HIPAA Compliance Training

HIPAA Refresher Training

HIPAA Refresher Training is an annual course designed for staff who have already completed full HIPAA training and need their knowledge reinforced and updated rather than retaught from scratch. It is one of the most important tools for keeping HIPAA awareness alive in day to day work instead of letting it fade after onboarding.

What is Annual HIPAA Refresher Training?

Annual HIPAA Refresher Training focuses on reinforcing and updating knowledge that employees already have. It assumes that staff have previously completed a comprehensive HIPAA onboarding course and already understand core concepts such as PHI, ePHI, the Minimum Necessary Standard, and basic incident reporting. The aim is to strengthen good habits, correct small misunderstandings, and bring everyone up to date with new risks, tools, or policy changes. Because it is built on an existing foundation, the training can concentrate on real scenarios and common pitfalls rather than spending time on basic definitions. For that reason, it is only recommended for staff who have already received a complete, initial HIPAA training program.

How Often Should HIPAA Refresher Training be Provided?

HIPAA itself requires that training be provided on a regular basis, but it does not set a specific schedule. In practice, the healthcare sector standard is to provide HIPAA training annually, and the annual course is usually delivered in the form of refresher training. This creates a simple, predictable rhythm that is easy to communicate and easy to document. When everyone knows they will receive HIPAA training every year, it is easier to keep expectations clear and to avoid long gaps where habits drift away from policies. An annual cycle also lines up well with other compliance activities such as risk assessments, policy reviews, and security updates.

When is HIPAA Refresher Training Appropriate? (And when is it Not?)

Refresher training is not a replacement for full onboarding. It is not recommended for new staff because HIPAA Covered Entities and HIPAA Business Associates do not know each person’s baseline knowledge and must establish a consistent standard through comprehensive initial training. The refresher course should build on that baseline, not guess at it. Refresher training is also not suitable after a HIPAA violation. Employees who commit a HIPAA violation should receive more extensive HIPAA Remediation Training that looks closely at what went wrong, why it happened, and what must change, rather than a general refresher. In addition, refresher training is not enough for certain groups such as healthcare students, who should receive full HIPAA training that includes student specific content at the start of each placement. In short, refresher training works best for staff with solid prior training and a generally compliant track record.

HIPAA Refresher Training Content Recommendations

Even though HIPAA Refresher Training is shorter than onboarding, it still needs to cover the specialist topics relevant to the organization. For example, EMS staff should receive training on HIPAA in Emergency Situations every year, because their work regularly involves high pressure decisions about disclosures in complex environments. Refresher training is also the ideal place to introduce new topics that were not covered in the original course. Recent examples include HIPAA and AI tools, new communication platforms, and updated workflows for remote work. As technology and practice evolve, refresher training ensures staff understand how HIPAA applies to new tools and situations. Alongside HIPAA content, annual cybersecurity training is very strongly recommended, so staff are reminded about phishing, passwords, device security, and other threats that can expose electronic PHI.

Benefits of HIPAA Refresher Training

Annual HIPAA Refresher Training delivers clear, practical benefits. It reduces the risk of accidental HIPAA violations by reminding people about common pitfalls such as talking about patients in public areas, mishandling emails and attachments, or viewing more information than they need in electronic records. It keeps HIPAA on people’s radar in a busy clinical and administrative environment where urgent tasks can easily crowd out long term obligations. It also gives leadership a visible way to show their ongoing commitment to patient privacy and information security, rather than letting HIPAA compliance fade quietly into the background.

HIPAA Compliance Value of Annual Refresher Training

Annual refresher training also has significant compliance value. Completion records create a clear documentation trail that shows training is ongoing, not a one time event at hire. In the case of a HIPAA violation or an external investigation, these records support client due diligence, internal audits, and regulatory reviews by proving that the organization invests in regular, structured HIPAA education for its workforce. Consistent annual training makes it easier to demonstrate that the organization is acting in good faith, responding to new risks, and taking reasonable steps to prevent violations. It also helps identify departments or locations that may be falling behind on training, so corrective action can be taken before gaps turn into findings. Over time, a well documented pattern of annual refresher training strengthens the organization’s overall compliance posture and supports a more defensible response if something does go wrong.

What Features Should Be Included In HIPAA Refresher Training?

HIPAA Refresher Training should do more than repeat the onboarding course in a shorter format. It needs features that help staff update what they know, correct drifting habits, and stay aligned with current risks and expectations.

Training Created And Overseen By HIPAA Experts

Refresher training should be designed and maintained by HIPAA subject matter experts, including people who have experience as HIPAA Privacy Officers or Compliance Officers. Expert oversight helps ensure the content focuses on real world risks, common violation patterns, and practical behaviors rather than abstract legal language.

Current And Regularly Updated Content

Because refresher training is often taken annually, it must be reviewed and updated regularly. The material should reflect recent guidance, enforcement patterns, and changes in technology such as remote work tools, cloud platforms, and AI. Staff should come away knowing how HIPAA applies to current systems and workflows, not just how things used to work.

Employee Focused, Practical Curriculum

The curriculum needs to speak directly to employees. Refresher training should use simple language, clear explanations, and realistic scenarios that match clinical, administrative, and technical roles. It should highlight non compliant behaviors that cause real incidents, such as unattended workstations, unapproved file sharing, or oversharing in electronic records, and show what staff should do instead.

Emphasis On Risk Reduction And Modern Threats

A strong refresher program is organized around risk reduction. It should revisit high risk situations such as social media use, insecure messaging, and hurried communication in busy environments. The content should also reinforce how HIPAA applies in emergencies and unusual situations so staff can act quickly without guessing when pressure is high.

Flexible Overlays For Different Roles And Settings

HIPAA Refresher Training works best when it can be tailored to different roles and locations. The core course can be the same for everyone, while optional overlays add content for specific needs such as state medical privacy requirements, mental health or EMS practice, healthcare students, Business Associate staff, or small medical practices. This keeps the training relevant without having to build entirely separate programs.

Strong Documentation And Audit Readiness

Effective HIPAA refresher training includes solid documentation features. The system should record who completed which course, when they completed it, and what assessments they passed, with clear links to specific course versions. Reports should be easy to generate for leadership, clients, and auditors. This documentation shows that refresher training is ongoing, structured, and taken seriously across the organization.

Annual HIPAA Training is Healthcare Sector Best Practice

Annual HIPAA Refresher Training is most effective when it is treated as a focused annual update for staff who have already completed full onboarding, not as a shortcut or replacement for comprehensive training. Used correctly, it reinforces existing knowledge, addresses new risks such as changing technology and working practices, and keeps staff alert to common pitfalls that can lead to accidental violations. It is best reserved for employees with a solid baseline and a generally compliant track record, while new hires, healthcare students, and staff involved in violations should receive more extensive training that fits their circumstances.

The post HIPAA Refresher Training appeared first on The HIPAA Journal.

HIPAA Compliance Officer Training for Newly Appointed Officers

HIPAA Compliance Officer training prepares a designated individual to oversee how a HIPAA Covered Entity meets its HIPAA Privacy, HIPAA Security, and HIPAA Breach Notification obligations, often in smaller practices while still functioning as a member of the workforce. Training for HIPAA Compliance Officers has two layers. First, HIPAA Compliance Officers need the same high quality HIPAA training that every employee receives so they understand HIPAA compliance from an employee perspective. Second, they need additional training that focuses on the overall compliance program for the HIPAA Covered Entity, including policies, documentation, risk management, and oversight. The most effective programs build this in sequence, starting with employee level training and then adding the advanced compliance content on top. The more advanced content is typically custom training that is specific to the HIPAA Covered Entity’s own policies and procedures.

The Foundation is HIPAA Training For Employees

The foundation for any HIPAA Compliance Officer is strong employee training that covers what staff actually do with Protected Health Information in real life. A good employee course introduces core HIPAA concepts, explaining what PHI and ePHI are, how the Minimum Necessary Standard works, why authorizations matter, and how HIPAA supports patient trust and better care. It then walks through the main HIPAA rules, including the Privacy Rule, Security Rule, and Breach Notification Rule, so employees see the whole picture rather than isolated fragments.

High quality employee training also explains the role of Compliance Officers themselves, framing them as partners who help staff follow ethical and legal standards. It goes on to show how HIPAA violations really occur and how to prevent them, with practical examples about oversharing information, mishandling records, ignoring access controls, or skipping procedures. Staff learn about patient rights under HIPAA, such as access, amendments, and confidential communications, and they see how their actions support those rights in day to day work.

Healthcare employee training must include HIPAA security awareness and cybersecurity training, teaching staff how to recognize threats to medical records and how administrative, physical, and technical safeguards protect data. It should cover how HIPAA applies in emergencies, how recent HIPAA updates affect work, and how to use artificial intelligence tools in a HIPAA compliant way. Lessons on social media and messaging clarify why casual or anonymous posts can still violate HIPAA and why organizational policies must be followed. Optional modules on state privacy laws and small medical practice challenges are also valuable when they apply. This type of comprehensive, scenario based employee training is the baseline that every Compliance Officer should complete and understand thoroughly.

Building On The Foundation with HIPAA Covered Entity Level Compliance Training

Once the employee layer is in place, a HIPAA Compliance Officer needs training that teaches them how to manage compliance for the entire HIPAA-Covered Entity. This includes learning how to design and maintain policies and procedures that reflect the specific organization’s size, structure, and risk profile. It also requires a deeper understanding of risk analysis and risk management planning, so the officer can identify where PHI is stored and transmitted, where vulnerabilities exist, and how to prioritize mitigation.

HIPAA Compliance Officer training at the HIPAA Covered Entity level should address how to plan, deliver, and document workforce training, how to manage HIPAA Business Associates and their agreements, and how to monitor compliance through internal reviews or audits. It should explain how to coordinate incident response and breach notification, how to work with leadership on corrective action, and how to communicate with regulators or clients when questions arise. The HIPAA Business Associate Agreement should also contain a provision requiring that the Business Associate’s own staff in turn receive HIPAA training. This part of the training for the HIPAA Compliance Officer is less about individual tasks and more about building and sustaining a complete HIPAA compliance program.

Training Pathway For HIPAA Compliance Officers

The most practical training pathway for a HIPAA Compliance Officer starts with completing a full workforce HIPAA training course, just like other employees. That ensures they see the same content staff receive and understand how it feels from the employee perspective. Once that foundation is in place, the Compliance Officer should add role specific modules that focus on risk assessments, policy development, documentation standards, training governance, and vendor oversight. Additional learning in incident handling, root cause analysis, and corrective action planning is also important.

Over time, both layers need to be refreshed. The HIPAA Compliance Officer should repeat employee level training on a regular schedule, so they stay aligned with staff content, and also keep their advanced compliance training up to date as regulations, technology, and enforcement priorities evolve. Skipping the employee layer or relying only on policy documents can leave significant blind spots in how policies are experienced on the ground.

HIPAA Compliance Officer Training For Newly Appointed Officers

Newly appointed HIPAA Compliance Officers face a steep learning curve. They may inherit an existing compliance program with gaps, or they may be asked to build one from scratch. The smartest first step for a new officer is to complete the same HIPAA Training for Employees that everyone else takes. This quickly aligns them with the organization’s baseline expectations, shows them what staff are being told, and highlights any disconnect between training messages and real practice.

After that initial employee training, new HIPAA Compliance Officers should move straight into structured officer level training that explains how to evaluate the current state of compliance, review existing policies and risk assessments, and identify urgent priorities. They need guidance on how to talk to leadership about risk, how to gain cooperation from busy departments, and how to shape a realistic 90 day plan that includes quick wins and longer term projects. Starting with employee training and then layering on specialized officer training helps new Compliance Officers build credibility with staff and leadership while avoiding dangerous assumptions about what people already know or do.

Conclusion: Ongoing Education And Professional Development

HIPAA Compliance Officer training is not a one time course but a layered and ongoing process. Effective officers build their knowledge from the ground up, starting with robust employee training that reflects real world risks, then adding advanced training in policies, risk management, documentation, and oversight for the HIPAA Covered Entity. They refresh both layers regularly and stay informed about new threats, regulatory updates, and enforcement trends. To support that ongoing learning, it is wise for Compliance Officers to follow trusted educational resources and keep a steady flow of practical insight. Subscribing to the free weekly newsletter from The HIPAA Journal is a simple way to stay current on HIPAA news, breach patterns, and guidance that can strengthen both employee training and the overall compliance program.

The post HIPAA Compliance Officer Training for Newly Appointed Officers appeared first on The HIPAA Journal.

Why HIPAA Business Associates Must Provide HIPAA Training for their Entire Staff

In any organization that qualifies as a HIPAA Business Associate, every member of the workforce is part of the environment in which protected health information is created, received, maintained, or transmitted. Even when an individual does not believe they “handle PHI,” their actions, access, and decisions can directly or indirectly affect the privacy and security of that information. For that reason, limiting HIPAA training (as distinct from general security awareness training) to a narrow group of employees is not sufficient. To fully manage risk, protect patients, and uphold contractual obligations, HIPAA training must extend to all staff in a Business Associate organization.

Legal and Contractual Basis for Mandatory HIPAA Training for All Staff

Under HIPAA, a Business Associate is any organization or individual that performs certain services for or on behalf of a Covered Entity when those services involve the use or disclosure of protected health information. Once a company meets that definition, it assumes an organization-wide set of obligations. It is not just specific departments or job titles that become regulated; the company as a whole is bound by HIPAA’s requirements and by the terms of its Business Associate Agreements.

Those Business Associate Agreements typically require the organization to safeguard PHI, restrict uses and disclosures to permitted purposes, report incidents and breaches, and cooperate with the Covered Entity’s obligations to patients. These commitments cannot be fulfilled solely by a privacy officer, an IT team, or a handful of “PHI-facing” staff. They depend on the behavior of the entire workforce, including employees, contractors, and others under the organization’s direct control.

Under the HIPAA Security Rule, the Administrative Safeguards at 45 C.F.R. § 164.308(a)(5)(i) require covered entities and business associates to implement a security awareness and training program for all members of the workforce, including management. “Workforce” is defined broadly to include employees, contractors, volunteers, and any other persons whose conduct is under the organization’s direct control. The Security Rule further requires that this program address, at a minimum, periodic security reminders, protection against malicious software, monitoring of log-in attempts and reporting discrepancies, and procedures for creating, changing, and safeguarding passwords. This makes clear that every workforce member who can affect the confidentiality, integrity, or availability of electronic PHI must receive ongoing security awareness and training.

The Shared Custodial Chain of Protected Health Information

Protected health information rarely stays in one place or one system. It moves through a chain of custody: from the Covered Entity to direct Business Associates and often on to downstream subcontractor Business Associates. Each link in that chain has obligations to protect PHI and to support the rights of patients.

In practice, this chain involves a wide variety of people. System administrators configure databases and access controls. Developers and analysts work with test data that may include PHI if not properly de-identified. Customer support staff may see PHI on screens or in tickets. Administrative personnel may be exposed to PHI when handling email, faxes, or printed material. Even staff whose core role is not “healthcare” may be custodians of PHI by virtue of the systems they manage or the spaces they occupy.

If any one of these individuals mishandles PHI, shares it improperly, ignores a security warning, or fails to follow basic safeguards, the entire custodial chain is compromised. The Covered Entity is affected, other Business Associates may be implicated, and, most importantly, the patient may be harmed. Training only those who obviously “touch PHI” on a daily basis overlooks many points where risk can enter the system. Universal HIPAA training ensures that everyone who might encounter PHI or influence its protection understands their responsibilities.

The Human Factor as the Primary Source of Risk

Most privacy and security failures in healthcare and related industries stem from human behavior, not technology. Technical safeguards such as encryption, access controls, and logging are critical, but a sophisticated security program can be undone by a single untrained or careless staff member.

Real-world incidents repeatedly show the same patterns. A workforce member interacts with a phishing email and discloses login credentials, enabling an attacker to access systems containing PHI. An employee props open a secure door or shares a password for convenience. A staff member uses an unapproved cloud storage service or messaging app to work more quickly, not realizing it fails to meet HIPAA standards. Another employee talks about a recognizable patient on social media or in a public setting, unintentionally disclosing PHI.

These are not always malicious acts. Often they stem from a lack of awareness or a failure to understand why policies are in place. Universal HIPAA training addresses this by explaining what PHI is, what the rules require, and why specific behaviors are risky. It connects daily decisions to real consequences for patients and for the organization. Without this education, the organization relies on luck rather than a structured risk control.

Incident Detection and Reporting Depend on Everyone

Business Associates are typically required, through HIPAA and their Business Associate Agreements, to identify, respond to, and report security incidents and privacy violations. Detection cannot rest solely with IT staff, technology, or a privacy office. In many cases, the first person to see something suspicious is a line employee: a receptionist who notices unusual access to records, a call center agent who spots odd account activity, or a developer who sees error messages that suggest unauthorized access.

If that employee has never been trained on what constitutes a security incident, why it matters, or how to report it, an opportunity for early intervention is lost. By the time a centralized team identifies the problem, more damage may have occurred, more PHI may be exposed, and more patients may be affected.

Universal HIPAA training gives every staff member a clear understanding of what an incident looks like, how to respond, and whom to contact. It also reinforces the message that reporting is a duty, not an optional courtesy, and that honest reporting is expected even when the reporter might have contributed to the problem. This broad, distributed awareness is essential for an effective incident response program.

Patient Safety and Medical Identity Theft

Protecting PHI is not only about preventing embarrassment or financial penalties. It is also about patient safety and the integrity of the medical record. When PHI is exposed or altered through misuse, error, or fraud, the patient may suffer physical harm, psychological distress, and long-term consequences.

Medical identity theft is a clear example. When someone uses another person’s identity to obtain care, prescriptions, or insurance coverage, false information can be added to the victim’s record. Incorrect allergies, diagnoses, medications, or procedures may appear. This can lead to misdiagnosis, ineffective treatment, dangerous drug interactions, or delays in necessary care. In critical situations, a corrupted record can be life-threatening.

Patients also suffer financially and emotionally. They may face denied coverage, disputed bills, or questions about their medical history. They may have difficulty restoring the accuracy of their records across multiple providers and systems. For every abstract “record” in a database, there is a real person whose life may be disrupted or endangered.

Because every staff member can either prevent or enable such harm through their handling of PHI, each person must understand what is at stake. Universal HIPAA training helps employees connect their daily actions to patient safety, moving compliance from a box-checking exercise to an ethical responsibility.

Organizational and Financial Risk Management

From an organizational perspective, failing to train all staff is a significant and unnecessary risk. Regulatory investigations following a breach or major incident often examine whether the organization had appropriate policies, safeguards, and training in place. If training is incomplete or poorly documented, regulators may conclude that the organization did not exercise reasonable care.

The consequences can include corrective action plans, civil monetary penalties, reputational damage, and the loss of business relationships. Covered Entities may terminate contracts or be reluctant to renew them if they perceive the Business Associate as a weak link in their compliance posture. Plaintiffs’ attorneys may rely on HIPAA standards as evidence of the applicable duty of care in negligence cases, even though HIPAA itself does not provide a private cause of action.

In contrast, a robust and well-documented training program for all staff strengthens the organization’s position. It demonstrates commitment to compliance, supports a consistent enforcement of policies, and helps prevent incidents in the first place. Compared to the costs of responding to a breach, training is a relatively low-cost, high-impact investment.

Fair Enforcement, Culture, and Accountability

HIPAA requires organizations to apply sanctions for violations of their policies and procedures related to PHI. For sanctions to be fair, defensible, and effective, the organization must be able to show that staff were informed of expectations and trained on relevant requirements.

If only some employees receive HIPAA training, it becomes difficult to enforce standards consistently. Workforce members may argue that they did not know their behavior was prohibited or that the organization failed to provide adequate guidance. This undermines the culture of accountability that HIPAA compliance requires.

Training all staff sends a clearer message. It establishes that everyone, regardless of position, shares responsibility for safeguarding PHI. It also supports a culture in which people feel both empowered and obligated to follow policies, protect patient information, and report concerns. Over time, this shared understanding and shared responsibility become part of the organization’s identity, rather than an external requirement imposed from the outside.

HIPAA Training as a Core Business Practice

For a HIPAA Business Associate, training only a subset of employees is not sufficient to satisfy legal requirements, protect patients, or manage organizational risk. The obligations under HIPAA and Business Associate Agreements apply to the organization as a whole, and so must the training that supports those obligations.

Every staff member influences the confidentiality, integrity, and availability of protected health information, whether directly or indirectly. Human behavior is a primary driver of both breaches and prevention. Incident detection and reporting depend on eyes and ears across the organization. Patient safety and medical identity theft concerns make data protection an ethical imperative, not merely a regulatory one. The financial and reputational stakes for the organization are significant, and fair enforcement of policies requires that “I did not know” is never a reasonable excuse.

HIPAA training for all staff is not an optional task or a best practice reserved for particularly cautious organizations. It is a foundational element of doing business as a HIPAA Business Associate. Training all staff is part of what it means to accept the responsibility of working with protected health information.

The post Why HIPAA Business Associates Must Provide HIPAA Training for their Entire Staff appeared first on The HIPAA Journal.

10 Step Guide to Choosing HIPAA Training for Employees

Choosing HIPAA training for employees should be about compliance outcomes, not simply the optics of checking a box for mandatory training. This 10-step guide helps you select HIPAA training courses that build real HIPAA compliance knowledge, reduce common errors, and prepare employees to apply HIPAA correctly from day one. It helps you avoid checkbox training and invest in learning that improves employee compliance performance, ultimately reducing HIPAA violations and HIPAA breaches.

Step 1: Review the course curriculum and verify that it is specifically designed for employees.

Verify that the training was designed for the staff who will receive it. There is little point in giving front line employees HIPAA training that was designed for compliance officers, or management training that focuses on the compliance programs of HIPAA-covered entities.

Step 2: If the training provider does not state who produced the training, then ask for this information.

When selecting HIPAA training, evaluate substance and outcomes, not slide count. Effective courses go beyond reciting regulations and show how the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule translate into concrete tasks and decisions for employees. Begin with the source of the training content. Prefer curricula developed and maintained by recognized HIPAA subject-matter experts, designed with input from and then reviewed by HIPAA Privacy Officers and HIPAA Compliance Officers. Those officers understand how violations occur and can teach recurring patterns, such as misdirected messages, wrong-patient access, and casual disclosures, together with the precise steps that prevent them.

Step 3: If the training does not have a release date, then ask when it was produced.

Verify that the content is up-to-date because HHS and OCR guidance evolves, enforcement priorities shift, and new technologies introduce fresh risks. High-quality training is actively updated to reflect new laws, guidance, and enforcement trends, rather than remaining static.

Step 4: Prioritize practical advice over theory

Ensure the HIPAA training prioritizes practical scenarios over abstraction or simply repeating regulations. The training must use realistic examples such as unattended workstations, unapproved applications, and over-sharing on phone calls.

Step 5: Verify that training has modules covering evolving threats like social media and AI tools.

The training must also address modern risk areas, including generative AI tools, social media, messaging platforms, remote work, and personal devices.

Step 6: Choose training focused on risk reduction

Training cannot eliminate HIPAA violations and HIPAA breaches, but well-designed modules reduce both likelihood and impact by targeting behaviors behind common incidents. Make sure that the content is focused on prevention and response. The training must identify typical errors, such as lost devices, unencrypted email, and improper disclosures, and specify who to notify, what to document, and when to escalate.

Step 7: Review the trainee learning experience

An effective learning experience is practical, accessible, and respectful of time. Online, self-paced modules with pause and resume controls suit shift work and clinical interruptions. Mobile-friendly delivery across desktop, tablet, and phone improves the completion rate of training. When staff can access training easily, learn at a sensible pace, verify understanding, and obtain help as needed, they make better decisions, and the compliance program becomes measurably stronger. Make sure that the training is available for the full year until the next annual session so that employees can review as many times as they require to refresh their knowledge. The learning experience is also improved if there are quizzes after each topic covered. The fact that trainees know that they will be tested at the end of each topic in the training course immediately improves their attention levels.

Step 8: Training management features

Online HIPAA training provides managers with the opportunity to monitor the progress of employees during their HIPAA training and confirm that the training has been completed. It is also necessary to retain training records for a minimum of six years.

Step 9: Include state privacy laws where necessary

HIPAA training also means training in the related medical record privacy and security laws. Certain states such as Texas and California have state medical privacy laws that are mandatory and stricter than HIPAA. There are also additional state data privacy laws that apply to medical records.

Step 10: Don’t forget cybersecurity training

Integrate HIPAA with cybersecurity awareness for any staff who have access to medical records on computers. Many large-scale HIPAA breaches begin with general cyber risks, including phishing, weak credentials, unsafe USB use, and credential sharing. Pair HIPAA content with focused cybersecurity modules on human error, phishing recognition, secure messaging, credential management, and removable media.

Choose HIPAA Training That Changes Behavior

This guide recommends selecting HIPAA training that is designed for employees, identifies who produced the content, and includes a clear release date. It emphasizes practical scenarios over theory, with up-to-date modules that address social media, AI tools, messaging, remote work, and personal devices. It calls for risk-focused instruction that identifies common errors such as lost devices, unencrypted email, and improper disclosures, and that specifies who to notify, what to document, and when to escalate. It also highlights a learning experience that is self-paced, mobile-friendly, and available for the full year so employees can review as needed. The guide advises pairing HIPAA training with cybersecurity modules for staff who access medical records on computers.

The post 10 Step Guide to Choosing HIPAA Training for Employees appeared first on The HIPAA Journal.

Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas

In addition to HIPAA and the Texas Medical Records Privacy Act/HB300, several other laws apply to the privacy and security of medical records in Texas. Laws such as the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 and the Texas Medical Practice Act create a layered system of protections that often go beyond HIPAA’s minimum requirements.

Before HIPAA, medical confidentiality in Texas was governed mainly by the Texas Health and Safety Code, which already limited how health information could be used and disclosed, and gave patients rights to see their records. HIPAA then introduced federal privacy and security rules, but only for a narrower group of “covered entities.” To close that gap, Texas passed the Texas Medical Records Privacy Act in 2001, extending HIPAA-style protections to more organizations that handle Texans’ health information. HB300, passed in 2011, strengthened that Act by tightening rules for electronic disclosures, shortening deadlines for responding to patient access requests, and expanding breach notification requirements. HB300 is important, but it operates alongside a broader set of Texas privacy and security laws.

The Texas Identity Theft Enforcement and Protection Act (TITEPA) is not limited to healthcare, but it heavily affects healthcare organizations because it applies to any business that handles personal identifying information about Texas residents. Its definition of “sensitive personal information” is broader than HIPAA’s definition of PHI, so some data that is not PHI still has to be protected as if it were. Organizations must secure this information, dispose of it safely, and notify individuals (and sometimes the Attorney General) if computerized sensitive personal information is acquired by an unauthorized person. Because these requirements sit next to HIPAA’s breach rules, many healthcare organizations in Texas treat all patient-related information like PHI and apply HIPAA-level safeguards across the board.

The Texas Data Privacy and Security Act (TDPSA) is aimed at consumer data generally, but it also touches healthcare. Covered entities and business associates are exempt for PHI but not for other personally identifying data they collect, such as marketing lists, website tracking data, appointment booking details, or some HR data. For this non-PHI data, organizations must limit collection to what is necessary, obtain informed consent for certain uses (such as targeted marketing), and honor rights to access, correct, or request deletion where those rights apply. Deletion rights do not override medical record retention requirements, so PHI and medical records still must be kept according to Texas rules.

The Texas Responsible AI Governance Act and SB1188 add AI- and EHR-specific obligations. The AI Governance Act applies broadly to developers and users of AI, including healthcare organizations that use AI in clinical or administrative workflows. Patients must be told when AI is used in diagnosis or clinical decision support (outside emergencies), and patient authorization is required if PHI is sent to AI systems for purposes beyond treatment, payment, healthcare operations, or required-by-law disclosures. 

SB1188 goes further by requiring AI-generated diagnostic outputs to be reviewed under standards set by the Texas Medical Board and documented in the medical record, and by imposing specific security and functionality requirements on EHRs. It restricts storing certain data types in EHRs, such as credit scores or voter-registration status, and sets rules around parental access to minors’ electronic records – with exceptions for sensitive services such as reproductive, substance use, or mental health care.

The Texas Medical Practice Act and related code provisions add professional and confidentiality duties for licensed healthcare professionals on top of all this. In many cases, state law requires written consent for disclosures that go beyond treatment, payment, healthcare operations, or disclosures explicitly required by law, and adds extra protections for especially sensitive categories such as mental health, substance use, HIV testing, and genetic information. These provisions are updated regularly and can override or refine how other laws apply in specific scenarios.

Because all of these laws overlap, organizations that handle medical information about Texas residents generally follow a “most protective law wins” approach. HIPAA and the Texas Medical Records Privacy Act/HB300 are central pieces of Texas medical privacy law, but real-world practice is also shaped by TITEPA, the TDPSA, the Responsible AI Governance Act, SB1188, and the Medical Practice Act. For workforce members, the safest course is to follow organizational policies, complete required training, and ask their privacy or compliance teams when they are unsure.



The post Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas appeared first on The HIPAA Journal.

HIPAA Training Requirements

The HIPAA training requirements are that “a covered entity must train all members of its workforce on policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” (§164.530(b)(1) of the HIPAA Privacy Rule). In addition, a covered entity or business associate must “implement a security awareness and training program for all members of its workforce including management”. (§164.308(a)(5) of the HIPAA Security Rule).

What are the HIPAA Training Requirements?

The first thing to be aware of with respect to the HIPAA training requirements is that not only HIPAA-Covered Entities are required to comply with the HIPAA Privacy Rule training standard. The Applicability standard at the beginning of the HIPAA Administrative Simplification Regulations (§160.102) states “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate”.

This means that if a HIPAA Business Associate provides a service for or on behalf of a covered entity that requires compliance with a HIPAA Privacy Rule standard, the business associate must also comply with the HIPAA Privacy Rule training standard. Both covered entities and business associates are required to comply with the HIPAA Security Rule training standard, which applies to all members of the workforce regardless of whether they have access to PHI or not.

The HIPAA Privacy Rule Training Standard

To best explain the HIPAA Privacy Rule training standard, it is necessary to start with the “Policies and Procedures” standard of the HIPAA Privacy Rule’s Administrative Requirements. This standard states:

“A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart [the HIPAA Privacy Rule] and subpart D of this part [the Breach Notification Rule]. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance.”

This standard requires HIPAA-Covered Entities (and HIPAA Business Associates “where provided”) to develop and implement policies and procedures for every area of their operations which may involve uses and disclosures of PHI – including how to react to unauthorized uses and disclosures. Thereafter, with the above standard in mind, the Training standard of Administrative Requirements states:

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The HIPAA Security Rule Training Standard

Compared to the HIPAA Privacy Rule training standards, the HIPAA Security Rule training standard appears straightforward. It states:

“Implement a security awareness and training program for all members of its workforce (including management).”

To guide covered entities and business associates with what should be included in HIPAA security awareness training, the standard has four addressable implementation specifications:

  1. Periodic security updates.
  2. Procedures for guarding against, detecting, and reporting malware.
  3. Procedures for monitoring login attempts and reporting discrepancies.
  4. Procedures for creating, changing, and safeguarding passwords.

However, the section of the HIPAA Security Rule in which the training standard appears (the Administrative Safeguards, §164.308) commences with the line “A covered entity or business associate must, in accordance with §164.306”. Section §164.306 contains the General Requirements for the HIPAA Security Rule, which state that covered entities and business associates must protect against any reasonably anticipated uses or disclosures not permitted under the HIPAA Privacy Rule. This implies organizations should incorporate HIPAA Privacy Rule training into HIPAA security awareness training, but it is left to organizations to make this connection themselves. Many don’t.

Therefore, although the HIPAA Security Rule training standard appears more straightforward, it potentially has more issues than the HIPAA Privacy Rule training standard inasmuch as there are many more opportunities for gaps in HIPAA knowledge and avoidable HIPAA violations. For example, training business associate workforces on detecting malware, reporting discrepancies, and safeguarding passwords does not explain why it is a violation of HIPAA to copy and paste PHI databases and email them to yourself. HIPAA Security Rule training that only focuses on the cybersecurity aspects of HIPAA security will therefore have the wrong focus. The focus of HIPAA security awareness training should be the use and protection of PHI, with any technical aspects of cybersecurity taught in the context of PHI.

Organizations that do incorporate HIPAA Privacy Rule training into HIPAA security awareness training can benefit from delivering HIPAA Security Rule training in the correct context. But, to combine training in this way, organizations have to develop multiple training courses to accommodate (for example) members of a covered entity’s workforce with different functions, and members of a business associate’s workforce with no access to PHI who have to undergo security training to “tick the box”.

How Often is HIPAA Training Required?

According to the HIPAA Administrative Requirements, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce” and also when “functions are affected by a material change in policies or procedures”, again within a reasonable period of time. As well as providing HIPAA training to new staff as soon as possible, the best practice in the healthcare sector is to provide healthcare staff with annual HIPAA training.

The HIPAA Security Rule training standard implies that security and awareness training programs should be ongoing. HIPAA training should also be provided whenever there is a change in working practices or technology, whenever a risk assessment identifies a need for further training, or whenever new rules or guidelines are issued by the Department of Health and Human Services (HHS). In order to assess whether HIPAA training is required, HIPAA Privacy and HIPAA Security Officers should:

  • Monitor HHS and state publications for advance notice of rule changes. Ideally, this should involve subscribing to a news feed or other official communication channel.
  • When new rules or guidelines are issued, conduct a risk assessment to determine how they will affect the organization’s operations and if HIPAA training is required.
  • Liaise with HR and Practice Managers to receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
  • Liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
  • Conduct regular risk assessments to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA violations.
  • Compile a training program that addresses how any changes will affect employees’ compliance with HIPAA – not only the changes themselves.
  • Develop a HIPAA refresher training program that can be conducted at least annually if training is not provided for any other purpose.

Naturally, in the event of changes in working practices and technology, HIPAA training only needs to be provided to workforce members whose roles will be affected by the changes. As mentioned in our “Best Practices” section below, it is also advisable to include at least one member of senior management in the training sessions, even if they are not affected by the new policies or procedures – as it shows the whole organization is taking its HIPAA training requirements seriously.

A potential issue with the frequency of training is that, if there are no material changes to policies and procedures, working practices, or technology, if no new rules or guidelines are issued by HHS, or if HIPAA security awareness training is only provided “periodically”, it can be a long time between training sessions, during which time members of the workforce may take shortcuts with compliance to “get the job done”. This is why the best practice in the healthcare sector is to provide healthcare staff with annual HIPAA training.

What Should be Included in a HIPAA Training Course?

The basic elements that should be included in a HIPAA training course are suitable as an introduction to HIPAA or can be used as the basis for an annual refresher course.

Recommended Content for HIPAA Compliance Training

The Role of the HIPAA Officers
This training should cover the roles of HIPAA Compliance Officer, HIPAA Privacy Officer, and HIPAA Security Officers, when to contact them, and how to use official reporting channels.

Definitions and Lexicons
This training should include clear definitions of PHI, ePHI, Minimum Necessary, Covered Entity, Business Associate, and Designated Record Set, with role-based examples.

The Main HIPAA Regulatory Rules
This training should cover the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule and how each maps to day-to-day tasks.

HIPAA Compliance for Staff
This training should include core obligations for handling PHI/ePHI, documentation standards, and step-by-step incident reporting.

Why HIPAA Compliance is Important
This training should cover benefits to patients, the organization, and employees, emphasizing confidentiality as part of care quality.

The Consequences of HIPAA Violations and Breaches
This training should include personal and organizational impacts, the difference between violations and breaches, and why prompt reporting matters.

Preventing HIPAA Violations
This training should cover common error patterns and practical habits to avoid them, including mindful, permitted disclosures.

PHI Disclosure Guidelines
This training should include required vs. permitted disclosures, exceptions, professional discretion, identity verification, and escalation triggers.

HIPAA Rights for Patients
This training should cover patient rights (access, amendments, restrictions, confidential communications, accounting of disclosures) and routing requests correctly.

HIPAA Security Rule: Threats to Patient Data
This training should cover accidental, internal, external, and environmental threats—and the importance of quick reporting.

HIPAA Security Rule: Protecting Electronic PHI
This training should include shared responsibilities for ePHI safeguards (devices, credentials, email) and when to alert Security about insider risks.

HIPAA and Emergency Situations
This training should cover permitted disclosures during medical, manmade, and physical emergencies and conditions for OCR enforcement discretion.

Recent HIPAA Updates
This training should include summaries of recent and proposed changes, workflow impacts, and practical cautions to avoid impermissible or missed disclosures.

Additional HIPAA Training Required for New Technologies

Several important technologies emerged after the passing of the HIPAA law and the subsequent introduction of the HIPAA rules.

HIPAA Training for Email, Messaging, and Texting
This training for staff must cover using only approved, secure channels for PHI; applying the Minimum Necessary standard; verifying identity before sending; and documenting disclosures per policy. It must teach employees how to craft message content (no diagnoses in subject lines, limited details in voicemails/texts), handle misdirected messages (immediate recall/notification and escalation), and use safeguards such as encryption, access controls, and auto-lock on mobile devices.

HIPAA Training for Social Media
This training for employees must explain how casual posts, photos, or “anonymous” case descriptions can disclose PHI and trigger sanctions. It must teach employees that once content is online they lose control of further disclosure or manipulation, and that work stories, images from clinical areas, and patient details—even without names—are risky. It should reinforce a culture of caution: follow organizational policy, avoid posting about patients or workplaces, and ask questions to the HIPAA Privacy and HIPAA Compliance Officers.

HIPAA Training for Artificial Intelligence (AI) Tools
This training must teach employees what AI tools are used in healthcare, when they are approved, and how unapproved or untrained AI can cause impermissible disclosures or exceed the HIPAA Minimum Necessary Rule. It must cover best practices: never paste PHI into non-approved AI tools, validate AI outputs before use, log interactions as required, and report anomalies or inaccurate results. It must also explain that employees should not use AI to answer HIPAA compliance questions because these tools are often inaccurate or out of date.

Best Practices for HIPAA Compliance Training

Because no detailed HIPAA training requirements are listed in the legislation, we have put together a short series of best practices that HIPAA compliance managers may want to consider when compiling “necessary and appropriate” security awareness training, HIPAA training for employees at onboarding, and HIPAA refresher training programs. Our best practices for HIPAA compliance training are not set in stone and can be selected from as best suits each training program.

  • Do test trainees during the training. Self-attestation does not work; staff will only pay attention if they know they are going to be tested.
  • Do cover everything required. While it might be tempting to omit some elements of HIPAA to reduce the number of work hours required for an organization, it is a false economy that will almost certainly cost more in the longer term with regard to HIPAA violations or HIPAA breaches.
  • Do include the consequences of a HIPAA breach in the training, not just the financial implications for the organization, but also the personal career implications for trainees and their colleagues, and of course the person(s) whose PHI has been exposed.
  • Do provide Continuing Education Units (CEUs) during HIPAA training because they provide motivation for staff to complete the training. Only use HIPAA training that provides CEUs.
  • Don’t quote long passages of text from the HIPAA guidebooks or the regulations. HIPAA compliance training not only has to be absorbed, but it also has to be understood and followed in day-to-day life.
  • Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
  • Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was conducted, to whom, and how frequently. Trainees should sign attestations to confirm they have received training if progress is not monitored by a learning management system.
  • Do provide comprehensive security awareness training that combines HIPAA compliance training and general online security training to cover best practices such as using a password manager, reducing phishing susceptibility, and backing up data. This will help to build a security culture in your organization and reduce the risk of data breaches. The HIPAA security training must be targeted at PHI and medical records, not generic IT security training.

Additional State Medical Privacy Law Training

State medical privacy laws often supplement and sometimes preempt HIPAA by imposing stricter or additional obligations on workforce members that require additional training in these states. Staff must follow HIPAA plus any stricter state rule, for example, tighter consent, shorter response timelines, expanded breach notice content, or added safeguards for automated tools. It is therefore important that in some states, the HIPAA training also includes the related and relevant additional privacy training.

Texas Medical Privacy and Data Security Laws

In Texas, requirements can exceed HIPAA under the Texas Medical Records Privacy Act (as amended by HB 300), with further duties shaped by the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, and AI-related measures such as the Texas Responsible AI Governance Act and SB 1188 on AI and electronic health records.

California Medical and Data Privacy Laws

California likewise layers additional protections above HIPAA through the Confidentiality of Medical Information Act, the Patient Access to Health Records Act, Medi-Cal rules, and the California Consumer Privacy Act/Privacy Rights Act (including automated decision-making provisions), along with new Health and Safety Code provisions added by SB 81 (Patient Access and Protection).

Additional Federal Laws

HIPAA is a federal statute that applies to covered entities and business associates, but it is not the only legislation covering the privacy and security of healthcare data. HIPAA sets minimum standards for health information privacy and security, but there are circumstances in which other federal and state health information privacy laws preempt HIPAA. For example, federal agencies also have to comply with the Privacy Act, while teaching institutions have to comply with FERPA.

States may also implement more stringent privacy requirements that preempt HIPAA. When more stringent requirements exist, in addition to providing HIPAA training, training must also be provided to comply with state laws where the state laws – or areas of the state laws – preempt HIPAA. For instance, organizations in Texas and those serving Texas residents are required to provide training on Texas HB 300 and the requirements of the Texas Medical Records Privacy Act, which go further than the minimum standards of HIPAA.


Targeted HIPAA Training

HIPAA Training Requirements for Employers

In most cases, the HIPAA training requirements for employers only apply to employers that are HIPAA-Covered Entities or business associates. Qualifying employers must provide HIPAA training to all members of the workforce regardless of their role within the organization as per the Administrative Safeguards of the HIPAA Security Rule.

If an employer is not a covered entity or a business associate but engages in HIPAA-covered transactions (for example, the employer administers a self-insured health plan), HIPAA training only needs to be provided to employees with access to PHI or ePHI. Further information about HIPAA training requirements for employers in these circumstances can be found in this article.

HIPAA Training for Employees

In addition to providing “necessary and appropriate” HIPAA training for employees, it is advisable to provide additional training that gives context to the training each employee receives. For example, when training employees on the HIPAA rules for PHI disclosures, it is recommended to also discuss the consequences of HIPAA violations.

Documenting the training provided to employees is a requirement of HIPAA. However, this has advantages inasmuch as, if material changes to policies or procedures occur and they impact only a specific area of HIPAA compliance, a record exists of who has been trained in that specific area of HIPAA compliance and who now needs refresher training.
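The record-keeping this section describes (who was trained, in which area, when; who is now due for an annual refresher or because of a material change; and the six-year retention of training records from Step 8 above) is easy to get wrong when kept by hand. The following is an added example, not code from The HIPAA Journal or any vendor: a small Python checker over constructed sample records. It assumes a 30-day “reasonable period” after joining or after a material change (HIPAA does not fix the number), a 365-day refresher cycle, and that a record only counts if it is backed by an LMS completion or a signed attestation, as the best-practices list recommends.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed values (not specified by HIPAA or the page): the "reasonable period"
# after joining or after a material change is taken to be 30 days; the annual
# refresher cycle is 365 days. The six-year retention period is from the page.
ANNUAL_REFRESHER = timedelta(days=365)
REASONABLE_PERIOD = timedelta(days=30)
RETENTION = timedelta(days=6 * 365)


@dataclass(frozen=True)
class TrainingRecord:
    employee: str
    area: str          # "privacy", "security" or "breach_notification"
    completed: date
    attested: bool     # LMS completion or signed attestation on file


@dataclass(frozen=True)
class PolicyChange:
    area: str          # area of HIPAA compliance the material change affects
    effective: date


def latest_valid(records, employee, area):
    """Most recent attested record for this employee and area, or None."""
    candidates = [r for r in records
                  if r.employee == employee and r.area == area and r.attested]
    return max(candidates, key=lambda r: r.completed, default=None)


def training_due(employees, records, changes, today):
    """Map each employee to the reasons they are due for training.

    employees: {name: (hire_date, tuple_of_required_areas)}
    An empty list means the employee is current in every required area.
    """
    due = {}
    for name, (hired, areas) in employees.items():
        reasons = []
        for area in areas:
            rec = latest_valid(records, name, area)
            if rec is None:
                # New joiners get the reasonable period before being flagged.
                if today - hired > REASONABLE_PERIOD:
                    reasons.append(f"{area}: no attested training on record")
                continue
            if today - rec.completed > ANNUAL_REFRESHER:
                reasons.append(f"{area}: annual refresher overdue")
            # A material change after the last training in that area requires
            # retraining within the reasonable period, only for affected areas.
            for ch in changes:
                if (ch.area == area and ch.effective > rec.completed
                        and today - ch.effective > REASONABLE_PERIOD):
                    reasons.append(
                        f"{area}: material change on {ch.effective} not covered")
        due[name] = reasons
    return due


def disposable_records(records, today):
    """Records past the six-year retention period, so eligible for disposal."""
    return [r for r in records if today - r.completed > RETENTION]


# Constructed sample data for the demonstration.
TODAY = date(2025, 6, 1)
EMPLOYEES = {
    "alice": (date(2021, 3, 1), ("privacy", "security")),
    "bob":   (date(2024, 2, 1), ("privacy", "security")),
    "carol": (date(2025, 5, 20), ("security",)),   # hired 12 days ago
}
RECORDS = [
    TrainingRecord("alice", "privacy",  date(2024, 9, 1), True),
    TrainingRecord("alice", "security", date(2024, 9, 1), True),
    TrainingRecord("alice", "security", date(2018, 1, 10), True),  # past retention
    TrainingRecord("bob",   "privacy",  date(2024, 3, 1), True),
    TrainingRecord("bob",   "security", date(2024, 3, 1), False),  # never attested
]
CHANGES = [PolicyChange("privacy", date(2025, 1, 15))]

if __name__ == "__main__":
    for name, reasons in training_due(EMPLOYEES, RECORDS, CHANGES, TODAY).items():
        print(name, "-> current" if not reasons else "-> " + "; ".join(reasons))
    for r in disposable_records(RECORDS, TODAY):
        print("eligible for disposal:", r)
```

Run as written, alice is flagged only for the privacy policy change, bob for an overdue refresher, the same policy change, and a security record that was never attested, and carol is current because she is still inside the onboarding window; only the 2018 record is old enough to dispose of. Keep the disposal step a separate, reviewed action: the checker only identifies candidates.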

HIPAA Training for Business Associate Staff

The HIPAA training requirements for business associates are often misunderstood because – notwithstanding the Applicability standard §160.102 – nowhere in the HIPAA Privacy Rule does it state HIPAA training for Business Associates is mandatory. However, the Administrative Safeguards of the HIPAA Security Rule (45 CFR § 164.308) state:

“A covered entity or business associate must … implement a security awareness and training program for all members of its workforce (including management).”

While this could be interpreted as a general security awareness and training program rather than HIPAA awareness training for business associates, it makes sense for training to be HIPAA-related because if a violation of HIPAA occurs, and there is no evidence of appropriate HIPAA Business Associate training being provided, it will likely result in heavier sanctions for willful neglect.

Consequently, while Business Associates must comply with the HIPAA security standards relating to a security and awareness training program, it is advisable to train workforces on whichever elements of the Administrative Requirements, HIPAA Privacy Rule, and/or Breach Notification Rule are appropriate to individuals’ roles or which are stipulated in a Business Associate Agreement.

Business associate staff need HIPAA training because the Privacy Rule can apply to their roles in addition to standard security awareness. This training explains who is who (covered entities, business associates, subcontractors) and how PHI moves along the chain of custody, so employees understand their part of the workflow. It clarifies responsibilities under the HIPAA Security Rule, why safeguards exist, what a Business Associate Agreement (BAA) permits, and when to alert Security or Privacy if confidentiality, integrity, or availability could be at risk. Employees learn the limits on uses and disclosures tied to the BAA and the service provided, the Minimum Necessary principle for access, and the exact steps to take if a mistake exposes PHI. The program also sets expectations about consequences, sanctions, patient harm, and organizational costs, using case studies to keep compliance top of mind.

HIPAA Compliance Training for Students

The HIPAA Privacy Rule states that HIPAA compliance training should be provided to new employees “within a reasonable period of time of a new employee joining a covered entity’s workforce”; and while there may be justifiable reasons not to provide training before a new employee accesses PHI (for example, they have transferred from another healthcare facility and already have an understanding of HIPAA), that is not the case for healthcare students. The HIPAA training for healthcare students is different than regular HIPAA training because the students require extra training on some topics that are not relevant to regular healthcare professionals, such as using PHI in student assignments.

Healthcare students should be provided with HIPAA compliance training before they access PHI so they are aware of PHI disclosure guidelines when they start working with patients or when they use healthcare data to support reports and projects. With this in mind, an appropriate HIPAA compliance training course for healthcare students would consist of the elements listed above, plus further elements relevant to their education.

Electronic Health Record Access by Healthcare Students

During their training, healthcare students may be permitted to access EHRs under supervision. It is important students know what they can and cannot do with patient PHI under HIPAA, and also that it is a violation of HIPAA to use another person’s EHR login credentials to access patient PHI.

PHI & Student Reports and Projects

Students need to be aware that, when writing reports, preparing case studies, or giving presentations, they are unable to use PHI unless the patient has given their informed consent, or unless PHI is de-identified by removing any identifiers that make the health information “protected”.

Being a HIPAA Compliant Student

It is a student’s responsibility to understand the covered entity’s HIPAA policies and procedures and comply with them just as if they were a healthcare professional. They also need to know how to identify a violation of HIPAA and who to report the violation to.

HIPAA Training for Small Medical Practice Employees

Small medical practices face circumstances that differ from those of, for example, hospitals. HIPAA training for small medical practice staff should prepare employees for real-world constraints: tight spaces, multitasking at a busy front desk, unfamiliar software, and working in close-knit communities where people ask about neighbors’ health. This training must teach employees to control the physical environment (screen privacy, clean desks, locked bins), manage interruptions without over-sharing, and use only approved systems for PHI, with no personal email, texting, or ad-hoc tools. It should explain why copying shortcuts from others is risky, provide simple technical steps (strong, unique passwords, MFA, logging out of shared workstations), and offer scripts to resist community pressure (“I can’t discuss patient information”). Employees must learn the difference between a violation and a breach, how to report incidents quickly, and what sanctions or external penalties can follow.

HIPAA Training for IT Professionals

While it is natural to assume HIPAA training for IT professionals should focus on IT security and protecting networks against unauthorized access, it is also important that IT professionals receive training about the challenges frontline healthcare professionals face when operating in compliance with HIPAA.

This is so IT professionals design systems and develop procedures that align with healthcare professionals’ needs. If systems and procedures are too complicated, or appear irrelevant to individuals’ roles, staff will find ways to circumvent them, potentially placing ePHI at risk of exposure, loss, or theft.

HIPAA Training for Medical Office Staff

Depending on the size of a medical office and the variety of roles filled by staff, HIPAA training for medical office staff is likely to be more comprehensive than for any other category of healthcare employee. This is because medical office teams often deal with patients, their families, inquiries from third parties, suppliers, payment processors, and health plans.

The range of scenarios medical office staff are likely to encounter is one of the reasons HIPAA training needs to be memorable, so that it is applied in day-to-day work. With regard to HIPAA training for medical office staff, the more contextual it is the better, as context helps employees understand the significance of HIPAA and why safeguarding PHI is important.

 


HIPAA Refresher Training

In addition to being provided regularly to prevent non-compliant habits from becoming workplace norms, HIPAA refresher training should be provided to staff whenever new threats to patient data are discovered. It is important that employees know how to identify these threats and respond to them; delaying training of this nature until an annual refresher training day could result in an avoidable data breach.

As well as covering changes to policies and procedures, HIPAA refresher training also needs to go over old ground periodically to remind employees why HIPAA is important and what patients’ rights are, especially as changes to the HIPAA Privacy Rule have been proposed that are intended to improve data sharing and interoperability and to support the federal prohibition on information blocking.

 

HIPAA Training Requirements FAQ

What is HIPAA training?

HIPAA training is part of the training new members of a covered entity’s workforce receive when they start working for a covered health plan, healthcare clearinghouse, healthcare provider, or pharmacy. The training should include an explanation of terms such as Protected Health Information and why it is necessary to protect the privacy of individually identifiable health information.

Additionally, HIPAA training should include security awareness training such as password management and phishing awareness. This element of training should be provided not only to members of a covered entity’s workforce, but also to members of a business associate’s workforce, regardless of their level of access to electronic Protected Health Information.

How long is HIPAA training good for?

HIPAA itself does not set an expiry date for training, but in practice HIPAA training is treated as good for one year because best practice in the healthcare sector is to provide annual HIPAA training.

There are circumstances where additional HIPAA training is required, such as when HHS issues new guidelines, when members of the workforce are required to undergo HIPAA refresher training under an internal company policy, when an employee receives a sanction for a non-compliant event, or when a Corrective Action Plan is imposed by HHS.

As well as policy and procedure training, the HIPAA Security Rule stipulates that all members of the workforce are required to participate in a security awareness and training program. As the use of the term “program” implies, security and awareness training is ongoing, so HIPAA training of this nature has no specific expiry date. It is necessary to continue improving the workforce’s resilience against online threats.

How can you get HIPAA training?

In most cases, you get HIPAA training from your employer when you start working for a business required to comply with the HIPAA Privacy, Security, and/or Breach Notification Rules. However, if you have no previous knowledge of HIPAA, it can be beneficial to invest in an online HIPAA training course to better understand the basics of HIPAA before moving onto policy and procedure training.

When must new employees complete their HIPAA training?

New employees must complete their HIPAA training “within a reasonable period of time” according to the HIPAA Privacy Rule. However, some states and some organizations have fixed time limits. For example, new employees in Texas must complete their HIPAA training within 90 days, while personnel attached to the Defense Health Agency must complete their training within 30 days.

How often should HIPAA training be completed?

HIPAA training should be completed as often as is necessary to mitigate the risk of a HIPAA violation or data breach. For some members of the workforce, this may mean completing HIPAA training monthly or quarterly; while, for other members of the workforce, annual refresher training is often sufficient to maintain a compliant organization.

Is there a difference between HIPAA compliance training and other types of HIPAA training?

Although there is no official difference between HIPAA compliance training and other types of HIPAA training, some organizations refer to policy and procedure training as HIPAA compliance training, while training on the HIPAA rules and regulations themselves (together with security and awareness training) is referred to as HIPAA training. The HIPAA Journal has designed its HIPAA training to provide comprehensive training on HIPAA rules and regulations.

How often do healthcare workers need to have HIPAA training?

Healthcare workers need to have HIPAA training as often as required to perform their roles in compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Many healthcare workers only have HIPAA training when they start working for a new employer and when there is a material change to policies and procedures – and this is often not enough to ensure compliance.

How long must HIPAA security awareness training documents be maintained?

HIPAA security awareness training documents must be maintained for as long as policies or procedures related to the training (including sanctions policies) are in force plus six years. This is because documentation relating to policies and procedures have to be maintained for six years from the date they are last in force and, if training is based around the policies and procedures, the documents relating to the training must also be maintained for the same period of time.

How often does CMS require HIPAA training?

Although the Centers for Medicare and Medicaid Services (CMS) regulates compliance with 45 CFR Part 162 (the HIPAA Administrative Simplification standards for transactions, code sets, identifiers, and operating rules), CMS does not require HIPAA training. However, the agency does provide a series of web-based training courses on the Medicare Learning Network which cover a broad range of topics related to Part 162 compliance.

Who is in charge of HIPAA training?

The individual in charge of HIPAA training is the Privacy Officer or the Security Officer, depending on whether the training relates to HIPAA policies and procedures or to security and awareness training. Although in charge of training, neither Officer has to deliver every session personally; a member of the IT team may, for example, demonstrate how a software solution works, with the responsible Officer remaining accountable for the content and for documenting attendance.

HIPAA requires specific training on what?

HIPAA requires specific training on the policies and procedures developed by the organization to protect the privacy of individually identifiable health information. Members of the workforce do not have to receive training on every policy and procedure – just those that are relevant to their roles (although it is also a good idea to provide general HIPAA training to all members of the workforce).

Where do I take HIPAA training for the army?

HIPAA training for the army is required for all Defense Health Agency military, civilian, and contractor personnel within 30 days of onboarding and annually thereafter. HIPAA training and Privacy Act training (also a requirement for Defense Health Agency personnel) is accessible via the Joint Training System on the Joint Chiefs of Staff website.

Are the training requirements under HB 300 any different from the HIPAA training requirements?

The training requirements under HB 300 are different from the HIPAA training requirements inasmuch as new members of a workforce subject to the Texas Medical Records Privacy Act must be trained on policies and procedures within 90 days. The HIPAA training requirements are that new members of the workforce are trained “within a reasonable period of time”, so the difference is that HIPAA does not stipulate a timeframe whereas HB 300 does.

It is worth noting that HIPAA-covered entities are exempted from complying with the Texas Medical Records Privacy Act, but business associates are not. As a result, HB 300 applies to more types of organizations than HIPAA; and, while the training “requirements” do not differ a great deal, the number of organizations required to provide training is much higher.

Can Covered Entities be fined for not providing HIPAA training?

Covered entities can be fined for not providing HIPAA training if it transpires that a violation investigated by HHS’ Office for Civil Rights is attributable to a lack of training. Most often, rather than fine a covered entity, HHS’ Office for Civil Rights will require the covered entity to follow a Corrective Action Plan which includes monitored and documented training.

Is it necessary to have HIPAA refresher training whenever new technology is implemented?

It is necessary to have HIPAA refresher training whenever new technology is implemented if the new technology is being implemented to address a vulnerability or threat to the privacy and security of Protected Health Information. In most cases, the HIPAA element of the training will be incorporated into the technology element of the training to make both elements more understandable.

If a material change to a policy occurs, but it only affects a few people, is it necessary for everyone to undergo refresher training?

If a material change to a policy occurs, but it only affects a few people, it is not necessary for everyone to undergo refresher training unless the material change has a knock-on effect for other members of the workforce. For example, if a covered entity changes its policy for responding to PHI access requests, only those who respond to PHI access requests need to undergo refresher training, but public-facing members of the workforce will also need to know the policy has changed.

How much is the fine for failing to comply with the HIPAA training requirements?

The fine for failing to comply with the HIPAA training requirements – if a fine is imposed – varies according to the nature of a subsequent violation attributable to the training failure. Fines for failing to comply with the HIPAA training requirements can also be imposed when no subsequent violation has occurred if the training failure is identified during a compliance audit.

How does HHS’ Office for Civil Rights find out about HIPAA training violations?

HHS’ Office for Civil Rights can find out about HIPAA training violations in a number of ways. The agency can discover a training violation when investigating a complaint from a patient, when investigating a data breach, when investigating a tip-off from a member of the workforce, or when conducting a compliance audit.

Is it a requirement to provide HIPAA refresher training to the entire workforce when there is a material change to a policy or procedure?

It is not a requirement to provide HIPAA refresher training to the entire workforce when there is a material change to a policy or procedure unless the material change affects the entire workforce. For example, if there is a change to the content of Business Associate Agreements, only those members of the workforce that handle Business Associate Agreements will have to undergo HIPAA refresher training. However, if there is a material change to the organization’s HIPAA sanctions policy, all members of the workforce need to be trained on the implications of the change.

Why do all members of the workforce have to have HIPAA security and awareness training?

All members of the workforce have to have HIPAA security and awareness training because it is important that all members of the workforce are aware of cyber risks. Cybercriminals do not necessarily know who has access to PHI stored on a network, so will target every member of the workforce to try to infiltrate the network and move laterally until they find unprotected PHI.

Is there a benefit of HIPAA training packages offered by third-party compliance companies?

There is a benefit of HIPAA training packages offered by third-party compliance companies inasmuch as the packages provide a foundation of HIPAA knowledge. Trainees learn about the basics of HIPAA, why it exists, and what it protects to better prepare them for when they undergo policy and procedure training – which is subsequently more understandable.

For covered entities and business associates, the benefit of HIPAA training packages offered by third-party compliance companies is three-fold. The packages prepare new members of the workforce for more advanced policy and procedure training, put security and awareness training into context, and can also be used as the basis for periodic refresher training.

Who is responsible for organizing HIPAA training?

HIPAA compliance officers should be responsible for organizing HIPAA training for members of the workforce, although they do not necessarily have to conduct the training themselves. If, for example, HIPAA security and awareness training covers how to use a new piece of software compliantly, it may be better for a member of the IT team to present the training, although the compliance officer should attend and remain accountable for the content.

Should a Privacy Officer provide privacy training and a Security Officer provide security training?

While it would appear to make sense that a Privacy Officer provides privacy training and a Security Officer provides security training – as each Officer should be a specialist in their own field to answer questions – it is not necessary to divide training responsibilities. A lot of crossover exists between privacy and security in HIPAA, so both topics can often be covered together in a training session unless the session is about a specific privacy or security topic.

What is an example of a “material change to policies”?

An example of a material change to policies is when hospitals had to amend policies and procedures to accommodate the change from CMS’ Meaningful Use program to the Promoting Interoperability program. If the policy changes affect the way in which ePHI is managed, the personnel involved in managing data for the Promoting Interoperability program should undergo training to avoid there being gaps in their knowledge.

Which senior managers should be involved in HIPAA training?

All senior managers must be involved in HIPAA training – particularly security and awareness training. Additionally, while it is important all senior managers are aware of the impact HIPAA compliance has on operations, it is more practical to involve (for example) CIOs and CISOs in technology training, and CFOs in training that concerns interactions between healthcare organizations and health insurance companies.

What is the most important element of HIPAA training?

The most important element of HIPAA training should be determined by a risk assessment. Thereafter, the “most important element” of HIPAA training will vary on a case-by-case basis and likely vary according to workforce roles. However, it is important for personnel to understand why HIPAA is important and why they are undergoing training in a particular aspect of HIPAA compliance.

How long does HIPAA training take?

How long HIPAA training takes depends on the amount of content included in the session, the number of people attending, and the volume of questions asked during and after the session. Online training modules generally take around five minutes each, so a course of twenty or so modules would take around two hours to complete online, and probably longer in a classroom environment.

How often do you have to do HIPAA training?

How often you have to do HIPAA training depends on factors such as material changes to policies and procedures, risk assessments, and OCR corrective action plans. In addition, as well as maintaining an ongoing security and awareness training program, it is recommended covered entities and business associates provide HIPAA Privacy Rule refresher training at least annually.

Why is HIPAA training important?

HIPAA training is important because – beyond the legal requirement to provide/undergo HIPAA training – it demonstrates to members of the workforce how covered entities and business associates protect patient privacy and ensure the confidentiality, integrity, and availability of PHI so members of the workforce can perform their duties without violating HIPAA regulations.

Who needs HIPAA training?

Everybody needs HIPAA training if they are a member of a covered entity’s or business associate’s workforce. This not only means employees have to be trained on HIPAA policies, but also volunteers, students, and contractors who may encounter Protected Health Information in visual, verbal, written, or electronic form. It is also a requirement of the HIPAA Security Rule that all members of the workforce – including senior managers – participate in a security and awareness training program.

When does HIPAA training expire?

HIPAA training does not expire – even though some training organizations issue time-limited certificates of compliance. No training provided in compliance with the HIPAA Privacy and Security Rules has an expiry date unless changes are made to policies and procedures, a risk analysis identifies a need for further training or an individual moves from one covered entity to another where different policies and procedures apply and the new employer has a legal obligation to provide HIPAA training on the different policies and procedures.

What kind of HIPAA training do I need to provide to new hires for HIPAA and HITECH?

The kind of HIPAA training you need to provide to new hires for HIPAA and HITECH depends on whether your organization is a covered entity or business associate.

If your organization is a HIPAA covered entity, you must train new hires on policies and procedures with respect to Protected Health Information and the Breach Notification Rule, and provide security and awareness training.

If your organization is a business associate for a covered entity, the training you need to provide for new hires varies according to the service provided to the covered entity. Breach notification training and security and awareness training are mandatory. However, it may be a condition of a Business Associate Agreement that your organization also provides HIPAA Privacy Rule training to new hires.

Why is documentation of HIPAA training necessary?

The documentation of HIPAA training is necessary for two reasons. First, it demonstrates a covered entity or business associate is complying with the HIPAA training requirements in the event of an audit, inspection, or investigation. Secondly, it records what training has been received by individuals to determine if additional training is required as a consequence of a risk analysis, a policy change, or a promotion.

What do you learn during HIPAA training?

What you learn during HIPAA training depends on the reason for the training being provided. HIPAA training for new employees will likely focus on the basics of HIPAA, policies, and procedures relating to PHI in the workplace, and how to respond to a breach of PHI. Security and awareness training will likely be more focused on best practices for accessing, using, and sharing ePHI online. There may also be occasions when HIPAA training focuses on specific issues identified in a risk assessment or prompted by a patient complaint.

What is a HIPAA training certificate?

A HIPAA training certificate is a third-party accreditation awarded to individuals who pass a HIPAA training course. Often the courses are designed to provide individuals with a basic knowledge of HIPAA so that subsequent training on (for example) policies and procedures or security and awareness is more understandable. HIPAA training certificates can also demonstrate to potential employers that a job candidate has an understanding of the HIPAA rules and regulations.

Who is responsible for training students about HIPAA?

The organization responsible for training students about HIPAA is the covered entity they are under the control of when first exposed to Protected Health Information. However, teaching institutions that do not provide medical services to the general public are not considered to be covered entities. Because of this, it may be the case a student does not receive any HIPAA training until after they have graduated and start working as an employee for a healthcare organization.

What HIPAA training is required?

What HIPAA training is required depends on the reason for the training. The basic HIPAA training requirements are that covered entities train members of the workforce on HIPAA-related policies and procedures relevant to their roles and that both covered entities and business associates provide a security awareness and training program. These requirements are not sufficient to prevent the most common types of HIPAA violations, and it is recommended all businesses supplement the minimum requirements with frequent refresher training.

The post HIPAA Training Requirements appeared first on The HIPAA Journal.

Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data

A former business clerk at Montefiore Medical Center and his partner have pleaded guilty to stealing thousands of patient records and using the stolen data to defraud government agencies out of almost $1 million.

Wilkins Estrella, 40, of Hackensack, New Jersey, had worked at the Bronx hospital for almost a decade. He was terminated in 2020 after an internal audit of access logs revealed he had been accessing patient records without authorization from at least 2020 to 2022. The review confirmed that more than 4,000 medical records were accessed without any legitimate business purpose for doing so. Montefiore Medical Center reported the data breach to the HHS’ Office for Civil Rights and referred the matter to law enforcement for criminal prosecution.
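The unauthorized access in this case surfaced through an audit of EHR access logs. As an added example (not code from Montefiore or from the original page), the script below runs three simple checks over a constructed access log: it flags users whose count of distinct patients viewed is far above the median for their role, it flags bursts of many distinct patients opened within a few minutes, and it flags accesses to patients with no encounter at the facility in the preceding 90 days, which is a rough proxy for “no legitimate business purpose”. The log and encounter formats, user names, roles, and MRNs are all invented for this example; real EHR audit logs differ by vendor and the thresholds need tuning per role.

```python
"""Audit EHR access logs for insider snooping (added example, not from the page).
Log format, encounter table, user names and MRNs are constructed for this example."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log: one row per record access.
ACCESS_LOG = """timestamp,user,role,patient_mrn,action
2024-03-04T09:02:11,clerk01,billing_clerk,MRN1001,view
2024-03-04T09:05:40,clerk01,billing_clerk,MRN1002,view
2024-03-04T09:40:03,clerk02,billing_clerk,MRN1002,view
2024-03-04T10:11:57,clerk02,billing_clerk,MRN1003,view
2024-03-04T10:30:00,clerk03,billing_clerk,MRN1004,view
2024-03-04T10:31:12,clerk03,billing_clerk,MRN1005,view
2024-03-04T10:45:00,nurse01,nurse,MRN1001,view
2024-03-04T10:46:00,nurse01,nurse,MRN1003,update
2024-03-04T11:00:00,nurse01,nurse,MRN1004,view
2024-03-04T12:01:00,clerk04,billing_clerk,MRN1001,view
2024-03-04T12:01:30,clerk04,billing_clerk,MRN1002,view
2024-03-04T12:02:00,clerk04,billing_clerk,MRN1003,view
2024-03-04T12:02:30,clerk04,billing_clerk,MRN1004,view
2024-03-04T12:03:00,clerk04,billing_clerk,MRN1005,view
2024-03-04T12:03:30,clerk04,billing_clerk,MRN1006,view
2024-03-04T12:04:00,clerk04,billing_clerk,MRN9001,view
2024-03-04T12:04:30,clerk04,billing_clerk,MRN9002,view
"""
# Constructed table of each patient's most recent encounter at the facility.
ENCOUNTERS = """patient_mrn,last_encounter
MRN1001,2024-02-20
MRN1002,2024-02-21
MRN1003,2024-02-27
MRN1004,2024-03-01
MRN1005,2024-03-03
MRN1006,2024-01-15
MRN9001,2023-01-10
"""

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def peer_volume_outliers(events, factor=3.0, min_peers=3):
    """Users whose distinct-patient count is >= factor * the median for their role.
    The median (not the mean) keeps a snooper's own count from inflating the baseline."""
    seen, roles = defaultdict(set), {}
    for e in events:
        seen[e["user"]].add(e["patient_mrn"])
        roles[e["user"]] = e["role"]
    by_role = defaultdict(list)
    for user, role in roles.items():
        by_role[role].append(len(seen[user]))
    flagged = {}
    for user, role in roles.items():
        if len(by_role[role]) < min_peers:
            continue  # too few peers for a meaningful baseline
        median = statistics.median(by_role[role])
        if len(seen[user]) >= factor * median:
            flagged[user] = (len(seen[user]), median)
    return flagged

def accesses_without_recent_encounter(events, encounters, window_days=90):
    """Accesses to patients with no encounter in the window before the access."""
    last = {r["patient_mrn"]: datetime.fromisoformat(r["last_encounter"]) for r in encounters}
    window = timedelta(days=window_days)
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["timestamp"])
        enc = last.get(e["patient_mrn"])
        if enc is None or not (ts - window <= enc <= ts):
            hits.append((e["user"], e["patient_mrn"], e["timestamp"]))
    return hits

def rapid_access_bursts(events, window_minutes=10, threshold=6):
    """Users who open >= threshold distinct patients within a sliding time window."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append((datetime.fromisoformat(e["timestamp"]), e["patient_mrn"]))
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = len({mrn for _, mrn in rows[start:end + 1]})
            if distinct >= threshold:
                bursts[user] = max(bursts.get(user, 0), distinct)
    return bursts

def run_audit():
    events, encounters = parse_csv(ACCESS_LOG), parse_csv(ENCOUNTERS)
    return {
        "volume_outliers": peer_volume_outliers(events),
        "no_encounter": accesses_without_recent_encounter(events, encounters),
        "bursts": rapid_access_bursts(events),
    }

if __name__ == "__main__":
    for check, result in run_audit().items():
        print(check, result)
```

Comparing each user against peers in the same role matters: a billing clerk legitimately touches far more records than a nurse, so a workforce-wide threshold would either miss the clerk or drown the nurses in alerts. None of these checks proves wrongdoing on its own; they produce a short list for the Privacy Officer to review against the user's actual duties.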

Along with his romantic partner, Charlene Marte, 31, of the Bronx, New York, Estrella misused patient data to open debit card accounts in patients’ names and had those cards sent to their own addresses and those of family members. The pair then used data from multiple sources to target COVID-19 relief funds from the Internal Revenue Service (IRS) and the New York State Department of Labor, including patients’ names, Social Security numbers, and other personally identifiable information obtained from Montefiore Medical Center.

The pair attempted to obtain $1.6 million in stimulus checks, tax refunds, and unemployment benefits, resulting in almost $1 million in actual losses. The funds were loaded onto the debit cards that the couple had fraudulently obtained.

Marte pled guilty to conspiracy to commit wire fraud and bank fraud on July 28, 2025, and is due to be sentenced on November 5, 2025. She faces up to 30 years in jail. Estrella pled guilty to conspiracy to commit wire fraud and bank fraud on August 7, 2025, as well as one count of wrongful disclosure of individually identifiable health information. Estrella faces a maximum jail term of 30 years for the bank and wire fraud counts, and up to 10 years in jail for the wrongful disclosure charge, and is due to be sentenced on December 1, 2025. Estrella and Marte are also liable for $951,618.20 in forfeiture and the same amount in restitution.

“Wilkins Estrella stole the personal data of thousands of people, including hospital patients, and used this data along with his partner Charlene Marte to claim money that was intended to assist struggling Americans during the pandemic,” said U.S. Attorney Jay Clayton. “Defrauding federal programs harms all New Yorkers, and our Office is committed to stopping it.”

The post Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data appeared first on The HIPAA Journal.

ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms

ComplianceJunction has announced a new API-based integration designed to simplify HIPAA compliance training for healthcare staffing platforms. This program aims to assist staffing agencies and healthcare organizations with automating the delivery and tracking of mandatory HIPAA training for temporary and contract workers. ComplianceJunction has built a reputation as the top provider of HIPAA training.

The integration enables healthcare staffing platforms to incorporate ComplianceJunction’s training modules directly into their existing systems. This allows for automated assignment of training to new hires, real-time monitoring of course completion, and centralized reporting to ensure compliance with HIPAA regulations. By embedding training into the onboarding process, the integration seeks to reduce administrative tasks and ensure that all staff members receive necessary compliance education promptly. This approach aligns with industry trends emphasizing the importance of continuous education and streamlined compliance processes in healthcare staffing.

ComplianceJunction’s training courses have previously received accreditation from organizations such as the American Health Information Management Association (AHIMA), allowing healthcare professionals to earn Continuing Education Units (CEUs) upon completion. This accreditation underscores the quality and relevance of the training content provided and motivates staff.

The API integration is part of ComplianceJunction’s broader efforts to enhance HIPAA compliance training through technology, aiming to support healthcare organizations in maintaining high standards of data privacy and security.

Further details and demonstration access are available at:
https://www.compliancejunction.com/partner-program-hrplatform-integration/

The post ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms appeared first on The HIPAA Journal.

ComplianceJunction HIPAA Training Receives SCCE Accreditation

The Society of Corporate Compliance and Ethics (SCCE) has recently accredited ComplianceJunction’s ‘HIPAA Training for Organizations’ training course. The SCCE is an Eden Prairie, MN-based non-profit association dedicated to enabling the lasting success and integrity of organizations by promoting high standards in compliance and ethics programs. The SCCE, which has more than 19,000 members in over 100 countries, provides resources, education, and networking opportunities for ethics and compliance professionals and offers professional certification through the Compliance Certification Board (CCB). The CCB is an independent body that recognizes individuals with competence in the practice of compliance and ethics.

ComplianceJunction’s mission is to help healthcare organizations train their employees on HIPAA compliance and ensure they understand their responsibilities when it comes to health information privacy. ComplianceJunction has developed a training course that provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and serves as a foundation for developing a comprehensive HIPAA training program. The training has been used by more than 1,000 healthcare organizations and over 100 universities to raise awareness of the HIPAA regulations.

“ComplianceJunction’s customers include practice owners and senior managers who want to ensure that their staff members are kept up to date on the HIPAA regulations and their organization maintains compliance with the HIPAA training requirements,” explained ComplianceJunction’s Ryan Coyne. “The SCCE accreditation means their employees can now earn CEUs for completing the course, which provides an extra incentive for completing the training.” Healthcare professionals who complete the accredited HIPAA training course will earn 2.6 Continuing Education Units (CEUs) that demonstrate they are taking steps to stay up-to-date with current regulations and are continuing their education and professional development.

“The ComplianceJunction HIPAA training offers a detailed overview of HIPAA fundamentals, laying a solid foundation for developing a comprehensive training program. The modules and case studies are excellent tools to engage staff in further discussion and uncover additional role-specific training needs,” said Joanne Curran, Director of Health Information Management at the Greater Lawrence Family Health Center. “Staff appreciate the opportunity to earn CEUs for completing the training series and look forward to additional training offerings.”

The post ComplianceJunction HIPAA Training Receives SCCE Accreditation appeared first on HIPAA Journal.