Author Archives: PJ Murray

Why Healthcare Staff Need HIPAA Training for Social Media

Healthcare staff need HIPAA training for social media because a single post, photo, or comment can expose Protected Health Information (PHI), trigger a reportable breach, damage the organization’s reputation, and create personal legal risk for the employee. Social media feels informal and personal, but the HIPAA Privacy Rule and HIPAA Security Rule still apply every time a staff member talks about patients, work cases, or the workplace online.

How social media turns everyday moments into HIPAA risk

HIPAA does not only protect obvious identifiers like a name or medical record number. Any detail that can reasonably identify a person or connect them to a health condition, diagnosis, or treatment can qualify as Protected Health Information. A photo of a recognizable tattoo, a description of “the only serious car wreck in town last night,” or a story about a local public figure receiving care can all reveal who the patient is, even if no name appears.

Social media amplifies this risk. Once something is posted, the author loses control over where it goes, who screenshots it, or how it is edited and reused. Deleted posts can live on in private messages and group chats. Staff may believe that limiting a post to friends or using privacy settings keeps it safe, but friends and followers can still recognize patients, locations, or events and share that information with others. Without specific training, many employees underestimate how easy it is for patients, families, co-workers, and regulators to connect the dots.

Misunderstandings that drive HIPAA violations online

Most staff who get into trouble on social media did not wake up intending to violate HIPAA. They often misunderstand what the law covers or how easy it is to identify a patient. A common belief is that removing a name or blurring a face is enough. Staff may think that talking about “a patient I had today” or “a wild case in the ICU” is acceptable as long as they avoid names or use casual language.

Another problem is emotional pressure. Healthcare work is stressful, sad, and sometimes dramatic. Staff feel a real need to vent, seek support, or share meaningful experiences. In a moment of frustration, pride, or grief, it can feel natural to post a story, image, or video. That impulse to be heard and validated can override training or policy, especially if the person never truly understood how HIPAA applies online.

Some individuals also use social media as a form of self-promotion or branding, highlighting cases or patient interactions to showcase their skill or compassion. When those posts include any identifying details, they become impermissible disclosures. A good training program needs to address not just rules, but these emotional and social drivers of behavior.

Why organizational policies are strict about social media

Most healthcare organizations now have broad social media policies that cover both official and personal use. These policies usually extend beyond the major platforms and include blogs, online forums, messaging apps, and even personal email used from work devices. They often apply not only to original posts but also to actions such as liking a patient’s post, commenting on someone else’s content about a patient, or resharing material that mentions the organization.

Policies may restrict personal social media activity on workplace devices or during work hours. They may authorize the organization to monitor certain activity or block specific sites. Sanctions for violations can include mandatory retraining, written warnings, suspension, or termination. The stakes are high because a single post can harm a patient, damage community trust, attract media attention, and trigger an investigation. Intentional PHI disclosure on social media can create individual criminal exposure.

Staff need training to understand what the policy says in practical terms. They need concrete examples of forbidden behavior, clear explanations of permitted uses, and transparency about how monitoring and sanctions operate.

Personal legal consequences for staff who misuse social media

The risks are not only professional. Impermissible disclosures of PHI on social media for personal gain can be treated as wrongful disclosures under federal law. That can lead to civil fines and, in serious cases, criminal penalties. Liability is possible even if the employee did not personally press the publish button. A person who shares confidential details with a colleague, knowing that the colleague is likely to post about it, can share responsibility for the disclosure.

Personal gain does not have to be financial. Posts that highlight a shocking case to gain followers, sympathy, or status can still be viewed as motivated by gain. Families or individuals whose privacy was breached can pursue civil lawsuits, adding another layer of risk for both the organization and the individual staff member. Effective training should make these consequences real through scenarios and case examples, while still keeping the focus on prevention rather than fear.

Appropriate, compliant uses of social media in healthcare

Staff also need to see that social media is not entirely off limits. Many organizations use official accounts to share public health information, educational content, research updates, and general service announcements. These activities can support community engagement and patient education when they avoid individual patient information and follow internal approval workflows.

Training should distinguish clearly between official, controlled communication and personal accounts. Staff must understand that personal accounts are not appropriate channels for discussing care, answering clinical questions, or coordinating treatment. Even when patients reach out first, staff should redirect them to secure, approved communication methods. Clear boundaries make it easier for employees to participate safely in the organization’s online presence.

Staff HIPAA Training for Social Media

HIPAA social media training should first explain what counts as Protected Health Information in an online context, including any detail or image that could reasonably identify a patient or link someone to a diagnosis, condition, or treatment. Staff need to understand that posting this information on personal accounts is almost always an impermissible disclosure unless there is a valid, informed HIPAA authorization, and that once something is posted it can be copied, manipulated, and shared beyond their control.

The training should then walk through the organization’s social media policy and give clear examples of prohibited behavior and acceptable use. That includes explaining that policies often apply to blogs, forums, messaging apps, and even likes or comments, not just obvious posts on major platforms. Staff should see how real cases have led to discipline, fines, loss of employment, and even criminal charges, and they should know how to report a concern to the HIPAA Privacy Officer or other designated contact.

Training should close by reinforcing simple rules for staying safe on social media, emphasizing that work experiences and patient information belong in secure, approved channels, not on public or semi-public platforms.

The post Why Healthcare Staff Need HIPAA Training for Social Media appeared first on The HIPAA Journal.

Do your Staff need Training on HIPAA in Emergency Situations?

Emergencies in healthcare are not limited to extreme weather, wildfires, or other natural disasters. Today’s most disruptive incidents are just as likely to be cyberattacks, EHR downtime, system outages, and infrastructure failures. On a more localized level, organizations also face disruptive, aggressive, or violent patients and visitors who create immediate safety risks and require rapid, compliant decision‑making. Across all these scenarios, HIPAA continues to apply and staff must know how to act quickly while protecting patient privacy.

Effective HIPAA training equips staff to make permitted disclosures for treatment and care coordination during urgent situations without guessing. It helps staff understand when information may be shared with family or friends involved in a patient’s care, how to communicate with public health authorities, and when disaster relief organizations may receive limited information to help locate or notify individuals. It also clarifies that the minimum necessary standard does not limit disclosures for treatment, while guiding staff to limit other disclosures to what is reasonably needed.

HIPAA in Emergency Situations

HIPAA compliance officers must navigate a wide spectrum of emergencies that challenge normal operations and require staff to apply HIPAA under pressure. These events fall into two broad categories. The first involves system‑wide operational disruptions, which can halt access to ePHI, interrupt clinical workflows, or compromise critical infrastructure.

Natural disasters, cyberattacks, EHR downtime, system outages, and infrastructure failures can all force organizations into contingency mode. These situations often require coordinated action across clinical, IT, and compliance teams and activate HIPAA’s contingency planning requirements.

The second category involves localized safety emergencies, which occur far more frequently and demand immediate, on‑the‑ground decision‑making. Disruptive, aggressive, or violent patients, threatening or unstable visitors, and behavioral health crises that escalate into safety risks can all create urgent situations where staff must balance safety with privacy obligations.

Although this second category of incidents rarely triggers organization‑wide emergency preparedness plans, these incidents still require personnel to make rapid HIPAA decisions, particularly around the imminent danger standard, the minimum necessary requirement, and appropriate communication boundaries.

Across both categories, whether the disruption affects the entire organization or a single unit, staff must understand how HIPAA applies when normal operations are disrupted and quick judgment is essential.

HIPAA Training for System‑Wide Disruptions

During natural disasters, cyberattacks, outages, and infrastructure failures, staff must know how to:

  • Access essential information during downtime
  • Permissibly disclose PHI to emergency services personnel
  • Document care using approved paper or downtime workflows
  • Secure temporary records and re‑enter data safely once systems are restored
  • Avoid insecure workarounds such as using personal or unapproved tools and services
  • Verify patient identity when electronic tools are unavailable

Training should reinforce that HIPAA’s Privacy and Security Rules remain fully in effect, even when systems are compromised.

HIPAA Training for Localized Safety Emergencies

Disruptive or violent behavior creates immediate risks to staff, patients, and visitors. HIPAA training should prepare personnel to:

  • Recognize when the imminent danger standard permits disclosure of limited PHI
  • Share only the information necessary to protect individuals on site
  • Document what was disclosed, to whom, and why
  • Avoid unnecessary post‑incident discussion or over‑disclosure
  • Understand when behavioral information is PHI and when it is not
  • Coordinate with security teams without violating privacy boundaries

These scenarios are among the most common sources of privacy lapses because staff act quickly, often without clear guidance. Training must close that gap.

Contingency Planning, Emergency Preparedness, and HIPAA Expectations

Effective emergency readiness requires strong HIPAA contingency planning supported by clear HIPAA Privacy Rule guidance. HIPAA Security Officers must ensure that the confidentiality, integrity, and availability of ePHI can be maintained during any disruption, and staff should understand how backup and recovery processes work, what emergency mode operations look like in practice, and their specific responsibilities during downtime.

HIPAA Training must also clarify how permissible uses and disclosures function in emergencies. Staff must understand that disclosures for treatment may proceed without delay, the minimum necessary standard still applies to most non‑treatment disclosures, and that patient authorization is still required for uses and disclosures not otherwise permitted by the Privacy Rule, even during emergencies. Staff should also know how to escalate suspected breaches or unusual system behavior and how these expectations apply during both system‑wide and localized incidents.

For Medicare and Medicaid participants, integrating HIPAA contingency planning with CMS Emergency Preparedness requirements creates a unified response framework. This alignment reduces confusion during incident command activation, clarifies communication channels and decision‑making authority, and ensures staff understand how HIPAA’s Privacy and Security Rules operate within broader emergency operations, particularly during incidents where coordinated action is essential.

HIPAA Flexibilities and Expectations in Emergencies

HIPAA provides important flexibilities that support emergency response, but these flexibilities operate within clear boundaries that staff must understand. During widespread events such as major natural disasters, the HHS Office for Civil Rights may announce temporary enforcement discretion for specific provisions of the HIPAA Privacy Rule, but this discretion is always limited, temporary, and formally communicated. Staff must continue following HIPAA as usual unless leadership explicitly advises otherwise.

Key Takeaways for HIPAA Compliance Officers

  • HIPAA continues to apply during system-wide or localized emergencies.
  • Staff must be trained to make rapid, lawful disclosures for treatment and safety.
  • Cyberattacks and outages now trigger HIPAA contingency plans more often than natural disasters.
  • Disruptive patients and visitors create high‑frequency safety emergencies that require clear HIPAA guidance.
  • Training must address downtime workflows, secure communication, and re‑entry procedures.
  • Aligning HIPAA contingency plans with CMS Emergency Preparedness strengthens organizational readiness.
  • HIPAA flexibilities support emergency response but require clear understanding. Enforcement discretion must never be assumed.

A well‑trained workforce is your strongest asset during emergencies. When staff understand how HIPAA operates under pressure, they protect patients, support continuity of care, and reduce organizational risk.


Does your Staff Understand the Role of HIPAA Officers?

Most healthcare staff know that HIPAA exists, yet many do not really understand who the HIPAA officers are or how those officers support their daily work. When staff see HIPAA Privacy and Security Officers only as rule enforcers or distant administrators, they miss a key resource that can help them make better decisions, prevent incidents, and resolve problems before they become reportable breaches.

Why it Matters that Staff Understand HIPAA Officer Roles

HIPAA is a moving target. Rules, implementation specifications, technology, and internal processes change over time. No front-line employee can track every update or interpret every nuance alone. The HIPAA Privacy Officer and HIPAA Security Officer exist to take on that responsibility at an organizational level and to translate it into clear, practical guidance for the workforce.

If staff do not understand what these officers do, they are less likely to ask questions when they feel unsure, less likely to report potential incidents quickly, and more likely to handle concerns informally or ignore warning signs. That puts patients, the organization, and the individual employee at greater risk.

The HIPAA Compliance Officer from the Staff Perspective

From the staff perspective, the HIPAA Compliance Officer plays a central and highly visible role in shaping how privacy and security expectations are understood and applied across the organization. Employees look to the compliance officer for practical guidance on how HIPAA requirements affect their specific duties, whether that involves handling patient records, communicating with vendors, responding to information requests, or managing incidents and near misses. The compliance officer is often the primary source of training and awareness, translating complex regulations into clear policies, procedures, and examples that staff can follow with confidence. Beyond training, the role includes listening to employee concerns, encouraging early reporting of potential issues, and creating a safe environment where questions and mistakes can be addressed without fear of retaliation. Staff also depend on the HIPAA Compliance Officer to coordinate audits, monitor compliance activities, and communicate changes in rules or organizational practices in a timely and understandable way. When the role is performed well, employees see the compliance officer as a trusted partner who supports ethical behavior, promotes consistency in decision making, and helps everyone contribute to protecting patient information as part of their everyday work.

The HIPAA Privacy Officer from the Staff Perspective

The HIPAA Privacy Officer is the person charged with building and running the privacy side of your HIPAA program. This role includes developing and implementing workplace privacy policies, making sure training reaches the workforce, and checking whether people actually follow those policies in real work settings.

When privacy rules or organizational practices change, the HIPAA Privacy Officer assesses the risks, updates the policies, and arranges extra HIPAA training so staff know what has changed and why. Staff should understand that this is the person who connects regulatory requirements and internal policies to the way front-line work is done.

The HIPAA Privacy Officer is also the organization’s main point of contact for patients and members of the public who want to exercise HIPAA rights, ask privacy questions, or file complaints, and there is an important human element to this patient rights work. That means the HIPAA Privacy Officer sits at the center of communication between the organization, its workforce, patients, and regulators. From a staff point of view, this is the person who investigates privacy concerns, decides whether a data breach report is required, and applies sanctions when staff violate privacy or breach notification standards.

Some tasks can be delegated to other senior staff, yet the HIPAA Privacy Officer keeps ultimate responsibility for privacy compliance. When employees understand this, they know where to take questions about policies, patient rights, and privacy complaints, and they can see the officer as a resource rather than just a source of discipline.

The HIPAA Security Officer from the Staff Perspective

The HIPAA Security Officer focuses on the protection of electronic health information. This officer develops and implements security policies and procedures designed to support compliance with the HIPAA Security Rule. That includes not only which technical safeguards the organization uses, but also how staff must use those safeguards in practice.

To support this work, the HIPAA Security Officer conducts HIPAA risk assessments, chooses appropriate security mechanisms, and designs a security awareness training program for the entire workforce. From the employee’s point of view, this is why there are rules about passwords, phishing emails, device use, remote access, and incident reporting. The HIPAA Security Officer turns the broad HIPAA Security Rule into specific expectations for daily behavior.

The HIPAA Security Officer also monitors compliance with security policies and can apply sanctions when staff break those rules, even when the violation is unintentional. This same officer is responsible for plans that protect the confidentiality, integrity, and availability of health information during emergencies. Those plans cover backup processes, contingency operations, emergency mode procedures, and disaster recovery, and staff rely on them when systems fail or disasters occur.

Depending on how roles are distributed, the HIPAA Security Officer may also handle breach reporting, Business Associate Agreements, and responses to external compliance assessments. Staff who understand this role know why certain technical rules exist and who to approach with concerns about security controls or suspicious activity.

HIPAA Officers as Partners, not just Enforcers

Privacy and Security Officers must enforce policies and manage incidents, but their role is not limited to catching errors and imposing discipline. In a healthy compliance culture, these officers are visible and approachable. Many maintain an open door policy and actively encourage staff and students to ask questions, raise concerns, and report possible violations.

When staff see HIPAA officers only as “the people who get you in trouble,” they may hide mistakes or stay silent about near misses. When they see officers as partners who can explain the rationale behind rules and help resolve issues, concerns surface earlier. That early detection can prevent harm, reduce the scope of a breach, and avoid escalation from a minor violation to a major event.

Staff should know who their HIPAA Privacy Officer and Security Officer are, where and how to reach them, and what types of questions or issues belong with each role. A brief introduction at orientation and early in role-based training can make later conversations much easier.

Risks when Staff do not Understand HIPAA Officer Roles

If staff cannot explain what the Privacy and Security Officers do, they are less likely to use those roles effectively. They may send patient complaints to the wrong place or fail to escalate a serious privacy concern. They might treat training as a one-time requirement without realizing that officers use training to communicate important policy changes. They may also assume that small violations do not need to be reported if no one seems hurt.

That lack of understanding undermines incident management and can harm the organization’s response to audits and investigations. It also increases personal risk for staff, because unreported or mishandled issues are more likely to resurface later in a worse form.

What Training for Staff about HIPAA Officers Should Cover

HIPAA training should give a clear picture of the HIPAA Privacy Officer’s responsibilities in language that fits staff experience. That includes policy development, workforce training, privacy monitoring, patient-facing duties, investigation of alleged violations, and coordination with regulators and business associates. Staff should hear how those responsibilities show up in daily practice, such as updated privacy notices, revised authorization forms, or follow-up after a complaint.

Training should also cover the HIPAA Security Officer’s responsibilities. Staff need to understand that this officer oversees security policies, risk assessments, security awareness training, monitoring of technical and procedural safeguards, and emergency planning for information systems. The training should link common expectations, such as mandatory security modules or new login procedures, back to the Security Officer’s role so staff can see the connection.

A section of the training should focus on communication. Staff should learn that HIPAA Officers are available to answer questions, clarify procedures, and discuss concerns. The HIPAA training content should encourage staff to contact the HIPAA officers.

Training should also explain the boundary between delegation and ultimate responsibility. Staff should understand that while some tasks may be assigned to supervisors, managers, or other specialists, the named officers still carry overall responsibility for HIPAA compliance.


10 Step Guide to Choosing HIPAA Training for Employees

Choosing HIPAA training for employees should be about compliance outcomes, not simply the optics of checking a box for mandatory training. This 10-step guide helps you select HIPAA training courses that build real HIPAA compliance knowledge, reduce common errors, and prepare employees to apply HIPAA correctly from day one. It helps you avoid checkbox training and invest in learning that improves employee compliance performance, ultimately reducing HIPAA violations and HIPAA breaches.

Step 1: Review the course curriculum and verify that it is specifically designed for employees.

Verify that the training was designed for the staff who will receive it. There is little point in giving employees HIPAA training designed for compliance officers, or manager-level training focused on the compliance programs of HIPAA-covered entities.

Step 2: If the training provider does not state who produced the training, then ask for this information.

When selecting HIPAA training, evaluate substance and outcomes, not slide count. Effective courses go beyond reciting regulations and show how the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule translate into concrete tasks and decisions for employees. Begin with the source of the training content. Prefer curricula developed and maintained by recognized HIPAA subject-matter experts that have been designed with input from and then reviewed by HIPAA Privacy Officers and HIPAA Compliance Officers. The officers understand how violations occur and can teach recurring patterns, such as misdirected messages, wrong-patient access, and casual disclosures, and the precise steps that prevent them.

Step 3: If the training does not have a release date, then ask when it was produced.

Verify that the content is up-to-date because HHS and OCR guidance evolves, enforcement priorities shift, and new technologies introduce fresh risks. High-quality training is actively updated to reflect new laws, guidance, and enforcement trends, rather than remaining static.

Step 4: Prioritize practical advice over theory

Ensure the HIPAA training prioritizes practical scenarios over abstraction or simply repeating regulations. The training must use realistic examples such as unattended workstations, unapproved applications, and over-sharing on phone calls.

Step 5: Verify that training has modules covering evolving threats like social media and AI tools.

The training must also address modern risk areas, including generative AI tools, social media, messaging platforms, remote work, and personal devices.

Step 6: Choose training focused on risk reduction

Training cannot eliminate HIPAA violations and HIPAA breaches, but well-designed modules reduce both likelihood and impact by targeting behaviors behind common incidents. Make sure that the content is focused on prevention and response. The training must identify typical errors, such as lost devices, unencrypted email, and improper disclosures, and specify who to notify, what to document, and when to escalate.

Step 7: Review the trainee learning experience

An effective learning experience is practical, accessible, and respectful of time. Online, self-paced modules with pause and resume controls suit shift work and clinical interruptions. Mobile-friendly delivery across desktop, tablet, and phone improves the completion rate of training. When staff can access training easily, learn at a sensible pace, verify understanding, and obtain help as needed, they make better decisions, and the compliance program becomes measurably stronger. Make sure that the training is available for the full year until the next annual session so that employees can review it as many times as they need to refresh their knowledge. The learning experience is also improved by quizzes after each topic covered: knowing they will be tested at the end of each topic immediately improves trainees’ attention.

Step 8: Training management features

Online HIPAA training provides managers with the opportunity to monitor the progress of employees during their HIPAA training and confirm that the training has been completed. It is also necessary to retain training records for a minimum of six years.

Step 9: Include state privacy laws where necessary

HIPAA training also means training in the related state medical record privacy and security laws. Certain states, such as Texas and California, have mandatory state medical privacy laws that are stricter than HIPAA. Additional state data privacy laws also apply to medical records.

Step 10: Don’t forget cybersecurity training

Integrate HIPAA with cybersecurity awareness for any staff who have access to medical records on computers. Many large-scale HIPAA breaches begin with general cyber risks, including phishing, weak credentials, unsafe USB use, and credential sharing. Pair HIPAA content with focused cybersecurity modules on human error, phishing recognition, secure messaging, credential management, and removable media.

Choose HIPAA Training That Changes Behavior

This guide recommends selecting HIPAA training that is designed for employees, identifies who produced the content, and includes a clear release date. It emphasizes practical scenarios over theory, with up-to-date modules that address social media, AI tools, messaging, remote work, and personal devices. It calls for risk-focused instruction that identifies common errors such as lost devices, unencrypted email, and improper disclosures, and that specifies who to notify, what to document, and when to escalate. It also highlights a learning experience that is self-paced, mobile-friendly, and available for the full year so employees can review as needed. The guide advises pairing HIPAA training with cybersecurity modules for staff who access medical records on computers.


Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas

In addition to HIPAA and the Texas Medical Records Privacy Act/HB300, several other laws apply to the privacy and security of medical records in Texas. Laws such as the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 and the Texas Medical Practice Act create a layered system of protections that often go beyond HIPAA’s minimum requirements.

Before HIPAA, medical confidentiality in Texas was governed mainly by the Texas Health and Safety Code, which already limited how health information could be used and disclosed, and gave patients rights to see their records. HIPAA then introduced federal privacy and security rules, but only for a narrower group of “covered entities.” To close that gap, Texas passed the Texas Medical Records Privacy Act in 2001, extending HIPAA-style protections to more organizations that handle Texans’ health information. HB300, passed in 2011, strengthened that Act by tightening rules for electronic disclosures, shortening deadlines for responding to patient access requests, and expanding breach notification requirements. HB300 is important, but it operates alongside a broader set of Texas privacy and security laws.

The Texas Identity Theft Enforcement and Protection Act (TITEPA) is not limited to healthcare, but it heavily affects healthcare organizations because it applies to any business that handles personal identifying information about Texas residents. Its definition of “sensitive personal information” is broader than HIPAA’s definition of PHI, so some data that is not PHI still has to be protected as if it were. Organizations must secure this information, dispose of it safely, and notify individuals (and sometimes the Attorney General) if computerized sensitive personal information is acquired by an unauthorized person. Because these requirements sit next to HIPAA’s breach rules, many healthcare organizations in Texas treat all patient-related information like PHI and apply HIPAA-level safeguards across the board.

The Texas Data Privacy and Security Act (TDPSA) is aimed at consumer data generally, but it also touches healthcare. Covered entities and business associates are exempt for PHI but not for other personally identifying data they collect, such as marketing lists, website tracking data, appointment booking details, or some HR data. For this non-PHI data, organizations must limit collection to what is necessary, obtain informed consent for certain uses (such as targeted marketing), and honor rights to access, correct, or request deletion where those rights apply. Deletion rights do not override medical record retention requirements, so PHI and medical records still must be kept according to Texas rules.

The Texas Responsible AI Governance Act and SB1188 add AI- and EHR-specific obligations. The AI Governance Act applies broadly to developers and users of AI, including healthcare organizations that use AI in clinical or administrative workflows. Patients must be told when AI is used in diagnosis or clinical decision support (outside emergencies), and patient authorization is required if PHI is sent to AI systems for purposes beyond treatment, payment, healthcare operations, or required-by-law disclosures. 

SB1188 goes further by requiring AI-generated diagnostic outputs to be reviewed under standards set by the Texas Medical Board and documented in the medical record, and by imposing specific security and functionality requirements on EHRs. It restricts storing certain data types in EHRs, such as credit scores or voter-registration status, and sets rules around parental access to minors’ electronic records – with exceptions for sensitive services such as reproductive, substance use, or mental health care.

The Texas Medical Practice Act and related code provisions add professional and confidentiality duties for licensed healthcare professionals on top of all this. In many cases, state law requires written consent for disclosures that go beyond treatment, payment, healthcare operations, or disclosures explicitly required by law, and adds extra protections for especially sensitive categories such as mental health, substance use, HIV testing, and genetic information. These provisions are updated regularly and can override or refine how other laws apply in specific scenarios.

Because all of these laws overlap, organizations that handle medical information about Texas residents generally follow a “most protective law wins” approach. HIPAA and the Texas Medical Records Privacy Act/HB300 are central pieces of Texas medical privacy law, but real-world practice is also shaped by TITEPA, the TDPSA, the Responsible AI Governance Act, SB1188, and the Medical Practice Act. For workforce members, the safest course is to follow organizational policies, complete required training, and ask their privacy or compliance teams when they are unsure.
The post Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas appeared first on The HIPAA Journal.

More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California?

The Confidentiality of Medical Information Act (CMIA) is just one of several state laws and regulations that apply to medical privacy in California and influence how staff handle patient information. Alongside HIPAA and CMIA, healthcare organizations may also have to comply with the Patient Access to Health Records Act (PAHRA), Medi-Cal confidentiality rules, California’s Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), state rules governing artificial intelligence in healthcare (including CCPA’s automated decision-making regulations), and SB81 on patient access and protection. Together, these laws help explain why privacy and security policies in California can look different from those in other states. 

HIPAA was designed to create a national “floor” of privacy and security standards, but in California that floor is only the starting point. When state law gives patients more rights or stronger protections than HIPAA does in a particular area, the California law takes precedence for that issue, while HIPAA still applies in the background. As a result, California providers often have to reconcile multiple overlapping rules when deciding how to use, disclose, and protect health information.

CMIA is the core California medical privacy statute. It applies broadly to providers, plans, contractors, and many consumer-facing digital health apps when they store or process identifiable medical information. CMIA tightly limits when information can be used or disclosed without authorization, adds extra protections for sensitive services, and requires safeguards for electronic information. A key difference from HIPAA is CMIA’s private right of action, which allows patients to sue for negligent, unauthorized disclosures, even when there was no intent to cause harm. That is a major reason California organizations stress strict access control, “need-to-know” use of records, and zero tolerance for snooping or gossip.

PAHRA strengthens and accelerates patient access rights beyond HIPAA. California providers generally must acknowledge or respond to access requests within a few days and provide copies within a much shorter deadline than HIPAA’s. Patients can also submit an addendum to correct or clarify their records, and that addendum must be attached with future relevant disclosures. PAHRA and CMIA together also limit parental access to minors’ sensitive records when the minor has the right to consent to care, so staff must pay close attention to who is entitled to see what.

Other important laws fill gaps that HIPAA and CMIA do not fully cover. Medi-Cal regulations protect beneficiary information, including social and economic data used for eligibility and benefits, and restrict its use mainly to treatment, billing, and program administration. CCPA/CPRA applies to eligible businesses for personal information that is not PHI or CMIA “medical information,” such as website tracking data, marketing lists, and some HR records. CCPA/CPRA also gives consumers rights to know, correct, and in some cases delete data. California also regulates the use of AI in healthcare through a mix of privacy, consumer, and professional rules that emphasize transparency, security, and maintaining human clinical judgment. In practice, these rules often appear as internal policies: which AI tools may be used, what kind of data may be entered, how outputs must be reviewed, and when patients must be informed.

SB81, California’s Patient Access and Protection law, adds targeted protections for immigration-related information. It treats a patient’s place of birth and immigration status as protected medical information and prohibits disclosures for immigration enforcement without a valid authorization or court order. It also requires healthcare organizations, including public college health centers, to establish “safe” non-public areas where patients can receive care without fear of immigration agents entering unless they have proper legal authority. This law shapes how front desks, security, and clinical teams respond to requests from law enforcement and why staff should receive specific training on these scenarios.

Because all these laws overlap, California healthcare organizations usually design their policies around the most protective rule that applies. CMIA is central, but real-world privacy practice is also shaped by PAHRA, Medi-Cal rules, CCPA/CPRA, AI-related requirements, and SB81. For healthcare staff and students, the safest approach is to follow their organization’s written policies, complete required training, and ask their privacy or compliance team whenever they are unsure. This overview is for training and general information, not legal advice, but it highlights why CMIA is just one piece of a much larger California privacy framework.

The post More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California? appeared first on The HIPAA Journal.

What training does The HIPAA Journal provide?

The HIPAA Journal provides a full suite of online HIPAA and related cybersecurity training programs, designed for different roles and types of organizations.

The main HIPAA products are:

  • Accredited HIPAA Certification for Individuals
    A certificate course for people entering or progressing in healthcare that covers HIPAA rules and real-world scenarios, and issues an accredited certificate that can be shown to employers and used during onboarding.

  • HIPAA Training for Healthcare Employees
    A workforce course for covered entities of all sizes that satisfies HIPAA training requirements on HIPAA rules and regulations, suitable for new-hire onboarding and annual refresher training, with lessons focused on how to safeguard protected health information in day-to-day work.

  • HIPAA Training for Small Medical Practice Employees
    A version of the workforce course tailored to small medical practices, with extra modules on the specific HIPAA challenges they face, also suitable for onboarding and refresher training.

  • HIPAA Training for Students
    A course for healthcare students and faculty that satisfies HIPAA training requirements for students working in any HIPAA-covered environment and includes student-specific modules and examples to prepare them for clinical placements.

  • HIPAA Training for Business Associate Employees
    A dedicated course for employees of business associates that meets HIPAA training requirements and includes modules on the particular compliance challenges that arise when handling protected health information on behalf of covered entities.

The main cybersecurity products are:

  • Cybersecurity Training for Healthcare Employees
    A certificate course for healthcare staff that teaches them to recognize cyber threats and handle health records securely, providing practical, attacker-focused cybersecurity awareness to sit alongside standard HIPAA training.

  • Cybersecurity Training for Healthcare Students
    A cybersecurity course for healthcare students and faculty that can be added to HIPAA Training for Students, giving learners extra protection by teaching online threat awareness and safer behavior before and during clinical placements.

  • Cybersecurity Training for Business Associate Employees
    A healthcare-focused cybersecurity course for employees of business associates that complements HIPAA Training for Business Associate Employees, with content aimed at reducing the risk of breaches when vendors and service providers handle patient data.

  • Healthcare Cybersecurity Training for Individuals
    A healthcare-specific cybersecurity course that individual learners can purchase alongside Accredited HIPAA Certification for Individuals to demonstrate their understanding of cyber risks to protected health information and medical records.

All of these training courses are self-paced online programs built by The HIPAA Journal’s compliance team using more than a decade of breach and enforcement analysis, with practical examples, coverage of emerging issues such as generative AI, messaging platforms, and social media, randomized quizzes with certificates, and optional free modules on Texas and California medical privacy laws and on small medical practice challenges.

The post What training does The HIPAA Journal provide? appeared first on The HIPAA Journal.

Does the HIPAA Training from The HIPAA Journal satisfy the regulatory requirements for training?

Yes, the HIPAA training from The HIPAA Journal has been specifically designed to satisfy the mandatory regulatory requirements to train your workforce on HIPAA rules and regulations. Under the HIPAA Privacy Rule and Security Rule, covered entities and business associates must ensure that all relevant workforce members receive training on HIPAA requirements and on how to perform their roles in compliance with those requirements. The HIPAA Journal’s courses are built around those obligations and provide comprehensive coverage of the HIPAA rules and regulations employees need to understand, including the core Privacy, Security, and Breach Notification Rule concepts, permitted uses and disclosures of PHI, patient rights, safeguards, incident reporting, and common real-world risk areas such as email, messaging, and social media.

However, HIPAA also requires training on each organization’s own internal policies and procedures, which the regulations state will “depend on the size and type of activities” of the covered entity and on the results of its HIPAA risk assessment. Those internal policies are necessarily different in every organization, so they cannot be built into a single generic online course. The HIPAA Journal training deliberately does not attempt to cover those local policies and procedures; instead, organizations typically combine The HIPAA Journal’s rules-and-regulations training with their own site-specific policy and procedure training to fully meet all HIPAA training obligations.

The post Does the HIPAA Training from The HIPAA Journal satisfy the regulatory requirements for training? appeared first on The HIPAA Journal.

Who develops and maintains The HIPAA Journal’s HIPAA training content?

The HIPAA Journal’s HIPAA training content is created and maintained by The HIPAA Journal editorial team, a group of in-house HIPAA experts each with more than a decade of experience in HIPAA and healthcare regulation. They designed the courses using insights from over ten years of HIPAA breach reporting and analysis, then refined the content using input from hundreds of external contributors such as privacy officers, compliance officers, IT security managers, and practice managers who responded to surveys and reviewed the material.

The training is actively maintained by The HIPAA Journal’s editorial and compliance team, who continuously monitor HIPAA rules, HHS/OCR guidance, and enforcement trends and update the lessons whenever there are meaningful regulatory or practical changes, including new issues such as the use of generative AI, messaging platforms, and social media.

The post Who develops and maintains The HIPAA Journal’s HIPAA training content? appeared first on The HIPAA Journal.