technical safeguards being implemented and followed consistently.

Why HIPAA Training is Necessary for IT Professionals

IT professionals influence how PHI is protected more directly than most job functions because they design, configure, administer, and monitor the systems that store and move electronic protected health information (ePHI). Even when an IT role is not clinical, IT staff may access logs, databases, backups, ticketing systems, and troubleshooting data that contain PHI. HIPAA training helps IT teams understand the privacy and security expectations that apply to their work, the consequences of misconfiguration or improper access, and the operational behaviors that reduce the risk of unauthorized access, improper disclosure, or data loss.

HIPAA training for IT should connect the HIPAA Privacy Rule and the HIPAA Security Rule to real technology workflows. IT personnel need to understand how permitted uses and disclosures relate to system administration activities, how minimum necessary applies to troubleshooting and access, and how privacy obligations intersect with incident response, auditing, and vendor management. Training should also reinforce that compliance is supported by documented policies and procedures and that IT work must align with those requirements.

IT teams can encounter PHI in many forms beyond the electronic health record. Common exposure points include directory services, authentication logs, audit trails, access reports, help desk tickets, screenshots, email archives, voicemail systems, call recordings, mobile device management platforms, endpoint logs, application databases, and data exports used for reporting or integrations. Backups and disaster recovery replicas often contain complete PHI datasets, which makes secure access control and monitoring essential. IT professionals should be trained to recognize that even metadata and identifiers, when linked to care context, can constitute PHI.

Training should address how PHI can be unintentionally copied into insecure places. Examples include attaching screenshots with PHI to tickets without proper controls, using unapproved file-sharing tools to transfer logs, storing database extracts on local drives, or leaving PHI in temporary folders after troubleshooting. Training should reinforce approved methods for handling sensitive information during support and maintenance work.
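One concrete control for the ticket and log-sharing problem described above is to scrub identifiers from troubleshooting output before it leaves the system it came from. The script below is an added example and is not part of the original article or of any vendor's tooling; the identifier patterns, the redaction labels and the sample log lines are constructed assumptions about a hypothetical application's log format and must be tuned to your own systems.

```python
"""Scrub common PHI identifiers from troubleshooting output before it is
attached to a ticket or pasted into chat.  Added example: the patterns and
the sample log below are constructed for illustration, not taken from any
real application."""
import re

# Assumed identifier formats for a hypothetical app; order matters because
# SSNs and MRNs are removed before the looser phone pattern is applied.
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN",   re.compile(r"\bMRN[:= ]?\s*\d{6,10}\b", re.IGNORECASE)),
    ("DOB",   re.compile(r"\b(?:dob|birth(?:date)?)[:= ]\s*\d{1,4}[/-]\d{1,2}[/-]\d{1,4}\b",
                         re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}(?!\d)")),
]


def redact(text):
    """Return (redacted_text, counts).

    counts maps each label to the number of matches replaced, so the
    engineer can see *that* PHI was present without the ticket carrying it.
    """
    counts = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label} REDACTED]", text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample: one clean line, one stack-trace line carrying PHI,
# one mailer line with an address.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z INFO  scheduler job=nightly-export status=ok rows=1842
2025-01-14T09:02:12Z ERROR claims-api patient MRN: 00481523 dob=1974-03-09 ssn=123-45-6789 phone=(205) 555-0134 -> NullPointerException
2025-01-14T09:02:13Z WARN  mailer bounce for j.doe@example.org
"""

if __name__ == "__main__":
    cleaned, found = redact(SAMPLE_LOG)
    print(cleaned)
    print("redactions:", found)
```

The counts dictionary is what should go in the ticket alongside the scrubbed text; it tells the next engineer that the original output contained an SSN and an MRN without reproducing them. Regex scrubbing catches structured identifiers only, so free-text names and clinical narrative still need the approved secure channel rather than a ticket attachment.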

Core IT Security Systems for Protecting PHI

A comprehensive HIPAA training program for IT professionals should reinforce the practical application of HIPAA requirements to technology operations, including the following areas.

Access controls and identity management

IT staff should understand the importance of unique user identification, strong authentication, least privilege, and timely access termination. Training should reinforce standardized provisioning and deprovisioning workflows, periodic access reviews, and the importance of aligning access with documented authorization and job duties. IT professionals should also understand how privileged accounts are controlled, monitored, and audited, and why shared credentials increase compliance and security risk.

Audit controls, monitoring, and logging

IT professionals should be trained on how audit logs support compliance, investigations, and breach analysis. Training should reinforce secure log retention, integrity controls, and monitoring processes that detect abnormal access patterns. IT teams should understand that log access itself can expose PHI, and access to logs should be controlled, justified, and documented according to policy.
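Two of the patterns audit controls exist to surface are bulk browsing of patient records (possible snooping) and use of an account after its owner's termination date (the timely-termination point from the access-control section above). The script below is an added example and is not part of the original article or of any EHR vendor's audit schema; the record format, the HR termination feed, the one-hour window and the five-patient threshold are all assumptions, and the audit lines are constructed.

```python
"""Review EHR access audit records for bulk record browsing and for access
after account termination.  Added example with constructed input: the
comma-separated record layout, the termination feed and the thresholds are
assumptions, not any vendor's format or policy."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp,user,action,patient_id
AUDIT_LOG = """\
2025-03-03T08:05:00,rn.alvarez,VIEW,P1001
2025-03-03T08:07:00,rn.alvarez,VIEW,P1002
2025-03-03T08:09:00,rn.alvarez,VIEW,P1001
2025-03-03T10:15:00,it.ops1,VIEW,P2001
2025-03-03T10:16:00,it.ops1,VIEW,P2002
2025-03-03T10:17:00,it.ops1,VIEW,P2003
2025-03-03T10:18:00,it.ops1,VIEW,P2004
2025-03-03T10:19:00,it.ops1,VIEW,P2005
2025-03-03T10:20:00,it.ops1,VIEW,P2006
2025-03-03T23:40:00,clerk.smith,VIEW,P3001
"""

# Constructed HR feed: user -> termination date, or None while active
TERMINATIONS = {
    "rn.alvarez": None,
    "it.ops1": None,
    "clerk.smith": datetime(2025, 2, 28),
}

WINDOW = timedelta(hours=1)        # assumed review window
MAX_DISTINCT_PATIENTS = 5          # assumed per-window threshold


def parse(log):
    """Parse audit lines into (timestamp, user, action, patient) tuples, sorted by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return sorted(events)


def bulk_access(events, window=WINDOW, limit=MAX_DISTINCT_PATIENTS):
    """Return {user: peak_distinct_patients} for users who touched more than
    `limit` distinct patients inside any sliding window of length `window`.

    The result deliberately carries the user and a count, not patient IDs,
    so the alert itself does not become a new PHI exposure.
    """
    by_user = defaultdict(list)
    for ts, user, _, patient in events:
        by_user[user].append((ts, patient))
    flagged = {}
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = {p for _, p in rows[start:end + 1]}
            if len(distinct) > limit:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def post_termination_access(events, terminations=TERMINATIONS):
    """Return [(user, iso_timestamp)] for accesses after the user's termination date."""
    hits = []
    for ts, user, _, _ in events:
        term = terminations.get(user)
        if term is not None and ts > term:
            hits.append((user, ts.isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse(AUDIT_LOG)
    print("bulk access:", bulk_access(evs))
    print("post-termination access:", post_termination_access(evs))
```

Both findings are the kind that should open a ticket with the privacy office rather than be resolved inside IT: a nurse reviewing two patients on her ward is normal, an administrative account walking six records in five minutes is not, and any access by a terminated account indicates the deprovisioning workflow failed regardless of what was viewed.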

Transmission and encryption practices

Training should cover secure transmission methods, including the approved use of encryption and secure portals when PHI is sent externally or transmitted between systems. IT staff should understand the organization’s standards for encryption at rest and in transit, key management practices, and how configuration choices can unintentionally downgrade security. Training should also address common risk areas such as email security, secure messaging platforms, VPN and remote access controls, and the secure configuration of APIs and interfaces that connect clinical systems.

Device and endpoint security

IT professionals should be trained on device management controls that protect ePHI across workstations, laptops, mobile devices, and shared clinical terminals. Training should reinforce patch management, endpoint protection, hardening standards, secure configuration baselines, and the handling of removable media. IT teams should understand how kiosk and shared device workflows are secured and how lockout and timeout policies reduce exposure.

Data lifecycle management

Training should address how PHI is managed across creation, storage, use, sharing, archival, and disposal. IT staff should understand retention requirements, secure deletion practices, and how to prevent PHI from being stored in unapproved locations. Backup and disaster recovery should be covered, including access controls for backup repositories, secure restoration workflows, and segregation of duties.

Incident response and breach support

IT professionals should understand the organization’s incident response process, their responsibilities during security events, and the importance of timely escalation. Training should reinforce how to preserve evidence, avoid altering logs, and coordinate with privacy and compliance teams. IT staff should be trained to recognize indicators of compromise and to report suspected incidents immediately, including phishing, credential theft, ransomware, misdirected data transfers, and misconfigurations that expose systems.

HIPAA Training for IT Professionals Working in HIPAA Covered Entities

When IT professionals work within a HIPAA Covered Entity, training should align with the Covered Entity’s policies and procedures and the operational realities of supporting clinical and administrative systems. Covered Entity IT staff should understand how HIPAA training applies to all workforce members, including management, and how their work supports organizational safeguards and compliance documentation. Training should reinforce internal processes for access authorization, change management, security risk management activities, and system maintenance. It should also address internal expectations for handling PHI during support, including how to minimize the amount of PHI used for troubleshooting and how to document access when required by policy.

Covered Entity training should also reinforce appropriate communication practices with users and departments. IT staff may receive requests for screenshots, data extracts, or configuration changes that affect PHI access. Training should emphasize that IT teams should follow approved workflows, verify requester identity and authority, and escalate uncertain requests rather than bypassing controls for convenience. IT professionals should also understand the organization’s process for privacy complaints and how IT evidence supports investigations.

HIPAA Training for IT Professionals Working in HIPAA Business Associates

When IT professionals work for a HIPAA Business Associate, training should address the additional expectations that apply to Business Associate employees and the scope limitations of working with PHI on behalf of Covered Entities. Business Associate IT staff should understand that access to PHI is permitted only to support contracted services and that information should not be used or disclosed outside that scope. Training should reinforce how minimum necessary applies to maintenance, monitoring, and support activities and why Business Associate staff must follow contractual requirements for security controls, incident reporting, and cooperation during investigations.

Business Associate training should emphasize incident reporting obligations and escalation pathways, including the requirement to report suspected incidents promptly according to internal policy and contractual terms. It should also cover how subcontractors are managed when they may handle PHI, including the need to ensure appropriate agreements and security controls are in place. Business Associate IT teams should understand that multi-tenant environments, shared infrastructure, and customer segmentation controls must be configured and monitored carefully to prevent cross-customer exposure of PHI.

Effective HIPAA Training for IT Professionals

An effective HIPAA training program should be practical, measurable, and aligned with organizational policies and technical operations. Training should be delivered within a reasonable period after hire and reinforced when responsibilities change or when systems and policies are updated. Refresher training should be provided regularly, and annual training is commonly used as an industry best practice. Organizations should document completion, retain training materials, and maintain evidence of any knowledge checks or assessments. Training effectiveness improves when it is paired with ongoing security awareness activities, such as brief updates about new phishing campaigns, reminders about secure ticket handling, and reviews of recent incidents and lessons learned.

HIPAA training for IT professionals supports HIPAA compliance by ensuring IT staff understand how to protect PHI and ePHI through secure access controls, monitoring, encryption, endpoint security, and disciplined incident response. Training should account for whether IT professionals work within a HIPAA Covered Entity or a HIPAA Business Associate and should include cybersecurity training focused on medical records and modern attack methods. Online training supports consistent delivery, flexible completion, and documented completion records, which helps IT teams and compliance programs maintain strong privacy and security practices over time.

The post HIPAA Training for IT Professionals appeared first on The HIPAA Journal.

Four Healthcare Providers Settle Class Action Lawsuits Over Data Breaches

Settlements have been agreed to resolve class action lawsuits over healthcare data breaches experienced by Alabama Cardiovascular Group, Carolina Arthritis Associates, Rocky Mountain Gastroenterology Associates, and Regional Obstetrical Consultants.

Alabama Cardiovascular Group Data Breach Settlement

Alabama Cardiovascular Group has settled a class-action data breach lawsuit arising from a data security incident detected on July 2, 2024. The investigation confirmed that an unauthorized third party accessed its network between June 6, 2024, and July 2, 2024, and exfiltrated files containing patient and employee information. Data compromised in the incident included names, contact information, Social Security numbers, health insurance information, and medical information. The data breach affected 280,534 individuals.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Tammy Brown et al., v. Alabama Cardiology Group P.C. d/b/a Alabama Cardiovascular Group – in the Circuit Court for Jefferson County, Alabama. The consolidated lawsuit asserts claims of negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, and breach of fiduciary duty. Alabama Cardiovascular Group denies all claims of liability and wrongdoing, and disagrees that the data breach caused any harm to the affected patients and employees; however, to avoid the cost of protracted litigation and the uncertainty of trial and related appeals, the decision was taken to settle the lawsuit.

Under the terms of the settlement, Alabama Cardiovascular Group has agreed to establish a $2,225,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the class representatives, and benefits for the class members. Class members are entitled to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may choose to receive a pro rata cash payment, which will be paid from the residual funds after costs and expenses have been deducted and claims have been paid. Whichever cash benefit is chosen, class members are also entitled to two years of credit monitoring services. The deadline to opt out of (request exclusion from) the settlement is February 4, 2026. Claims must be submitted by March 6, 2026, and the final approval hearing has been scheduled for March 20, 2026.

Carolina Arthritis Associates Data Breach Settlement

Carolina Arthritis Associates has agreed to settle a consolidated class action lawsuit over a September 2024 data breach. The Carolina Arthritis Associates data breach was identified on September 27, 2024, and the investigation determined that files containing patient data may have been exfiltrated from its network between September 26, 2024, and September 30, 2024.

The file review confirmed that names, birth dates, treatment/procedure information, medical record numbers, provider names, and Social Security numbers may have been stolen. Up to 36,961 individuals were affected by the data breach. Multiple class action lawsuits were filed in response to the data breach, alleging that Carolina Arthritis Associates failed to implement reasonable and appropriate security measures to protect sensitive data on its network. The lawsuits were consolidated – In re Carolina Arthritis Associates Data Incident Litigation – in the General Court of Justice, Superior Court Division for New Hanover County, North Carolina. Carolina Arthritis Associates denies all claims of wrongdoing and liability but agreed to settle the litigation to avoid the cost and time of protracted litigation and the uncertainty of trial.

Carolina Arthritis Associates has agreed to establish a $600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. After those costs have been paid, the remainder of the settlement fund will be used to pay benefits to the class members. Class counsel and the class representatives believe the settlement is fair, and the settlement has received preliminary approval from the court.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, a claim may be submitted for a pro rata cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased based on the number of claims received. In addition, credit monitoring and identity theft protection services have been offered to the affected individuals for two years. The deadline for objection and opting out of the settlement is February 6, 2026. The deadline for submitting a claim is February 23, 2026. The final fairness hearing has been scheduled for March 10, 2026.

Regional Obstetrical Consultants Data Breach Settlement

Regional Obstetrical Consultants has settled a class action lawsuit over a May 2024 data breach affecting 25,787 current and former patients. An unauthorized third party gained access to its network on or around May 6, 2024, and potentially obtained names, dates of birth, addresses, phone numbers, medical record numbers, insurance ID numbers, diagnoses, medical histories, and procedure information. The affected individuals were notified on January 22, 2025.

Three class action lawsuits were filed against Regional Obstetrical Consultants over the data breach. The lawsuits had overlapping claims, and were consolidated into a single action – Heidi Davis et al. v. Regional Obstetrical Consultants, P.C. – in the Chancery Court of Hamilton County, Tennessee. The consolidated lawsuit alleged the data breach occurred as a result of the failure to implement reasonable and appropriate security measures, and asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty.

Regional Obstetrical Consultants denies all claims of wrongdoing and liability; however, to avoid the cost, time, and distraction of prolonged litigation and the uncertainty of trial, the decision was taken to settle the litigation. Under the terms of the settlement, class members may submit a claim for one of three benefits. A claim may be submitted for reimbursement of documented, unreimbursed, extraordinary losses up to a maximum of $7,500 per class member. Alternatively, a claim may be submitted for reimbursement of documented ordinary losses up to a maximum of $2,000 per class member, or a pro rata cash payment may be claimed, which is estimated to be $50 per class member but may be higher or lower based on the number of claims received. The deadline for exclusion and objection is January 31, 2026. The deadline for submitting a claim is February 15, 2026. The final fairness hearing has been scheduled for March 2, 2026.

Rocky Mountain Gastroenterology Associates Data Breach Settlement

Rocky Mountain Gastroenterology Associates has agreed to settle class action litigation over a data breach that was identified on September 13, 2024, involving unauthorized access to the electronic protected health information of 366,491 patients. Data compromised in the incident included names, addresses, dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance identification numbers, and health information such as diagnoses and treatment information.

Notification letters started to be mailed to the affected individuals on November 13, 2024, and the first class action lawsuit was filed on December 19, 2024, by plaintiff David Davis. Further lawsuits were filed by other affected individuals. The lawsuits were consolidated – David Davis et al. v. Rocky Mountain Gastroenterology Associates PLLC – in the Colorado District Court for Jefferson County, as the lawsuits had overlapping claims. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and for declaratory judgment. Rocky Mountain Gastroenterology Associates denies all claims of wrongdoing and liability.

Shortly after the consolidated class action lawsuit was filed, all parties began to explore the possibility of early resolution, and following mediation, the material terms of a settlement were agreed upon. The settlement has now been finalized and approved by the court. Under the terms of the settlement, class members are entitled to two years of complimentary credit monitoring and identity theft protection services, retailing at $14.95 per month. In addition, class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach. The reimbursement claims have been capped at $1,000 per class member. The deadline for submitting a claim is February 2, 2026.


Blue Cross Blue Shield of Montana Faces Data Breach Probe

Health Care Service Corporation, doing business as Blue Cross Blue Shield of Montana (BCBSMT), is facing a probe into whether the company complied with Montana’s breach notification law following a significant data breach that impacted approximately 462,000 Montanans.

Like many health insurance providers, BCBSMT contracted with Conduent Business Services, a business associate that provides back-office administrative services to HIPAA-covered entities and government agencies. On January 13, 2025, Conduent identified unauthorized access to its network, and its forensic investigation confirmed that a threat actor had access to its network for three months between October 13, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details, and claims information. The Safepay ransomware group claimed responsibility for the attack.

Conduent disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC) on April 9, 2025, although at the time the investigation was ongoing to determine the extent of the data breach. It has been more than a year since the attack was detected, and it is still unclear how many individuals have been affected. The Oregon Attorney General was notified that around 10.5 million individuals had been affected nationwide, and subsequently, the Texas Attorney General was informed that 14.7 million Texas residents had been affected.

In January 2025, BCBSMT was notified by Conduent that it was one of the affected clients; however, BCBSMT did not notify the affected individuals until October 2025 – a year after Conduent’s systems were first breached and 9 months after it first learned that it had been affected. State regulators launched a probe to determine if BCBSMT was compliant with state data breach notification law, which requires notifications to be issued without unreasonable delay. State regulators also seek to establish the circumstances surrounding the data breach.

The Montana Office of the Commissioner of Securities and Insurance (CSI) scheduled a public administrative hearing on January 22, 2026, to gather evidence about the breach, establish a timeline of events, and determine how BCBSMT responded to the incident. BCBSMT sought a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from taking place; however, the court denied the request.

“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Montana CSI communications director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course.”

A Hearing Examiner will review the record from the hearing and will propose a decision for the Commissioner to consider. The Commissioner will publish further information about the timeline of events to ensure transparency over the lengthy delay in issuing breach notifications.
