Feature Articles

What is a HIPAA Audit Checklist?

A HIPAA audit checklist is a document covered entities and business associates should use to audit compliance with the standards of the HIPAA Administrative Simplification Regulations applicable to their operations.

HIPAA Audit ChecklistAn internal HIPAA audit checklist differs from an external HIPAA audit checklist inasmuch as an external HIPAA audit checklist is designed to meet specific criteria of the OCR audit protocol, CMS’ compliance review program, or a third-party’s certification requirements.

By comparison, an internal HIPAA audit checklist is a comprehensive document that covers all areas of an organization’s compliance obligations. However, as different organizations have different compliance obligations, there is no “one-size-fits-all” internal HIPAA audit checklist.

Covered entities and business associates should review the following content, determine which standards of the HIPAA Administrative Simplification Regulations apply to their operations, and develop a HIPAA internal audit checklist that meets their requirements. The checklist should then be used as a HIPAA compliance audit checklist to identify gaps in compliance and implement measures to fill gaps.

hipaa audit checklist - thehipaajournal.com

Administrative Requirements Audit Checklist

The Administrative Requirements of HIPAA (Part 162) cover areas such as Unique Health Identifiers, Transaction Rules, and Code Set Standards. Covered entities that conduct claims processing or administration in-house, and business associates that provide billing and claims management services for covered entities, are required to comply with the standards of this Part.

Generally, there are only three areas of compliance organizations may need to include on an internal HIPAA audit checklist – the operating rules, the transaction rules, and documentation.

  • Verify compliance with the operating rules for eligibility, claims status, and electronic funds transfer/remittance advice.
  • Test transactions for compliance using the Administrative Simplification Enforcement and Testing Tool (ASETT).
  • Document policies, procedures, and test results for when the documentation is required for a compliance review.

While violations of the Administrative Requirements have never yet resulted in a civil monetary penalty, CMS has the authority to fine covered entities and business associates for noncompliance with Part 162 if an organization fails a CMS HIPAA audit and subsequently fails to comply with a corrective action plan. In the year to May 2023, 51% of organizations failed compliance reviews and were issued with a corrective action plan. (Reports for 2024 and 2025 have not been published).

HIPAA Privacy Rule Audit Checklist

The HIPAA Privacy Rule only has two basic HIPAA audit requirements – to protect individually identifiable health information from impermissible uses and disclosures, and to give individuals rights over their protected health information. To comply with these two requirements, organizations subject to the HIPAA Privacy Rule must comply with up to fourteen sets of standards depending on the nature of their operations.

Why “up to” fourteen? This is because, while all covered entities are required to comply with the HIPAA Privacy Rule, some standards do not apply to all types of organizations – for example, some standards apply to only health plans. Some business associates may be required to comply with specific HIPAA Privacy Rule standards depending on the service being provided for or on behalf of a covered entity and/or on the terms of their Business Associate Agreement with the covered entity.

All organizations subject to HIPAA compliance should review the following list, determine which applies to their operations, and add the relevant items to a HIPAA compliance audit checklist.

1. Designate a HIPAA Privacy Officer

Although most organizations will be familiar with this requirement, it is essential a member of the workforce is designated the role of Privacy Officer to be the point of contact for patients/plan members, workforce members, and regulatory agencies. The HIPAA Privacy Officer also has the responsibility to develop and implement HIPAA-compliant policies and procedures.

2. Understand What Constitutes PHI

There is a lot of misunderstanding about PHI, due to which some organizations can be unnecessarily overprotective with data, while others can be a little too carefree. Not only is it important to understand what constitutes PHI; but, for the sake of security and efficiency, to develop procedures for securing PHI in the minimum number of designated record sets practical.

3. Permissible Uses and Disclosures

Make sure all members of your organization´s workforce understand the difference between required, permissible, and attestable uses and disclosures of PHI, uses and disclosures of PHI for which an individual should be given an opportunity to consent or object, and uses and disclosures of PHI for which an individual´s written HIPAA authorization is required.

4. Procedures for Obtaining Authorizations

Every covered entity should have procedures for obtaining and managing authorizations so that if an individual exercises the right to revoke an authorization, the revocation can be actioned without delay. Procedures should also exist for (for example) withdrawing any information about the patient that has been used in fundraising or marketing material.

5. Notices of Privacy Practices

Every patient or plan member must be given a Notice of Privacy Practices when first attending a healthcare facility or enrolling in a health plan. The Notice must contain details of how PHI may be used or disclosed without an authorization, when it may only be used with the individual´s authorization, the rights of the individual to request privacy protection or copies of PHI.

6. Procedures for Responding to Requests for Privacy Protection

Individuals have the right to request restrictions on certain uses and disclosures – which can be situation-specific – and request to restrict how they are contacted by a covered entity or business associate. Organizations must have procedures in place to respond to requests for privacy protection, manage requests, and document oral terminations of requests.

7. Procedures for Responding to Requests for Access, Correction, and Transfer

The failure to provide access to health information, correct it when necessary, and transfer it to other providers when requested is one of the leading causes of complaints to HHS’ Office for Civil Rights. In an attempt to reduce the number of complaints, the agency is increasing its enforcement action against organizations that fail to respond to requests in a timely manner.

8. Procedures for Maintaining an Accounting of Disclosures

Individuals have the right to request an accounting of disclosures of their PHI for the six years prior to the request being made. However, not all disclosures have to be accounted for. It is important that covered entities understand which disclosures have to be accounted for and adopt procedures for maintaining an accounting of disclosures for each individual.

9. Workforce Training

Under the Privacy Rule, the training requirements are limited in scope to members of the workforce to whom HIPAA policies and procedures apply. However, basic HIPAA training should be provided to all members of the workforce in order to mitigate the risk of impermissible disclosures due to a lack of knowledge and reduce the risk of human error.

10. Documentation

Documentation is a requirement of nearly every standard in the HIPAA Privacy Rule, and organizations required to comply with the standards must put procedures in place for documenting policies and procedures, Notices of Privacy Practices, individual authorizations, workforce training, etc., and retaining policies and procedures for at least six years since they were last in force.

Organizations subject to the HIPAA Privacy Rule should also review the General Provisions of Part 164 – a section of the Administrative Simplification Regulations not covered by a “Rule”. These provisions primarily apply to Hybrid Entities, Affiliated Entities, and Organized Health Care Arrangements, and cover restricting access to PHI to only those who are authorized to access it within their roles and safeguarding PHI from non-covered areas of the organization.

HIPAA Security Rule Audit Checklist

Compared to the potential complexity of a HIPAA Privacy Rule audit checklist, a HIPAA Security Rule audit checklist is relatively straightforward. Not only does the HIPAA Security Rule contain far fewer standards than the HIPAA Privacy Rule, but the standards within the HIPAA Security Rule are less open to interpretation. The Security Standards General Rules also allow covered entities and business associates a “flexibility of approach” about how the standards are implemented.

To help organizations compile a HIPAA audit checklist for the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and HHS’ Office for Civil Rights have jointly produced a HIPAA Security Risk Assessment (SRA) Tool. Organizations can use the tool online or download as an Excel document to fulfill the risk assessment requirements of the Security Rule. However, this tool may not be suitable for all organizations; and before using it, it is advisable to consider the following questions:

1. Has your organization designated a HIPAA Security Officer?

This can be the same person as the HIPAA Privacy Officer but they need to be qualified for the position inasmuch as they have to design, implement, and enforce security policies and procedures. Ideally, it is best to designate this role to a senior member of the IT team.

2. Have you identified from where ePHI originates?

In order to protect ePHI from unauthorized access, disclosure, alteration, or deletion, you have to know from where ePHI originates, where it is maintained, and to where it is transmitted. Effectively, you need to create an audit trail for all ePHI in your organization´s possession.

3. Do you know how users access ePHI?

Before using the ONC/OCR Security Risk Assessment Tool, you need to conduct an inventory of devices used to access ePHI and the media on which it is stored. This not only includes onsite devices and servers, but also devices used to access ePHI remotely.

4. What security software is already in place?

As a covered entity or business associate, you are required to implement measures to mitigate threats from malware, ransomware, and phishing. Many organizations already have security measures – such as email and web filters – in place to mitigate threats.

5. What role-based access controls are already in place?

Similar to the previous item, many organizations already utilize role-based access controls to control what information users can access. It is far easier to adjust existing controls to comply with the Security Rule standards than start from scratch.

6. What other security mechanisms do you already use?

Due to the “flexibility of approach” clause and the fact that some implementation specifications are addressable, it may be possible to comply with many HIPAA Security Rule standards by enforcing the use of existing security mechanisms – i.e., PIN lock, automatic log-off, password managers, etc.

7. What processes already exist for reporting security incidents?

Most organizations should already have processes in place to flag suspect emails, malware, and other anomalies. These are usually sufficient for internal compliance with the HIPAA Security Rule – not forgetting that business associates are required to report all security incidents to covered entities.

8. Does the organization already have a security awareness training program?

The likelihood is that most organizations will have some form of security awareness training, and all that may be necessary for the training to meet the General Requirements of the HIPAA Security Rule (§164.406) is to tweak it to be more HIPAA-centric and ensure the training is documented.

9. Does the organization enforce a scaled sanctions policy?

Enforcing a scaled sanctions policy is an important step toward HIPAA compliance because it serves as a reminder to members of the workforce that minor or repeated violations of HIPAA can have consequences.

10. Does the organization have a contingency or emergency action plan?

Developing a contingency plan for foreseeable emergency events that may threaten the confidentiality, integrity, and availability of ePHI is a requirement of HIPAA. You may need to review the SRA Tool to ensure you have every type of emergency covered.

Although this HIPAA Security Rule HIPAA audit checklist is relatively basic with regards to the questions it asks, it is advisable to start a journey to HIPAA compliance by assuming zero knowledge – rather than assuming an existing degree of knowledge as the SRA Tool does. In addition, when implementing new measures, it is a best practice to test members of the workforce on what information they have absorbed rather than assume they have understood the new measures in one explanation.

HIPAA Audit Log Requirements

Whether you use a HIPAA Security Rule Audit Checklist or the SRA Tool, it is important not to overlook the HIPAA audit log requirements. The HIPAA Security Rule requires covered entities and business associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic Protected Health Information.

Audit logs enable covered entities and business associates to identify risks associated with events such as unauthorized access, impermissible disclosures, application flaws, and suspicious activities. They can also be used to provide forensic evidence following a security incident or data breach so measures can be put in place to prevent a reoccurrence.

The HIPAA Security Rule does not specify what data needs to be collected by audit logs or how frequently logs should be reviewed. HHS also acknowledges that different software solutions and applications record and examine system activity in different ways. For this reason, it can be beneficial for covered entities and business associates to implement HIPAA compliance software that can monitor all system activity and flag issues for further investigation.

Breach Notification Rule Audit Checklist

As business associates are required to notify covered entities of all security incidents (not just those that result in a breach of unsecured ePHI), business associates will need to use a different Breach Notification Rule audit checklist than a covered entity – who can use a HIPAA breach notification tool to determine whether a security incident is reportable or not. However, both Breach Notification Rule audit checklists will share some common items – for example:

  • How did the breach/security incident occur?
  • How has the impact of the breach/security incident been mitigated?
  • What should be done to prevent the breach/security incident from happening again?

It is also the case that procedures should be in place and responsibilities assigned for notifying covered entities of a security incident or for covered entities notifying HHS’ Office for Civil Rights and impacted individuals of a breach of unsecured ePHI. As with all other areas of HIPAA compliance, the procedures, all breaches/security incidents, and their outcomes must be documented and the documentation retained for a minimum of six years.

Advice for Developing and Completing HIPAA Audit Checklists

Integrating every element of HIPAA compliance into a single HIPAA audit checklist can be challenging and – due to the checklist’s comprehensiveness – potentially leave gaps that lead to compliance failures. There are two ways to overcome this challenge. Either divide the HIPAA audit checklist into smaller, more manageable units, or engage the services of a compliance professional to help you with both the development and the completion of the checklist.

One of the advantages of choosing the latter option is that compliance professionals have the experience to assess an existing checklist, determine how much help you need, and provide as much help as necessary to produce an accurate and comprehensive checklist. This approach has the benefit of preventing the scenario in which you are looking for threats that do not exist in standards that do not apply to your organization – saving your time and your organization’s money.

FAQs

What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations are the “Administrative Data Standards and Other Requirements” that were developed as a result of the passage of HIPAA (Title 45, Subtitle A, Subchapter C of the Code of Federal Regulations).

The Regulations not only include the standards for the Administrative Requirements and the HIPAA Privacy, Security, and Breach Notification Rules, but also the General Administrative Provisions, the General Security and Privacy Provisions, and the Enforcement Rule.

Could CMS issue a civil monetary penalty for noncompliance?

The Centers for Medicare and Medicaid Services (CMS) has the same authority to impose sanctions on noncompliant organizations as HHS’ Office for Civil Rights. In theory, CMS could impose a fine of up to $2,134,831 on a covered entity or business associate who repeatedly failed to comply with the Administrative Requirements due to willful neglect.

Why are business associates required to comply with the Privacy Rule?

The applicability standard of the HIPAA Privacy Rule (§164.104) was amended via the Final Omnibus Rule in 2013 to read “Where provided, the standards, requirements, and implementation specifications adopted under this part [the HIPAA Privacy Rule] apply to a business associate.”

This means that a business associate may need to develop policies and procedures relating to permissible uses and disclosures and for managing access requests if an individual’s ePHI is maintained in a separate designated record set from that of the covered entity.

Does a business associate have to designate a Privacy Officer?

This depends on the nature of the business associate’s operations and the potential for interactions with the public and regulatory authorities. If there is likely to only be minimal interaction, the role of Privacy Officer could be designated to a Security Officer.

What is considered PHI under HIPAA?

This is possibly the most frequently asked question relating to HIPAA compliance because what is considered PHI under HIPAA is complicated – so complicated that we have dedicated a full-page article to answering this question.

Why is the ONC/OCR Security Risk Assessment Tool not suitable for all organizations?

According to the OCR’s website, “the tool’s features make it useful in assisting small and medium-sized health care practices and business associates”. This implies that it is not suitable for health plans, healthcare clearinghouses, and larger organizations.

In addition, the tool assumes a certain level of knowledge and that a number of measures have already been implemented to comply with HIPAA Security Rule standards. If your organization is taking its first steps towards HIPAA compliance, you may find the tool too advanced for your needs.

How might an organization already have role-based access controls in place?

Many organizations use identity and access management services such as Microsoft AD, Okta Lifecycle Management, or Open LDAP (etc.) to control who in the organization has access to systems and databases. These services can often be used to comply with the HIPAA Security Rule access requirements.

What is the difference between a HIPAA compliance audit checklist and a healthcare compliance audit checklist?

The difference between a HIPAA compliance audit checklist and a healthcare compliance audit checklist is that a HIPAA compliance checklist helps organizations audit their compliance with HIPAA, while a healthcare compliance checklist helps organizations audit their compliance with all applicable federal, state, and local regulations related to their healthcare activities (i.e., CMS’ Medicare regulations, OSHA workplace regulations, and state licensing requirements).

What are 3 important components of a HIPAA security audit?

All components of a HIPAA security audit are important. However, the 3 elements of a HIPAA security audit most organizations should focus on include:

  • An inventory and audit trail of ePHI. If you do not know where ePHI originates, where it is stored, how it is used, and how it is disclosed, it will be impossible to implement measures to safeguard the confidentiality, integrity, and availability of health information.
  • The implementation and configuration of software. It is often not sufficient to implement software described as “HIPAA compliant” to comply with the HIPAA Security Rule. The software also has to be configured to mitigate threats to health information.
  • Workforce training and compliance monitoring. All members of the workforce must receive security awareness training even when they do not have access to ePHI. It is also important to monitor compliance with the security awareness training.

The post What is a HIPAA Audit Checklist? appeared first on The HIPAA Journal.

Free Webinar TODAY: AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind

Artificial intelligence has tremendous potential in healthcare, and healthcare organizations have embraced AI tools in all areas of their operation; however, there are compliance risks associated with AI when tools engage with health information protected under the Health Insurance Portability and Accountability Act (HIPAA). Incorporating AI tools while complying with all HIPAA Privacy and Security Rule implementation specifications can be challenging, especially when there is limited guidance on how HIPAA applies to AI.

Fortunately, help is at hand. On July 8, 2026, the HIPAA-compliant communication platform provider Paubox is hosting a webinar where healthcare organizations can learn from a diverse panel of experts about AI-related HIPAA compliance challenges and receive invaluable advice on how to keep innovating without leaving HIPAA compliance behind.

During the webinar, attendees will learn about how real-world healthcare teams are developing and implementing AI tools and the challenges they have faced, the specific questions you need to be asking any AI vendor before you sign and handle business associate agreements (BAAs), what responsible use of AI with PHI looks like, and what the future holds, and what you need to do right now.  At the end of the webinar, there will be time allocated for a Q&A with the panel to get answers to your questions.

Speakers:

Heather Phillips, FoXX Health

Heather Phillips – Advisory Committee Member, FoXX Health
Tim Gutwald - Partner, Elevare Law Tim Gutwald – Partner, Elevare Law
Brittany Sigler - DrPH, Founder & Product Leader, Bright Signal Consulting Brittany Sigler – DrPH, Founder & Product Leader, Bright Signal Consulting
Mike Maseda - Head of Sales & Ops, GenHealth.ai Mike Maseda – Head of Sales & Ops, GenHealth.ai

Webinar Details

AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind

July 8, 2026

1.00 p.m. ET | 12.00 p.m. CT | 11.00 a.m. MT | 10:00 a.m. PT

Click Here to Register for the Webinar

Can’t attend on the day? Register to receive a link to the recording!

This webinar is eligible for 1 self-reported CPE

The post Free Webinar TODAY: AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind appeared first on The HIPAA Journal.

Free Webinar: How to Stop Phishing Attacks Before They Reach Your Team

webinar - how to stop healthcare phishing attacksPhishing has long been a leading cause of healthcare data breaches. Hackers target employees as they are a weak link in the security chain, and many healthcare ransomware attacks start with credentials stolen in phishing attacks.

Phishing attacks are often blamed on the employees who respond to phishing attempts. A survey of healthcare IT leaders found 85% of respondents believe employee negligence is a top email security risk, yet despite that, only 16% of respondents said they train their workforce on how to recognize phishing attempts quarterly or more frequently. The majority of healthcare organizations only provide training to their workforce once a year, and hope that the training sticks and employees will remain vigilant throughout the year, which is seldom the case.

Unfortunately, the risk from phishing is getting worse as AI-generated phishing campaigns are difficult for employees to identify. AI-generated phishing emails are grammatically correct, free of spelling mistakes, and use advanced impersonation techniques. An analysis of phishing emails by KnowBe4 between late 2024 and early 2025 found that 83% of phishing emails were AI-generated.  Not only is AI-generated phishing outpacing training programs, the phishing emails also bypass traditional email spam filters. Further, Paubox research shows that when employees do identify phishing attempts, only 5% of attacks are reported to the security team! If you rely on employee training and a traditional email filter, your organization is at risk.

In this free webinar on April 28, 2026, discover why phishing defenses are failing and how you can improve your security posture and block attacks before they reach your team. The webinar is aimed at IT directors, CISOs, security leaders responsible for email infrastructure, compliance officers managing HIPAA email requirements, healthcare administrators who oversee PHI-handling workflows, and security teams weighing whether current controls match current threats.

Webinar attendees will learn about:

  • The evolution of AI-generated phishing and BEC attacks and why they bypass defenses
  • Why healthcare organizations are targeted
  • The findings of a Paubox analysis of 170 email-related data breaches in 2025 and common authentication gaps
  • How the “training plus spam filter” model leaves measurable security gaps
  • How inbound email security at the technical layer catches what training and traditional filters miss
  • How to assess where your organization’s email security actually stands today

WEBINAR DETAILS

How to Stop Phishing Attacks Before They Reach Your Team

Tuesday, April 28, 2026

10 a.m. PT | 11 a.m. MT | 12 p.m. CT | 1 p.m. ET | 6 p.m. BST

Register for the Webinar


Speaker: Dawn Halpin, Demand Generation Manager, Paubox

Dawn Halpin, Paubox

Dawn Halpin, a Marquette University and University of Wisconsin-Milwaukee graduate, is the Demand Generation Manager at the email security firm Paubox. Paubox is a leader in HIPAA-compliant email security for the healthcare industry and is trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health.

The post Free Webinar: How to Stop Phishing Attacks Before They Reach Your Team appeared first on The HIPAA Journal.

Free HIPAA Compliance Risk Check for Covered Entities

HIPAA compliance is mandatory for organizations that qualify as HIPAA covered entities. But how compliant is your organization really?

Free Online HIPAA Compliance AssessmentWith our 2-minute free HIPAA Compliance Risk Check, you can quickly evaluate the compliance status of your organization and receive a report with actionable insights to immediately improve compliance with HIPAA.

Please note that in order for the report to accurately reflect your organization’s compliance status, you need to be aware of your organization’s current compliance activities when you take our free HIPAA risk check.

Please also note that this check is designed to be used by organizations that are HIPAA covered entities. It is not suitable for solo practitioners or HIPAA Business Associates.

Why Take The HIPAA Compliance Risk Check?

Being aware of your compliance obligations and those of your business partners can be vital because, in the event of a HIPAA violation, ignorance of the HIPAA requirements is not an acceptable defense against enforcement action. This free assessment is:

  • Quick and Convenient: In just two or three minutes, answer a series of targeted questions designed to gauge your organization’s compliance with the latest HIPAA regulations.
  • Instant Results: Receive a compliance score immediately after completing the assessment, giving you a quick snapshot of where your organization stands.
  • 100% Private: Your name and your organization name do not appear on the report and it is only sent to the email address you designate and not copied or stored on any server.

What Does Your Risk Report Include?

  • Your HIPAA Compliance Risk Score: Understand how well your organization adheres to HIPAA standards.
  • Analysis of Compliance Risk Score: Identify specific areas where your organization may be falling short.
  • Tailored Recommendations: Get expert advice on what steps to take to improve your compliance score.

How It Works

  1. Start the Risk Check: Click on this link to get started.
  2. Assessment Steps: You will be taken through a series of multiple choice questions to answer covering a range of HIPAA compliance requirements.
  3. Choose One Answer: Select the answer which best reflects the current situation within the organization.
  4. Receive Your Score: After completing the assessment, you’ll immediately see your HIPAA compliance risk score on screen.
  5. Take Action: Use the insights provided in your report to take actionable steps towards improving your client score.

Your name and your organization name do not appear on the report and you decide what you wish to do with the information. Your email address and your answers to the risk check are not copied or stored on any server, so you can be sure they will remain 100% confidential.

The post Free HIPAA Compliance Risk Check for Covered Entities appeared first on The HIPAA Journal.

Business Associate HIPAA Checklist

As aBusiness Associate, it is important to be aware of which HIPAA compliance standards apply to your organization.

Do you have the correct procedures in place to avoid costly data breaches, HIPAA violations, and regulatory fines?

Find out now with our comprehensive HIPAA Checklist for Business Associates that has been compiled by leading compliance experts.

Use the form to download this checklist.

Non Compliance Is Not An Option

HIPAA compliance standards are enforced by HHS Office of Civil Rights, the Centres for Medicare and Medicaid, and the Federal Trade Commission.

The post Business Associate HIPAA Checklist appeared first on The HIPAA Journal.

Free Webinar TODAY: HIPAA Email Security 101: PHI, Encryption, and What’s Required

According to the Paubox 2026 Healthcare Email Security Report, in 2025, 170 email-related data breaches were reported to the HHS’ Office for Civil Rights (OCR). While healthcare organizations are getting better at preventing email-related data breaches, an analysis of email security configurations found that in 2025, 41% of healthcare organizations fell into the high-risk category, an increase from the previous year.

On top of those large healthcare data breaches are the thousands of smaller breaches that affect fewer than 500 individuals, a large percentage of which are due to poor email security configurations and errors by healthcare employees. Each email incident erodes trust, can be costly to resolve, and potentially puts the organization at risk of a HIPAA penalty, yet email compliance failures are easily avoided.

On May 21, 2026, the leading healthcare email security company, Paubox, is hosting a webinar to explain HIPAA email security 101. The webinar consists of a practical session covering the fundamentals of HIPAA-compliant email, what constitutes PHI, and how to identify the indicators of PHI, as well as the key email security requirements that HIPAA-regulated entities must have in place to ensure that sensitive information is protected and patient privacy is assured. Attendees will also learn about the common compliance errors made by organizations and healthcare employees when communicating via email, and how to avoid them.

Webinar attendees will learn how encryption works and why it is vital for HIPAA compliance

Reserve your spot today to learn how HIPAA applies to email and the requirements for HIPAA-compliant email communications. 

Why Attend?

  • Attendees will learn the fundamentals of HIPAA-compliant email communications, what constitutes PHI, and the common compliance mistakes made by healthcare organizations, and how to avoid them. This webinar is eligible for 1 self-reported CPE. Attendees will receive a certificate of attendance that may be used as supporting documentation when submitting credits to applicable certifying bodies.

WEBINAR DETAILS

HIPAA Email Security 101: PHI, Encryption, and What’s Required

Wednesday, May 20, 2026

10 a.m. PT | 11 a.m. MT | 12 p.m. CT | 1 p.m. ET | 6 a.m. BST

Register for the Webinar


 

Speaker: Dawn Halpin, HIPAA Evangelist, Paubox

Dawn Halpin, Paubox

Dawn Halpin, a graduate of Marquette University and the University of Wisconsin-Milwaukee, is a HIPAA Evangelist at the email security firm Paubox. Paubox is a leader in HIPAA-compliant email security for the healthcare industry and is trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health.

 

 

The post Free Webinar TODAY: HIPAA Email Security 101: PHI, Encryption, and What’s Required appeared first on The HIPAA Journal.

HIPAA Risk Assessment

A HIPAA risk assessment assesses threats to the privacy and security of PHI, the likelihood of a threat occurring, and the potential impact of each threat so it is possible to determine whether existing policies, procedures, and security mechanisms are adequate to reduce risks and vulnerabilities to a reasonable and appropriate level.    

The requirements for covered entities and business associates to conduct a HIPAA risk assessment appear twice in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. However, it may be necessary for organizations to conduct risk assessments beyond these requirements.

The first requirement to conduct a HIPAA risk assessment appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). This standard requires covered entities and business associates to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI”.

The second requirement appears in the HIPAA Breach Notification Rule (45 CFR § 164.402). This standard only applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI (in any format), and a HIPAA risk assessment is necessary to determine whether the event is notifiable to HHS and the affected individual(s).

However, beyond the HIPAA risk assessment requirements of the HIPAA Security and Breach Notification Rules, risks exist to the confidentiality, integrity, and availability of PHI when it is not in electronic format – for example, when unauthorized disclosures are made verbally or when a printed medical report is left unattended in an area of public access.

Because of these risks, it may be necessary to conduct a HIPAA privacy risk assessment which not only takes into account risks to the confidentiality, integrity, and availability of non-electronic PHI, but which also covers individuals’ access rights (to their PHI), Business Associate Agreements, and other Organizational Requirements of HIPAA.

HIPAA Security Risk Assessment

The objective of a HIPAA security risk assessment is outlined in the General Rules (CFR 45 § 164.306) that precede the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule. These are to:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
  • Ensure compliance with this subpart (the HIPAA Security Rule) by its workforce. Note: This is achieved via security awareness training and the enforcement of a sanctions policy.

With regards to the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, the General Rules allow a “flexibility of approach” in how the standards are implemented. Despite the flexibility of approach clause, it is important that all standards are implemented unless an implementation specification is not “reasonable and appropriate” and an equivalent alternate measure is implemented in its place. The full list of Administrative, Physical, and Technical implementation specifications is:

Standards Sections Implementation Specifications

(R)=Required, (A)=Addressable

Implementation Commentary
Security Management Process 164.308(a)(1) Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R) Organizations should perform a comprehensive risk analysis to identify potential vulnerabilities to ePHI. Develop and document a risk management strategy that prioritizes remediation activities. Enforce a sanction policy for employees who fail to comply with security policies, and implement tools for reviewing system activity regularly to detect any unauthorized access.
Assigned Security Responsibility 164.308(a)(2) (R) Assign a senior-level individual (such as a CISO or Privacy Officer) to be responsible for ensuring the implementation and oversight of security policies and procedures across the organization. This individual should have authority and resources to enforce HIPAA compliance.
Workforce Security 164.308(a)(3) Authorization and/or Supervision (A), Workforce Clearance Procedure (A), Termination Procedures (A) Establish and document procedures for supervising workforce members who access ePHI. Screen employees before granting access, and ensure prompt deactivation of accounts and access upon termination or role change to prevent unauthorized access.
Information Access Management 164.308(a)(4) Isolating Health Care Clearinghouse Function (R), Access Authorization (A), Access Establishment and Modification (A) Create controls to isolate systems that manage ePHI, especially if a healthcare clearinghouse is part of a larger organization. Define procedures for granting, modifying, and removing user access based on job roles. Access should be reviewed periodically and updated accordingly.
Security Awareness and Training 164.308(a)(5) Security Reminders (A), Protection from Malicious Software (A), Log-in Monitoring (A), Password Management (A) Develop a formal training program that includes regular security updates, awareness of phishing and malware threats, instructions for recognizing suspicious activities, and best practices for password management. Training should be documented and mandatory for all employees.
Security Incident Procedures 164.308(a)(6) Response and Reporting (R) Develop and maintain a written incident response plan that defines how to detect, report, and respond to security incidents. Train staff on recognizing incidents, and test the plan through simulated exercises to improve readiness.
Contingency Plan 164.308(a)(7) Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing and Revision Procedure (A), Applications and Data Criticality Analysis (A) Implement a robust contingency planning framework that includes regular data backups, disaster recovery procedures, and emergency mode operations to ensure continuity of care. Conduct periodic testing and revise plans based on outcomes. Assess and prioritize data and application criticality to focus recovery efforts effectively.
Evaluation 164.308(a)(8) (R) Regularly evaluate your security program’s effectiveness through audits, risk assessments, and policy reviews. Document evaluation results and implement improvements as needed to address any weaknesses or evolving threats.
Business Associate Contracts 164.308(b)(1) Written Contract or Other Arrangement (R) Enter into Business Associate Agreements (BAAs) with all vendors who handle ePHI on your behalf. Ensure these agreements outline security responsibilities and establish that the associate is subject to HIPAA rules.
Facility Access Controls 164.310(a)(1) Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A) Implement procedures to control physical access to facilities where ePHI is stored. This includes locking doors, using ID badges, and ensuring that emergency access is planned. Document maintenance activities and control how visitors and staff are validated before entering sensitive areas.
Workstation Use 164.310(b) (R) Define appropriate uses of workstations that access ePHI. Restrict the use of unauthorized software and internet access, and place workstations in secure locations where unauthorized individuals cannot view screen content.
Workstation Security 164.310(c) (R) Physically secure workstations by using cable locks, locking office doors, and ensuring terminals are not left unattended when logged in. This helps prevent unauthorized access or tampering.
Device and Media Controls 164.310(d)(1) Disposal (R), Media re-use (R), Accountability (A), Data Backup and Storage (A) Develop policies for securely disposing of media containing ePHI, such as shredding paper records or wiping hard drives. Maintain a media tracking system to ensure accountability and store backups securely offsite or in the cloud.
Access Control 164.312(a)(1) Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A) Assign unique user IDs for tracking access to systems containing ePHI. Ensure emergency access is available when needed. Set automatic logoff policies to reduce risk from unattended terminals, and encrypt data both at rest and in motion where appropriate.
Audit Controls 164.312(b) (R) Use software tools that track and log all access to ePHI, including login attempts, file accesses, and modifications. Regularly audit these logs to identify unusual activity and respond to potential breaches.
Integrity 164.312(c)(1) Mechanism to Authenticate Electronic Protected Health Information (A) Use checksums, digital signatures, or similar tools to ensure that ePHI has not been altered or destroyed in an unauthorized manner. Validate these mechanisms regularly to ensure reliability and security.
Person or Entity Authentication 164.312(d) (R) Ensure users authenticate themselves before accessing ePHI using secure methods such as strong passwords, biometric verification, or multi-factor authentication. Regularly update and review authentication policies.
Transmission Security 164.312(e)(1) Integrity Controls (A), Encryption (A) Encrypt data transmissions such as emails or data sent via APIs to protect ePHI from interception. Implement integrity controls like message authentication codes to ensure that data is not altered during transmission.

 

The final section of the HIPAA Security Rule covers Business Associate Agreements and other Organizational Requirements. This section requires covered entities to ensure their Business Associate Agreements require business associate to comply with the HIPAA Security Rule and report any security incidents (not just data breaches) to the covered entity. With regards to the Organization Requirements, the standard in 45 CFR § 164.314 applies to group health plans; but all covered entities in hybrid, affiliated, or OHCA arrangements should review the content of this standard as well.

HIPAA Breach Risk Assessment

The second “required” HIPAA risk assessment is actually optional inasmuch as the HIPAA Breach Notification Rule states any that impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless a low probability of compromise can be demonstrated via a risk assessment that takes at least the following factors into account:

  • The nature and extent of breached PHI including the types of identifiers and the likelihood of reidentification,
  • The unauthorized person (if known) who acquired, accessed, or used the breached PHI or to whom an impermissible disclosure was made,
  • Whether PHI was actually acquired or viewed (read HHS’ guidance on ransomware to establish what constitutes “acquired or viewed” in cyberattacks),
  • The extent to which the risk to PHI has been mitigated.

The reason for the HIPAA breach risk assessment being described as optional is that covered entities and business associates could – if they wish – skip this HIPAA assessment and notify every impermissible acquisition, access, use, or disclosure of PHI. The drawback to this approach is that it may result in business disruption if HHS’ Office for Civil Rights feels your organization is experiencing an above-average number of data breaches and decides to conduct a compliance review.

It can also cause a loss of trust from individuals served by the organization if patients and plan members are receiving frequent breach notifications – especially if they are advised to take measures to protect themselves against fraud, theft, and loss unnecessarily because “breached” PHI has not actually been acquired or viewed. Although “optional”, it can be a good idea to conduct a HIPAA breach risk assessment to prevent unavoidable notifications.

HIPAA Risk Assessment Workflow- the hipaajournal.com

HIPAA Privacy Risk Assessment

Due to the requirement to conduct risk assessments being in the HIPAA Security Rule, many covered entities and business associates overlook the necessity to conduct a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is equally as important as a security risk assessment but can be a much larger undertaking depending on the size of the organization and the nature of its business.

In order to complete a HIPAA privacy risk assessment, an organization should appoint a Privacy Officer, whose first task it is to identify organizational workflows and get a “big picture” view of how the requirements of HIPAA Privacy Rule impact the organization´s operations. Thereafter the Privacy Officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur.

The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy assessment and should be reviewed as new work practices are implemented or new technology is deployed.

As required by 45 CFR § 164.530, it is essential employees are trained on any policies and procedures developed as a result of a HIPAA privacy risk assessment and when material changes to policies and procedures impact employees’ functions. Although covered entities and business associates may comply with this requirement “to tick the box”, better trained staff make fewer HIPAA errors, so training on HIPAA policies and procedures should be embraced as a risk mitigation strategy.

Not Identifying Risks Can be Costly

The severity of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of PHI and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing a legal requirement exists to protect PHI.

More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard PHI. Many of the largest fines – including the $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI exist.

However, since the start of the second round of HIPAA audits, fines have also been issued for potential breaches of PHI. These are where flaws in an organization´s security have not been uncovered by a HIPAA risk assessment, or where no assessment has been conducted at all. In March 2016, North Memorial Health Care of Minnesota paid more than $1.5 million to settle related HIPAA violation charges.

It’s Not Just Large Organizations in the Firing Line

Although the majority of headlines relating to HIPAA violations concern large medical organizations and large fines for non-compliance, there are very many small medical practices also investigated by the Office for Civil Rights (OCR) or subject to HIPAA audits. Since 2003, OCR has received more than 300,000 reports of alleged HIPAA violations. Less than 2% of these relate to data breaches involving 500 individuals or more.

A significant problem for small and medium sized medical practices is that not all insurance carriers cover the cost of a HIPAA breach. The cost of a HIPAA breach not only includes the fine, but also the cost of hiring IT specialists to investigate the breach, the cost of repairing public confidence, and the cost of providing credit monitoring services for individuals. Insurers may also limit their coverage according to the nature of the HIPAA violation and the level of negligence.

Without insurance coverage, the cost of a HIPAA breach could potentially close a small medical practice. However, this scenario can be mitigated by conducting a HIPAA risk assessment and implementing measures to resolve any uncovered issues. An assessment can be complicated and time-consuming, but the alternative is potentially terminal to small medical practices and their business associates.

Business Associates Must Be Included

Every covered entity that creates, receives, maintains, or transmits PHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with the Security Management requirements of the HIPAA Security Rule. This condition of HIPAA compliance not only applies to medical facilities and health plans. Business associates, subcontractors, and vendors must also conduct a HIPAA security risk assessment. Similar to covered entities, fines for non-compliance can be issued by OCR against business associates for potential breaches of PHI.

OCR treats these risks seriously. In December 2014, the agency revealed that 40% of all HIPAA breaches involving an exposure of more than 500 patient records are attributable to the negligence of business associates. In June 2016, it issued its first fine against a business associate – the Catholic Health Care Services of the Archdiocese of Philadelphia agreeing to pay $650,000 following a breach of 450 records. The non-profit organization had failed to conduct a HIPAA risk assessment since 2013.

More recently, the proportion of data breaches attributable to a lack of compliance by business associates may appear to have reduced, but this is not necessarily the case. Under the HIPAA Breach Notification Rule (CFR § 164.410), a business associate is required to notify a covered entity when a breach of unsecured PHI occurs. It is then the covered entity’s responsibility to notify HHS and the affected individual(s) – so it may be the case many data breaches are recorded as being attributable to a covered entity when in fact a business associate is at fault.

Developing a Risk Management Plan and Implementing New Procedures

A HIPAA risk assessment should reveal any areas of an organization’s security that need attention. Organizations then need to compile a risk management plan in order to address the weaknesses and vulnerabilities uncovered by the assessment and implement new procedures and policies where necessary to close the vulnerabilities most likely to result in a breach of PHI.

The risk levels assigned to each vulnerability will give an organization direction on the priority that each vulnerability needs to be given. The organization can then create a remediation plan to tackle the most critical vulnerabilities first. The remediation plan should be complemented with new procedures and policies where necessary, and appropriate workforce training and awareness programs.

It has been noted by OCR that the most frequent reason why covered entities and business associates fail HIPAA audits is because of a lack of procedures and policies – or inadequate policies and procedures. It is important that the appropriate procedures and policies are implemented in order to enforce changes to the workflow that have been introduced as a result of the HIPAA risk assessment.

Tools to Assist with a HIPAA Risk Assessment

Conducting a HIPAA risk assessment on every aspect of an organization’s operations – not matter what its size – can be complex. This is particularly true for small medical practices with limited resources and no previous experience of complying with HIPAA regulations. To help reduce the complexity of conducting HIPAA risk assessments, in 2014, OCR released a downloadable Security Risk Assessment (SRA) tool that helps small and medium sized medical practices with the compilation of a HIPAA risk assessment.

The SRA tool is very helpful in helping organizations identify some locations where weaknesses and vulnerabilities may exist – but not all. In the User Guide accompanying the software, it is stated at the beginning of the document “the SRA tool is not a guarantee of HIPAA compliance”. This is because, although the tool consists of 156 questions relating to the confidentiality, availability, and integrity of all PHI, there are no suggestions on how assign risk levels or what policies and procedures to introduce.

Much the same applies to other third-party tools that can be found on the Internet. They may also help organizations identify some weaknesses and vulnerabilities, but not provide a fully compliant HIPAA risk assessment. Indeed, many third-party vendors publish disclaimers in the small print of their terms and conditions similar to that at the beginning of the SRA tool User Guide. The conclusion is that tools to assist with a HIPAA risk assessment can be helpful for identifying issues but are not suitable for providing solutions to all issues.

HIPAA Risk Assessment FAQ

Where are risks most commonly identified?

Where risks are most commonly identified vary according to each organization and the nature of its activities. For example, a small medical practice may be at greater risk of impermissible disclosures through personal interactions, while a large healthcare group may be at greater risk of a data breach due to the misconfiguration of cloud servers.

What is a “reasonably anticipated threat”?

A reasonably anticipated threat is any threat to the privacy of individually identifiable health information or to the confidentiality, integrity, or availability of PHI that is foreseeable. These not only include threats from external bad actors, but also threats originating from human error or a lack of knowledge due to a lack of training. This is why a “big picture” view of organizational workflows is essential to identify reasonably anticipated threats.

What is the difference between a risk assessment and a risk analysis?

The difference between a risk assessment and a risk analysis is that a risk assessment identifies the risks to HIPAA compliance, whereas a risk analysis assigns risk levels for vulnerability and impact combinations. The objective of assigning risk levels to each risk is so that risks with the potential to be most damaging can be addressed as priorities. Most HIPAA risk analyses are conducted using a qualitative risk matrix.

Who is responsible for conducting a HIPAA security risk assessment?

The responsibility for conducting a HIPAA security risk assessment usually lies with a HIPAA Compliance Officer; or, if the responsibility for HIPAA compliance is shared between a HIPAA Privacy Officer and a HIPAA Security Officer, the risk assessment and analysis should be conducted by the HIPAA Security Officer with assistance from his or her colleague depending on the nature of risks identified.

Are there different types of risk assessment for covered entities and business associates?

There are not different types of risk assessment for covered entities and business associates. Both covered entities and business associates need to conduct “A-to-Z” risk assessments for any Protected Health Information created, used, or stored. While business associates may experience a lower volume of PHI than a covered entity, the risk assessment has to be just as thorough and just as well documented.

What is a HIPAA risk assessment?

A HIPAA risk assessment is a risk assessment that organizations subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act have to complete in order to be compliant with the “Security Management Process” requirements. Non-compliant organizations have been filed for failing to comply with this requirement of HIPAA.

What is the difference between a HIPAA risk assessment and a HIPAA compliance assessment?

The difference between a HIPAA risk assessment and a HIPAA compliance assessment is that a HIPAA risk assessment identifies potential threats and vulnerabilities so measures can be implemented to mitigate their likelihood. A HIPAA compliance assessment is usually an assessment performed by a third party to assess an organization´s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Why can I not find a HIPAA risk assessment template on the Internet?

You will not find a HIPAA risk assessment template on the Internet because covered entities and business associates vary significantly in size, complexity, and capabilities, and there is no “one-size-fits-all” HIPAA risk assessment. Due to the number of variables, there is no such thing as a HIPAA risk assessment template; and, if you do source a template from the Internet, you should treat it with caution as it may not include every potential risk to PHI maintained by your organization.

When is a HIPAA risk assessment necessary?

A HIPAA risk assessment is necessary in two instances. The first instance appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). The second instance occurs under the HIPAA Breach Notification Rule (45 CFR § 164.402), which applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI. However, organizations should conduct risk assessments more often than these requirements, particularly related to non-electronic PHI and organizational requirements.

What is the objective of a HIPAA security risk assessment?

The objective of a HIPAA security risk assessment is to identify risks to the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits. The risk assessment should not only focus on external threats, but also those within the organization attributable to malicious insiders or a lack of security awareness training.

What factors are considered in a HIPAA breach risk assessment?

The factors considered in a HIPAA breach risk assessment include the nature and extent of breached PHI, the types of identifiers and the likelihood of re-identification, the unauthorized person who accessed or used the breached PHI, whether PHI was actually acquired or viewed, and the extent to which the risk to PHI has been mitigated.

What could be the consequence of not identifying risks to PHI in a risk assessment?

The consequences of not identifying risks to PHI in a risk assessment are an increased likelihood of a data breach or impermissible disclosure, and – following on from such an event – a sanction issued by HHS’ Office for Civil Rights for failing to conduct a thorough risk assessment. It is important to be aware there are no excuses for failing to conduct a thorough risk assessment as covered entities and business associates “know or should know” they have a responsibility to safeguard PHI.

Do the HIPAA risk assessment requirements apply to Business Associates?

The HIPAA risk assessment requirements apply to business associates as business associates are required to comply with the HIPAA Security and Breach Notification Rules and the two HIPAA standards relating to HIPAA risk assessments appear in these Rules. Business associates are also advised to conduct HIPAA Privacy Rule risk assessments if the nature of their activities for a covered entity could violate the privacy of individually identifiable health information.

What tools can assist organizations with a HIPAA risk assessment?

The tools that can assist organizations with a HIPAA risk assessment include a downloadable Security Risk Assessment (SRA) tool released by HHS’ Office for Civil Rights in 2014 to help small and medium-sized medical practices with the compilation of a HIPAA risk assessment. There are also many tools available from third party compliance experts that are best used for identifying issues in situations not covered by the Security Risk Assessment Tool (i.e., HIPAA Privacy Rule compliance).

The post HIPAA Risk Assessment appeared first on The HIPAA Journal.

FREE Webinar: Compliance Best Practices & Live Demo on Tues May 19

Workforce Compliance

Healthcare compliance isn’t a checklist, it’s a program. And most organizations are managing it across a tangle of spreadsheets, binders, and disconnected tools.

Join Compliancy Group for a live session designed to cut through the complexity and give you a clearer picture of what an effective compliance program actually looks like and how to build one.

They will walk through industry best practices across the four core areas of compliance, sharing the dos and don’ts that separate defensible programs from costly gaps, and then show you exactly how Compliancy Group’s platform manages each area in one connected system.

What Will be Covered?

  • Risk & Assessment — How to conduct, document, and act on risk assessments the way OIG and OCR expect
  • Workforce Compliance — Training, attestations, and the employee-level accountability that auditors look for
  • Vendor Compliance — Why 70% of 2025 breaches trace back to business associates, and how to manage third-party risk
  • Incident Management & Hotline Reporting — Building a culture of reporting and a process that protects your organization

This isn’t a standard product demo. It’s a practical session built for compliance-responsible leaders who want real guidance and want to see what simplified, visible, and defensible looks like in practice.

 

WEBINAR DETAILS

Compliance Best Practices & Live Demo Session

  Date: Tuesday, May 19th 2026

Time: 1:00 p.m. ET | 12:00 p.m. CT | 11:00 a.m. MT | 10:00 a.m. PT

Format: Live webinar

 


 

Speaker: Liam Degnan, Director, Solutions Engineering

Liam Degnan Compliancy GroupLiam Degnan brings more than eight years of experience in risk management, SaaS sales, and healthcare compliance. As Compliancy Group’s Senior Solutions Engineer, he advises healthcare decision-makers, healthcare providers, and medical vendors. He speaks on a variety of platforms and topics, with an emphasis on simplifying HIPAA, OSHA, SOC 2, and other healthcare compliance regulations.

 

 

The post FREE Webinar: Compliance Best Practices & Live Demo on Tues May 19 appeared first on The HIPAA Journal.

ComplianceJunction HIPAA Training Receives SCCE Accreditation

The Society of Corporate Compliance and Ethics (SCCE) has recently accredited ComplianceJunction’s ‘HIPAA Training for Organizations’ training course. The SCCE is an Eden Prairie, MN-based non-profit association dedicated to enabling the lasting success and integrity of organizations by promoting high standards in compliance and ethics programs. The SCCE, which has more than 19,000 members in over 100 countries, provides resources, education, and networking opportunities for ethics and compliance professionals and offers professional certification through the Compliance Certification Board (CCB). The CCB is an independent body that recognizes individuals with competence in the practice of compliance and ethics.

ComplianceJunction’s mission is to help healthcare organizations train their employees on HIPAA compliance and ensure they understand their responsibilities when it comes to health information privacy. ComplianceJunction has developed a training course that provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and serves as a foundation for developing a comprehensive HIPAA training program. The training has been used by more than 1,000 healthcare organizations and over 100 universities to raise awareness of the HIPAA regulations.

“ComplianceJunction’s customers include practice owners and senior managers who want to ensure that their staff members are kept up to date on the HIPAA regulations and their organization maintains compliance with the HIPAA training requirements,” explained ComplianceJunction’s Ryan Coyne. “The SCCE accreditation means their employees can now earn CEUs for completing the course, which provides an extra incentive for completing the training.” Healthcare professionals who complete the accredited HIPAA training course will earn 2.6 Continuing Education Units (CEUs) that demonstrate they are taking steps to stay up-to-date with current regulations and are continuing their education and professional development.

“The ComplianceJunction HIPAA training offers a detailed overview of HIPAA fundamentals, laying a solid foundation for developing a comprehensive training program. The modules and case studies are excellent tools to engage staff in further discussion and uncover additional role-specific training needs,” said Joanne Curran, Director of Health Information Management at the Greater Lawrence Family Health Center. “Staff appreciate the opportunity to earn CEUs for completing the training series and look forward to additional training offerings.”

The post ComplianceJunction HIPAA Training Receives SCCE Accreditation appeared first on HIPAA Journal.