Author Archives: PJ Murray

10 Step Guide to Choosing HIPAA Training for Employees

Choosing HIPAA training for employees should be about compliance outcomes, not simply the optics of checking a box for mandatory training. This 10-step guide helps you select HIPAA training courses that build real HIPAA compliance knowledge, reduce common errors, and prepare employees to apply HIPAA correctly from day one. It helps you avoid checkbox training and invest in learning that improves employee compliance performance, ultimately reducing HIPAA violations and HIPAA breaches.

Step 1: Review the course curriculum and verify that it is specifically designed for employees.

Verify that the training was designed for the staff receiving the training. There is little point in providing HIPAA training designed for compliance officers or training designed for managers that is focused on the compliance programs for HIPAA-covered entities.

Step 2: If the training provider does not state who produced the training, then ask for this information.

When selecting HIPAA training, evaluate substance and outcomes, not slide count. Effective courses go beyond reciting regulations and show how the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule translate into concrete tasks and decisions for employees. Begin with the source of the training content. Prefer curricula developed and maintained by recognized HIPAA subject-matter experts, designed with input from and then reviewed by HIPAA Privacy Officers and HIPAA Compliance Officers. These officers understand how violations occur and can teach recurring patterns, such as misdirected messages, wrong-patient access, and casual disclosures, and the precise steps that prevent them.

Step 3: If the training does not have a release date, then ask when it was produced.

Verify that the content is up-to-date because HHS and OCR guidance evolves, enforcement priorities shift, and new technologies introduce fresh risks. High-quality training is actively updated to reflect new laws, guidance, and enforcement trends, rather than remaining static.

Step 4: Prioritize practical advice over theory

Ensure the HIPAA training prioritizes practical scenarios over abstraction or simply repeating regulations. The training must use realistic examples such as unattended workstations, unapproved applications, and over-sharing on phone calls.

Step 5: Verify that training has modules covering evolving threats like social media and AI tools.

The training must also address modern risk areas, including generative AI tools, social media, messaging platforms, remote work, and personal devices.

Step 6: Choose training focused on risk reduction

Training cannot eliminate HIPAA violations and HIPAA breaches, but well-designed modules reduce both likelihood and impact by targeting behaviors behind common incidents. Make sure that the content is focused on prevention and response. The training must identify typical errors, such as lost devices, unencrypted email, and improper disclosures, and specify who to notify, what to document, and when to escalate.

Step 7: Review the trainee learning experience

An effective learning experience is practical, accessible, and respectful of time. Online, self-paced modules with pause and resume controls suit shift work and clinical interruptions. Mobile-friendly delivery across desktop, tablet, and phone improves the completion rate of training. When staff can access training easily, learn at a sensible pace, verify understanding, and obtain help as needed, they make better decisions, and the compliance program becomes measurably stronger. Make sure that the training remains available for the full year until the next annual session so that employees can review it as many times as they need to refresh their knowledge. The learning experience is also improved by quizzes after each topic; knowing that they will be tested at the end of each topic immediately improves trainees' attention levels.

Step 8: Training management features

Online HIPAA training provides managers with the opportunity to monitor the progress of employees during their HIPAA training and confirm that the training has been completed. It is also necessary to retain training records for a minimum of six years.

Step 9: Include state privacy laws where necessary

HIPAA training also means training in the related medical record privacy and security laws. Certain states such as Texas and California have state medical privacy laws that are mandatory and stricter than HIPAA. There are also additional state data privacy laws that apply to medical records.

Step 10: Don’t forget cybersecurity training

Integrate HIPAA with cybersecurity awareness for any staff who have access to medical records on computers. Many large-scale HIPAA breaches begin with general cyber risks, including phishing, weak credentials, unsafe USB use, and credential sharing. Pair HIPAA content with focused cybersecurity modules on human error, phishing recognition, secure messaging, credential management, and removable media.

Choose HIPAA Training That Changes Behavior

This guide recommends selecting HIPAA training that is designed for employees, identifies who produced the content, and includes a clear release date. It emphasizes practical scenarios over theory, with up-to-date modules that address social media, AI tools, messaging, remote work, and personal devices. It calls for risk-focused instruction that identifies common errors such as lost devices, unencrypted email, and improper disclosures, and that specifies who to notify, what to document, and when to escalate. It also highlights a learning experience that is self-paced, mobile-friendly, and available for the full year so employees can review as needed. The guide advises pairing HIPAA training with cybersecurity modules for staff who access medical records on computers.

The post 10 Step Guide to Choosing HIPAA Training for Employees appeared first on The HIPAA Journal.

Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas

In addition to HIPAA and the Texas Medical Records Privacy Act/HB300, several other laws apply to the privacy and security of medical records in Texas. Laws such as the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 and the Texas Medical Practice Act create a layered system of protections that often go beyond HIPAA’s minimum requirements.

Before HIPAA, medical confidentiality in Texas was governed mainly by the Texas Health and Safety Code, which already limited how health information could be used and disclosed, and gave patients rights to see their records. HIPAA then introduced federal privacy and security rules, but only for a narrower group of “covered entities.” To close that gap, Texas passed the Texas Medical Records Privacy Act in 2001, extending HIPAA-style protections to more organizations that handle Texans’ health information. HB300, passed in 2011, strengthened that Act by tightening rules for electronic disclosures, shortening deadlines for responding to patient access requests, and expanding breach notification requirements. HB300 is important, but it operates alongside a broader set of Texas privacy and security laws.

The Texas Identity Theft Enforcement and Protection Act (TITEPA) is not limited to healthcare, but it heavily affects healthcare organizations because it applies to any business that handles personal identifying information about Texas residents. Its definition of “sensitive personal information” is broader than HIPAA’s definition of PHI, so some data that is not PHI still has to be protected as if it were. Organizations must secure this information, dispose of it safely, and notify individuals (and sometimes the Attorney General) if computerized sensitive personal information is acquired by an unauthorized person. Because these requirements sit next to HIPAA’s breach rules, many healthcare organizations in Texas treat all patient-related information like PHI and apply HIPAA-level safeguards across the board.

The Texas Data Privacy and Security Act (TDPSA) is aimed at consumer data generally, but it also touches healthcare. Covered entities and business associates are exempt for PHI but not for other personally identifying data they collect, such as marketing lists, website tracking data, appointment booking details, or some HR data. For this non-PHI data, organizations must limit collection to what is necessary, obtain informed consent for certain uses (such as targeted marketing), and honor rights to access, correct, or request deletion where those rights apply. Deletion rights do not override medical record retention requirements, so PHI and medical records still must be kept according to Texas rules.

The Texas Responsible AI Governance Act and SB1188 add AI- and EHR-specific obligations. The AI Governance Act applies broadly to developers and users of AI, including healthcare organizations that use AI in clinical or administrative workflows. Patients must be told when AI is used in diagnosis or clinical decision support (outside emergencies), and patient authorization is required if PHI is sent to AI systems for purposes beyond treatment, payment, healthcare operations, or required-by-law disclosures.

SB1188 goes further by requiring AI-generated diagnostic outputs to be reviewed under standards set by the Texas Medical Board and documented in the medical record, and by imposing specific security and functionality requirements on EHRs. It restricts storing certain data types in EHRs, such as credit scores or voter-registration status, and sets rules around parental access to minors' electronic records, with exceptions for sensitive services such as reproductive, substance use, or mental health care.

The Texas Medical Practice Act and related code provisions add professional and confidentiality duties for licensed healthcare professionals on top of all this. In many cases, state law requires written consent for disclosures that go beyond treatment, payment, healthcare operations, or disclosures explicitly required by law, and adds extra protections for especially sensitive categories such as mental health, substance use, HIV testing, and genetic information. These provisions are updated regularly and can override or refine how other laws apply in specific scenarios. Because all of these laws overlap, organizations that handle medical information about Texas residents generally follow a “most protective law wins” approach. HIPAA and the Texas Medical Records Privacy Act/HB300 are central pieces of Texas medical privacy law, but real-world practice is also shaped by TITEPA, the TDPSA, the Responsible AI Governance Act, SB1188, and the Medical Practice Act. For workforce members, the safest course is to follow organizational policies, complete required training, and ask their privacy or compliance teams when they are unsure.

More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California?

The Confidentiality of Medical Information Act (CMIA) is just one of several state laws and regulations that apply to medical privacy in California and influence how staff handle patient information. Alongside HIPAA and CMIA, healthcare organizations may also have to comply with the Patient Access to Health Records Act (PAHRA), Medi-Cal confidentiality rules, California's Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), state rules governing artificial intelligence in healthcare (including CCPA's automated decision-making regulations), and SB81 on patient access and protection. Together, these laws help explain why privacy and security policies in California can look different from those in other states.

HIPAA was designed to create a national “floor” of privacy and security standards, but in California that floor is only the starting point. When state law gives patients more rights or stronger protections than HIPAA does in a particular area, the California law takes precedence for that issue, while HIPAA still applies in the background. As a result, California providers often have to reconcile multiple overlapping rules when deciding how to use, disclose, and protect health information.

CMIA is the core California medical privacy statute. It applies broadly to providers, plans, contractors, and many consumer-facing digital health apps when they store or process identifiable medical information. CMIA tightly limits when information can be used or disclosed without authorization, adds extra protections for sensitive services, and requires safeguards for electronic information. A key difference from HIPAA is CMIA’s private right of action, which allows patients to sue for negligent, unauthorized disclosures, even when there was no intent to cause harm. That is a major reason California organizations stress strict access control, “need-to-know” use of records, and zero tolerance for snooping or gossip.

PAHRA strengthens and accelerates patient access rights beyond HIPAA. California providers generally must acknowledge or respond to access requests within a few days and provide copies within a much shorter deadline than HIPAA’s. Patients can also submit an addendum to correct or clarify their records, and that addendum must be attached with future relevant disclosures. PAHRA and CMIA together also limit parental access to minors’ sensitive records when the minor has the right to consent to care, so staff must pay close attention to who is entitled to see what.

Other important laws fill gaps that HIPAA and CMIA do not fully cover. Medi-Cal regulations protect beneficiary information, including social and economic data used for eligibility and benefits, and restrict its use mainly to treatment, billing, and program administration. CCPA/CPRA applies to eligible businesses for personal information that is not PHI or CMIA “medical information,” such as website tracking data, marketing lists, and some HR records. CCPA/CPRA also gives consumers rights to know, correct, and in some cases delete data. California also regulates the use of AI in healthcare through a mix of privacy, consumer, and professional rules that emphasize transparency, security, and maintaining human clinical judgment. In practice, these rules often appear as internal policies: which AI tools may be used, what kind of data may be entered, how outputs must be reviewed, and when patients must be informed.

SB81, California’s Patient Access and Protection law, adds targeted protections for immigration-related information. It treats a patient’s place of birth and immigration status as protected medical information and prohibits disclosures for immigration enforcement without a valid authorization or court order. It also requires healthcare organizations, including public college health centers, to establish “safe” non-public areas where patients can receive care without fear of immigration agents entering unless they have proper legal authority. This law shapes how front desks, security, and clinical teams respond to requests from law enforcement and why staff should receive specific training on these scenarios.

Because all these laws overlap, California healthcare organizations usually design their policies around the most protective rule that applies. CMIA is central, but real-world privacy practice is also shaped by PAHRA, Medi-Cal rules, CCPA/CPRA, AI-related requirements, and SB81. For healthcare staff and students, the safest approach is to follow their organization’s written policies, complete required training, and ask their privacy or compliance team whenever they are unsure. This overview is for training and general information, not legal advice, but it highlights why CMIA is just one piece of a much larger California privacy framework.


What training does The HIPAA Journal provide?

The HIPAA Journal provides a full suite of online HIPAA and related cybersecurity training programs, designed for different roles and types of organizations.

The main HIPAA products are:

  • Accredited HIPAA Certification for Individuals
    A certificate course for people entering or progressing in healthcare that covers HIPAA rules and real world scenarios, and issues an accredited certificate that can be shown to employers and used during onboarding.

  • HIPAA Training for Healthcare Employees
    A workforce course for covered entities of all sizes that satisfies HIPAA training requirements on HIPAA rules and regulations, suitable for new hire onboarding and annual refresher training, with lessons focused on how to safeguard protected health information in day to day work.

  • HIPAA Training for Small Medical Practice Employees
    A version of the workforce course tailored to small medical practices, with extra modules on the specific HIPAA challenges they face, also suitable for onboarding and refresher training.

  • HIPAA Training for Students
    A course for healthcare students and faculty that satisfies HIPAA training requirements for students working in any HIPAA covered environment and includes student specific modules and examples to prepare them for clinical placements.

  • HIPAA Training for Business Associate Employees
    A dedicated course for employees of business associates that meets HIPAA training requirements and includes modules on the particular compliance challenges that arise when handling protected health information on behalf of covered entities.

The main cybersecurity products are:

  • Cybersecurity Training for Healthcare Employees
    A certificate course for healthcare staff that teaches them to recognize cyber threats and handle health records securely, providing practical, attacker-focused cybersecurity awareness to sit alongside standard HIPAA training.

  • Cybersecurity Training for Healthcare Students
    A cybersecurity course for healthcare students and faculty that can be added to HIPAA Training for Students, giving learners extra protection by teaching online threat awareness and safer behavior before and during clinical placements.

  • Cybersecurity Training for Business Associate Employees
    A healthcare-focused cybersecurity course for employees of business associates that complements HIPAA Training for Business Associate Employees, with content aimed at reducing the risk of breaches when vendors and service providers handle patient data.

  • Healthcare Cybersecurity Training for Individuals
    A healthcare-specific cybersecurity course that individual learners can purchase alongside Accredited HIPAA Certification for Individuals to demonstrate their understanding of cyber risks to protected health information and medical records.

All of these training courses are self paced online programs built by The HIPAA Journal’s compliance team using more than a decade of breach and enforcement analysis, with practical examples, coverage of emerging issues such as generative AI, messaging platforms and social media, randomized quizzes with certificates, and optional free modules on Texas and California medical privacy laws and on small medical practice challenges.


Does the HIPAA Training from The HIPAA Journal satisfy the regulatory requirements for training?

Yes, the HIPAA training from The HIPAA Journal has been specifically designed to satisfy the mandatory regulatory requirements to train your workforce on HIPAA rules and regulations. Under the HIPAA Privacy Rule and Security Rule, covered entities and business associates must ensure that all relevant workforce members receive training on HIPAA requirements and on how to perform their roles in compliance with those requirements. The HIPAA Journal's courses are built around those obligations and provide comprehensive coverage of the HIPAA rules and regulations employees need to understand, including the core Privacy, Security, and Breach Notification Rule concepts, permitted uses and disclosures of PHI, patient rights, safeguards, incident reporting, and common real-world risk areas such as email, messaging, and social media.

However, HIPAA also requires training on each organization’s own internal policies and procedures, which the regulations state will “depend on the size and type of activities” of the covered entity and on the results of its HIPAA risk assessment. Those internal policies are necessarily different in every organization, so they cannot be built into a single generic online course. The HIPAA Journal training deliberately does not attempt to cover those local policies and procedures; instead, organizations typically combine The HIPAA Journal’s rules-and-regulations training with their own site-specific policy and procedure training to fully meet all HIPAA training obligations.


Who develops and maintains The HIPAA Journal’s HIPAA training content?

The HIPAA Journal’s HIPAA training content is created and maintained by The HIPAA Journal editorial team, a group of in-house HIPAA experts each with more than a decade of experience in HIPAA and healthcare regulation. They designed the courses using insights from over ten years of HIPAA breach reporting and analysis, then refined the content using input from hundreds of external contributors such as privacy officers, compliance officers, IT security managers, and practice managers who responded to surveys and reviewed the material.

The training is actively maintained by The HIPAA Journal’s editorial and compliance team, who continuously monitor HIPAA rules, HHS/OCR guidance, and enforcement trends and update the lessons whenever there are meaningful regulatory or practical changes, including new issues such as the use of generative AI, messaging platforms, and social media.


Why is The HIPAA Journal training the best on the market?

The HIPAA training from The HIPAA Journal is the best available on the market. The HIPAA Journal's employee training is the best on the market because it was built to correct real weaknesses in existing courses, was developed over a long period by highly experienced HIPAA specialists with extensive field feedback, provides comprehensive and accurate coverage including key state laws, focuses on practical real-world scenarios and everyday behavior, emphasizes personal responsibility and consequences, addresses modern technologies and evolving risks, offers tailored tracks for different environments and roles, uses an accessible online format with strong assessment and management tools, and is continuously updated and improved based on expert and user input.

Here are the main reasons why the training from The HIPAA Journal is the best available on the market:

  1. Created to fix real problems in existing training
    The team analyzed actual HIPAA violations and concluded that many were caused by preventable staff mistakes. They then reviewed other training products and found that a lot of what is on the market is inaccurate, incomplete, or out of date. Their program was built specifically to correct those weaknesses and reduce common staff errors.

  2. Developed by experienced HIPAA specialists over a long period
    The course took more than a year to build. It involved a team where everyone working on the content has more than ten years of HIPAA experience. They also gathered input from hundreds of privacy officers, compliance officers, IT security managers, and practice managers through surveys and feedback rounds.

  3. Comprehensive, accurate coverage for employees
    The core training covers the full HIPAA rule set from the perspective of everyday staff, not just policy writers. It includes additional modules on specialist topics and addresses key state privacy laws that add extra obligations, such as in Texas and California. The goal is to give employees a complete and correct understanding of what applies to them.

  4. Practical and scenario focused rather than just reciting rules
    Instead of simply repeating regulation text, the course emphasizes what workers must actually do in daily tasks. It explains how to apply HIPAA in real situations, so employees know how to act when faced with common scenarios that could lead to violations.

  5. Strong focus on behavior and personal responsibility
    The training stresses that every individual has a direct role in protecting protected health information. It explains how to spot and report security incidents and describes the possible consequences of noncompliance for both organizations and individuals, including internal sanctions, termination, fines, loss of license, and in serious cases criminal charges.

  6. Covers modern risk areas that older courses often ignore like AI and social media
    The program includes dedicated content on email, messaging apps, social media, artificial intelligence tools, and other modern technologies that HIPAA did not originally anticipate. The material is designed to be updated as technology and threats evolve, so the course does not become stale.

  7. Tailored training for different environments like Small Medical Practices or Universities or Business Associates
    There are specific modules for staff in small medical practices and for employees of business associates. These address the particular pressures and misconceptions in those settings and focus on why HIPAA still applies and why their own actions matter.

  8. Accessible online format with robust assessment features
    The training is offered as an online subscription. Staff can log back in for refreshers throughout the year rather than losing access. Quizzes draw from a large bank of questions, with randomization and unlimited retakes until all answers are correct, after which a certificate is issued. There are distinct courses for different audiences and tools for training managers to view records and track completion.

  9. Built with a continuous improvement and feedback loop
    The content was not written once and left alone. It has been reviewed by privacy and compliance officers, and their feedback led to additional modules being added. The program is designed to keep evolving based on user experience and ongoing regulatory and technological changes.

  10. Aligned with broader security and compliance efforts
    Because a large part of the HIPAA Journal readership is IT and security professionals, the training is designed to fit alongside security awareness and cybersecurity content, helping organizations connect privacy rules with practical security behavior.

The HIPAA Journal’s employee training program sets a new benchmark by combining expert developed, up to date content with practical, role specific guidance that helps organizations strengthen HIPAA compliance in everyday practice.
