HIPAA Compliance Training

Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data

Posted by Steve Alder

A former business clerk at Montefiore Medical Center and his partner have pleaded guilty to stealing thousands of patient records and using the stolen data to defraud government agencies out of almost $1 million.

Wilkins Estrella, 40, of Hackensack, New Jersey, had worked at the Bronx hospital for almost a decade. He was terminated in 2020 after an internal audit of access logs revealed he had been accessing patient records without authorization from at least 2020 to 2022. The review confirmed that more than 4,000 medical records were accessed without any legitimate business purpose for doing so. Montefiore Medical Center reported the data breach to the HHS’ Office for Civil Rights and referred the matter to law enforcement for criminal prosecution.

Along with his romantic partner, Charlene Marte, 31, of the Bronx, New York, Estrella misused patient data to open debit card accounts in patients’ names and had those cards sent to their own addresses and those of family members. The pair then used data from multiple sources to target COVID-19 relief funds from the Internal Revenue Service (IRS) and the New York State Department of Labor, including patients’ names, Social Security numbers, and other personally identifiable information obtained from Montefiore Medical Center.

The pair attempted to obtain $1.6 million in stimulus checks, tax refunds, and unemployment benefits, resulting in almost $1 million in actual losses. The funds were loaded onto the debit cards that the couple had fraudulently obtained.

Marte pled guilty to conspiracy to commit wire fraud and bank fraud on July 28, 2025, and is due to be sentenced on November 5, 2025. She faces up to 30 years in jail.  Estrella pled guilty to conspiracy to commit wire fraud and bank fraud on August 7, 2025, as well as one count of wrongful disclosure of individually identifiable health information. Estrella faces a maximum jail term of 30 years for the bank and wire fraud counts, and up to 10 years in jail for the wrongful disclosure charge, and is due to be sentenced on December 1, 2025. Estrella and Marte are also liable for $951,618.20 in forfeiture and the same amount in restitution.

“Wilkins Estrella stole the personal data of thousands of people, including hospital patients, and used this data along with his partner Charlene Marte to claim money that was intended to assist struggling Americans during the pandemic,” said U.S. Attorney Jay Clayton.  “Defrauding federal programs harms all New Yorkers, and our Office is committed to stopping it.”

The post Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data appeared first on The HIPAA Journal.

ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms

Posted by Steve Alder

ComplianceJunction has announced a new API-based integration designed to simplify HIPAA compliance training for healthcare staffing platforms. This program aims to assist staffing agencies and healthcare organizations with automating the delivery and tracking of mandatory HIPAA training for temporary and contract workers. ComplianceJunction has built a reputation as the top provider of HIPAA training.

The integration enables healthcare staffing platforms to incorporate ComplianceJunction’s training modules directly into their existing systems. This allows for automated assignment of training to new hires, real-time monitoring of course completion, and centralized reporting to ensure compliance with HIPAA regulations. By embedding training into the onboarding process, the integration seeks to reduce administrative tasks and ensure that all staff members receive necessary compliance education promptly. This approach aligns with industry trends emphasizing the importance of continuous education and streamlined compliance processes in healthcare staffing.

ComplianceJunction’s training courses have previously received accreditation from organizations such as the American Health Information Management Association (AHIMA), allowing healthcare professionals to earn Continuing Education Units (CEUs) upon completion. This accreditation underscores the quality and relevance of the training content provided and motivates staff.

The API integration is part of ComplianceJunction’s broader efforts to enhance HIPAA compliance training through technology, aiming to support healthcare organizations in maintaining high standards of data privacy and security.

Further details and demonstration access are available at:
https://www.compliancejunction.com/partner-program-hrplatform-integration/

The post ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms appeared first on The HIPAA Journal.

ComplianceJunction HIPAA Training Receives SCCE Accreditation

Posted by Steve Alder

The Society of Corporate Compliance and Ethics (SCCE) has recently accredited ComplianceJunction’s ‘HIPAA Training for Organizations’ training course. The SCCE is an Eden Prairie, MN-based non-profit association dedicated to enabling the lasting success and integrity of organizations by promoting high standards in compliance and ethics programs. The SCCE, which has more than 19,000 members in over 100 countries, provides resources, education, and networking opportunities for ethics and compliance professionals and offers professional certification through the Compliance Certification Board (CCB). The CCB is an independent body that recognizes individuals with competence in the practice of compliance and ethics.

ComplianceJunction’s mission is to help healthcare organizations train their employees on HIPAA compliance and ensure they understand their responsibilities when it comes to health information privacy. ComplianceJunction has developed a training course that provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and serves as a foundation for developing a comprehensive HIPAA training program. The training has been used by more than 1,000 healthcare organizations and over 100 universities to raise awareness of the HIPAA regulations.

“ComplianceJunction’s customers include practice owners and senior managers who want to ensure that their staff members are kept up to date on the HIPAA regulations and their organization maintains compliance with the HIPAA training requirements,” explained ComplianceJunction’s Ryan Coyne. “The SCCE accreditation means their employees can now earn CEUs for completing the course, which provides an extra incentive for completing the training.” Healthcare professionals who complete the accredited HIPAA training course will earn 2.6 Continuing Education Units (CEUs) that demonstrate they are taking steps to stay up-to-date with current regulations and are continuing their education and professional development.

“The ComplianceJunction HIPAA training offers a detailed overview of HIPAA fundamentals, laying a solid foundation for developing a comprehensive training program. The modules and case studies are excellent tools to engage staff in further discussion and uncover additional role-specific training needs,” said Joanne Curran, Director of Health Information Management at the Greater Lawrence Family Health Center. “Staff appreciate the opportunity to earn CEUs for completing the training series and look forward to additional training offerings.”

The post ComplianceJunction HIPAA Training Receives SCCE Accreditation appeared first on HIPAA Journal.

Is HIPAA Training is a Federal Requirement?

Posted by Steve Alder

Yes, HIPAA training is mandated by the Health Insurance Portability and Accountability Act (HIPAA) and is a federal requirement for healthcare providers, insurance companies, and their business associates in the United States to ensure the confidentiality, integrity, and security of protected health information. HIPAA training is mandated by both the HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308(a)(5)), requiring healthcare entities to provide regular, role-specific training on handling protected health information (PHI) and electronic PHI (ePHI) to all workforce members, ensuring ongoing awareness and compliance with privacy and security measures.

HIPAA Training Required under HIPAA Privacy Rule (45 CFR § 164.530)

The HIPAA Privacy Rule mandates that covered entities – which include healthcare providers, health plans, and healthcare clearinghouses – must train all members of their workforce on the policies and procedures with respect to PHI. The HIPAA training must be provided to each new member of the workforce within a reasonable period after they join the entity, and also when there are material changes in the policies or procedures. The purpose of this training is to ensure that every individual who handles or has access to PHI is aware of the privacy practices and the legal obligations for safeguarding patient information. The HIPAA Privacy Rule emphasizes that training should be appropriate to the functions performed by each workforce member.

HIPAA Training Required under HIPAA Security Rule (45 CFR § 164.308(a)(5))

Under the HIPAA Security Rule, covered entities are required to implement a security awareness and training program for all members of its workforce, including management. This involves regular updates regarding the safeguards for protecting ePHI, which could include procedures for guarding against, detecting, and reporting malicious software; procedures for monitoring log-in attempts and reporting discrepancies; and procedures for creating, changing, and safeguarding passwords. The HIPAA training should be ongoing to address the evolving nature of security threats and to reinforce the importance of every individual’s role in protecting ePHI.

 

Both these sections collectively ensure that HIPAA training is not a one-time requirement but an ongoing process, integral to the compliance strategy of all entities handling PHI. The training should be tailored to the specific roles of the workforce members and must be documented. Non-compliance with these training requirements can result in significant HIPAA penalties like the $1,500,000 fine for Athens Orthopedic Clinic PA in 2020 that included failure provide HIPAA Privacy Rule training in the list of HIPAA breaches.

The post Is HIPAA Training is a Federal Requirement? appeared first on HIPAA Journal.

How long does HIPAA training take?

Posted by Ian

The duration of HIPAA training varies depending on the specific needs and roles of the individuals being trained, but for healthcare staff undergoing annual HIPAA refresher training, it typically takes about 90 minutes to complete. A typical HIPAA training course covers essential topics to ensure compliance with HIPAA regulations. It starts with fundamental definitions, including Protected Health Information and the Minimum Necessary Standard, to lay a solid foundation for understanding. The course also introduces the HITECH Act, emphasizing its role in advancing healthcare IT and extending HIPAA compliance to business associates. A key section of the course is devoted to the main HIPAA Regulatory Rules, with particular attention to those most relevant for the trainees. The HIPAA Omnibus Final Rule is discussed for its impact on patient rights and violation penalties. Core modules of the course include the HIPAA Privacy Rule, focusing on the use and disclosure of PHI, and the Security Rule, which deals with the safeguarding of electronic PHI. The training educates on HIPAA Patient Rights and the proper communication of these rights. Understanding HIPAA Disclosure Rules is another critical part, enabling healthcare workers to make informed decisions about PHI disclosure. The course also tackles the consequences of HIPAA violations, teaching the importance of prompt reporting and effective mitigation strategies. Preventing common HIPAA violations, such as inadvertent disclosures, is a practical component, along with guidelines on responsible use of social media and mobile devices.

Additional Cybersecurity Training on Handling PHI

HIPAA training often includes important aspects of cybersecurity, as protecting Protected Health Information (PHI) involves safeguarding it from digital threats. Healthcare staff and anyone handling PHI need to be trained to recognize and deal with cybersecurity risks such as phishing, ransomware, and other cyber attacks. This training helps them identify potential threats and teaches them how to respond effectively to protect patient data. The aim is to ensure that everyone who deals with PHI is not just aware of the confidentiality requirements, but also has the practical skills to prevent and react to cybersecurity incidents. This approach is essential in preparing healthcare workers to handle the challenges of securing digital information.

Additional Training in Texas

In Texas, House Bill 300 (HB-300) significantly expands upon the federal HIPAA requirements, necessitating specialized training for healthcare professionals within the state. This legislation, tailored specifically to Texas, places stricter standards on the handling of Protected Health Information (PHI) and broadens the definition of covered entities. The training mandated by HB-300 goes beyond the scope of federal HIPAA training, focusing on the additional privacy and security obligations specific to Texas. Healthcare workers, including doctors, nurses, and administrative staff, are required to complete this training within a specified timeframe of their employment start date and must undergo regular updates to stay abreast of changes in the law. This ensures that all healthcare personnel in Texas are not only compliant with federal standards but also well-versed in the state’s more stringent regulations regarding patient privacy and data security.

Special HIPAA Training for Healthcare Students

Healthcare students need to undergo full HIPAA training before they can access patient PHI. This training is important to ensure they understand how to handle PHI correctly and securely, especially when using it in training reports and academic work. The focus of the training is to teach students the importance of confidentiality and the correct procedures for using PHI, in line with HIPAA regulations. It is important that they learn these rules early in their training, so they are well-prepared to manage PHI responsibly in their future healthcare roles.

HIPAA Training for HIPAA Compliance Officers

HIPAA training for HIPAA compliance officers is an extensive and thorough process, often spanning several days or even weeks, to ensure a comprehensive understanding of all aspects of HIPAA. This specialized training delves deep into the intricacies of HIPAA regulations, including privacy and security rules, patient rights, and the proper handling of Protected Health Information (PHI). Compliance officers are equipped with detailed knowledge on how to implement and maintain HIPAA standards within their organizations, manage potential breaches, and navigate complex scenarios that may arise in the course of maintaining compliance. The extended duration of this training is essential to thoroughly prepare these officers for the critical role they play in safeguarding patient privacy and ensuring their organization’s adherence to these crucial federal regulations.

The post How long does HIPAA training take? appeared first on HIPAA Journal.